mirror of https://github.com/trezor/trezor-firmware.git synced 2024-12-11 17:08:15 +00:00

History

Andrew Kozlik b3cd760df0 core/webauthn: Disable CTAPHID_WINK function.		2020-03-20 15:07:06 +01:00
..
metadata	core/webauthn: update metadata	2019-11-16 10:53:10 +00:00
res	common/defs: add Faceboook to recognized apps	2020-01-16 15:35:45 +00:00
__init__.py	core/usb: reorder endpoints	2019-11-13 13:21:39 +01:00
add_resident_credential.py	core/webauthn: Clean up bytes/bytearray typing around uctypes.	2020-03-12 15:45:26 +01:00
common.py	core/webauthn: Implement support for Ed25519 signatures in FIDO2.	2020-03-12 15:45:26 +01:00
confirm.py	core: auto-generate list of FIDO known apps	2019-12-09 16:31:46 +01:00
credential.py	core/webauthn: Remove indistinguishable credentials from the allow list.	2020-03-20 15:07:06 +01:00
fido2.py	core/webauthn: Disable CTAPHID_WINK function.	2020-03-20 15:07:06 +01:00
knownapps.py	common/defs: add Faceboook to recognized apps	2020-01-16 15:35:45 +00:00
knownapps.py.mako	webauthn: Add use_self_attestation flag to FIDO apps.	2019-12-11 15:29:52 +01:00
list_resident_credentials.py	core/webauthn: Add algorithm and curve to WebAuthnListResidentCredentials response.	2020-03-12 15:45:26 +01:00
README.md	core/webauthn: Add AAGUID to README.md.	2019-12-10 15:56:41 +01:00
remove_resident_credential.py	core/webauthn: rename storage.webauthn to storage.resident_credentials	2019-11-08 12:47:54 +01:00
resident_credentials.py	core/webauthn: rename storage.webauthn to storage.resident_credentials	2019-11-08 12:47:54 +01:00

README.md

WebAuthn

MAINTAINER = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

AUTHOR = Andrew R. Kozlik andrew.kozlik@satoshilabs.com

REVIEWER = Jan Pochyla jan.pochyla@satoshilabs.com, Ondrej Vejpustek ondrej.vejpustek@satoshilabs.com

This app implements WebAuthn authenticator functionality in accordance with the following specifications:

Web Authentication: An API for accessing Public Key Credentials Level 1, W3C Recommendation, 4 March 2019
FIDO Client to Authenticator Protocol (CTAP) v2.0, Proposed Standard, January 30, 2019
SLIP-0022: FIDO2 credential ID format for HD wallets

Supported features and algorithms

This implementation supports client-side credential storage on the device and user verification by PIN entry, making the Trezor T a first-factor roaming authenticator usable for passwordless login.

User verification

The device is capable of verifying the user within itself by direct PIN entry via the touchscreen. Client PIN is not supported, because it is less secure than direct PIN verification. The authenticatorClientPIN command is therefore implemented only to the extent required by the hmac-secret extension. Namely, only the getKeyAgreement subcommand is supported.

Credential selection

Credential selection is supported directly on the device. The authenticatorGetNextAssertion command is therefore not implemented.

Public key credential algorithms

COSE algorithm ES256 (-7): ECDSA using the NIST P-256 curve with SHA-256.

Extenstions

hmac-secret extension.

Attestation types

Self attestation.

AAGUID

The AAGUID is a 128-bit globally unique identifier indicating the type (e.g. make and model) of the authenticator. The AAGUID for Trezor T is d6d0bdc3-62ee-c4db-de8d-7a656e4a4487.