Yubikey bio assertion - failed to fallback from fingerprint to PIN
niryanowsky opened this issue · 4 comments
Hello,
Working in Windows 11 with Yubikey bio.
After generating a new credential in the Yubikey bio with the hmac extension and uv = true,
I'm not able to fall back from fingerprint to PIN in the assertion, even though fido_dev_get_retry_count == 8.
The Assertion case:
Assertion uv = true, up = omit
fido_dev_get_assert(device, _assertion, nullptr)
-> put wrong FP.
-> get FIDO_ERR_UV_INVALID, fido_dev_get_uv_retry_count == 2
fido_dev_get_assert(device, _assertion, nullptr)
-> put wrong FP.
-> get FIDO_ERR_UV_INVALID, fido_dev_get_uv_retry_count == 1
fido_dev_get_assert(device, _assertion, nullptr)
-> put wrong FP.
-> get FIDO_ERR_UV_INVALID, fido_dev_get_uv_retry_count == 0
fido_dev_get_assert(device, _assertion, CORRECT_PIN);
-> get FIDO_ERR_INTERNAL (fido_dev_get_retry_count == 8)
LevelLog = DEBUG. The log is only of the last call to fido_dev_get_assert (with the correct PIN).
libfido: fido_dev_authkey_tx: dev=00000223666A0B90
libfido: fido_tx: dev=00000223666A0B90, cmd=0x10
libfido: fido_tx: buf=0000022365FDE2E0, len=6
libfido: 0000: 06 a2 01 02 02 02
libfido: fido_dev_authkey_rx: dev=00000223666A0B90, authkey=000002236671DC80, ms=-1
libfido: fido_rx: dev=00000223666A0B90, cmd=0x10, ms=-1
libfido: rx_preamble: buf=0000005605DFDC70, len=64
libfido: 0000: 5f 83 df d9 bf 00 01 06 00 00 00 00 00 00 00 00
libfido: 0016: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido: 0032: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido: 0048: 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00 00
libfido: rx_preamble: cid (0xd9df835f, 0xd9df835f), cmd (0xbf, 0x10)
libfido: rx: rx_preamble
libfido: fido_dev_authkey_rx: fido_rx
libfido: fido_do_ecdh: fido_dev_authkey
libfido: fido_dev_get_assert: fido_do_ecdh
Note: if I put the correct FP, it works perfectly.
Any idea why this is happening?
Thanks
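Added example, not part of the original post and not libfido2 code: a decoder for the 64-byte rx_preamble frame in the log above, assuming the CTAPHID initialization-packet layout and error codes from the CTAP specification. The struct and function names are hypothetical.

```c
#include <stddef.h>
#include <stdint.h>
#include <stdio.h>
#include <string.h>

#define CTAPHID_CBOR  0x10 /* the cmd=0x10 that libfido2 sent */
#define CTAPHID_ERROR 0x3f /* logged as 0xbf once the init-packet bit is set */

struct ctaphid_init { uint32_t cid; uint8_t cmd; uint16_t bcnt; const uint8_t *data; };

/* rx_preamble frame copied from the debug log in the post; bytes 8..63 are zero. */
static const uint8_t page_frame[64] = { 0x5f, 0x83, 0xdf, 0xd9, 0xbf, 0x00, 0x01, 0x06 };

/* Assumed layout (CTAP spec): CID(4) | CMD(1, bit 7 set) | BCNT(2, big-endian) | DATA. */
int ctaphid_parse_init(const uint8_t *p, size_t len, struct ctaphid_init *m)
{
    if (len < 7 || !(p[4] & 0x80)) /* too short, or a continuation packet */
        return -1;
    /* Little-endian view, matching how the log prints the cid (0xd9df835f). */
    m->cid = (uint32_t)p[0] | ((uint32_t)p[1] << 8) |
             ((uint32_t)p[2] << 16) | ((uint32_t)p[3] << 24);
    m->cmd = p[4] & 0x7f;
    m->bcnt = (uint16_t)((p[5] << 8) | p[6]);
    m->data = p + 7;
    return 0;
}

const char *ctaphid_error_name(uint8_t code)
{
    switch (code) { /* CTAPHID error codes from the CTAP specification */
    case 0x01: return "ERR_INVALID_CMD";
    case 0x02: return "ERR_INVALID_PAR";
    case 0x03: return "ERR_INVALID_LEN";
    case 0x04: return "ERR_INVALID_SEQ";
    case 0x05: return "ERR_MSG_TIMEOUT";
    case 0x06: return "ERR_CHANNEL_BUSY";
    case 0x0a: return "ERR_LOCK_REQUIRED";
    case 0x0b: return "ERR_INVALID_CHANNEL";
    case 0x7f: return "ERR_OTHER";
    default:   return "unknown error code";
    }
}

/* Explain a reply frame when `want` was the command that had been sent. */
const char *explain_rx(const uint8_t *p, size_t len, uint8_t want)
{
    struct ctaphid_init m;
    if (ctaphid_parse_init(p, len, &m) != 0) return "malformed";
    if (m.cmd == want) return "ok";
    if (m.cmd == CTAPHID_ERROR && m.bcnt == 1 && len >= 8)
        return ctaphid_error_name(m.data[0]);
    return "unexpected command";
}

int main(void) { puts(explain_rx(page_frame, sizeof(page_frame), CTAPHID_CBOR)); return 0; }
```

For the frame in the log this yields ERR_CHANNEL_BUSY: the reply to the CTAPHID_CBOR request was a CTAPHID_ERROR packet, which is why rx_preamble reports cmd (0xbf, 0x10).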
I am not sure I understand the question. You talk about fido_dev_make_cred(), but the debug output concerns fido_dev_get_assert(). Is the problem happening with fido_dev_make_cred(), fido_dev_get_assert(), or both?
@martelletto
Sorry, my bad. I updated the post.
It happens to me only in assertion, when using fido_dev_get_assert().
When making a credential, the fallback works fine.
Thank you for the clarification. Could you tell me a bit more about what the application is doing? For instance, are you opening the device once and making multiple calls to fido_dev_get_assert(), or do you open and close the device each time? Would it be feasible to reproduce the problem with dummy credentials and share the complete output of FIDO_DEBUG=1?
The fallback is possible when I change always_uv from 1 to 0 after builtInUvRetry is 0.
And it makes sense with the Client to Authenticator Protocol.
Thanks anyway.