action #151666

open

[security] FIDO2 key testing

Added by emiler 5 months ago. Updated 2 months ago.

Status: Workable
Priority: Normal
Assignee:
Category: -
Target version: -
Start date: 2023-11-29
Due date:
% Done: 0%
Estimated time: 8.00 h
Difficulty:
Tags:

Description

We could cover a new area of testing, which deals with FIDO2 keys. The scope should definitely be, at least, 2FA with web applications, but we could also test resident and non-resident keys for SSH and PGP, which are supported at least by Yubikeys.

Our options would be:

  • Bare-metal test with a physical key attached
  • Using a software FIDO2 key, such as rust-u2f or virtual-fido


Actions #1

Updated by emiler 5 months ago

  • Description updated (diff)
Actions #2

Updated by tjyrinki_suse 5 months ago

  • Status changed from New to Workable
Actions #3

Updated by emiler 5 months ago

I've successfully deployed both software examples and tested them with a Yubico demo. The rust version needs to be built using cargo and some further dependencies. virtual-fido works with just go installed, since it provides a demo binary.

This sort of testing only verifies the functionality of the implementation, but not physical keys. The issue is that physical keys usually have a proof of presence, which requires us to touch the device. We could use a custom-built key or something other than Yubikeys, which are the most common.

I am starting to think that a complete automated test suite is not possible due to the security features presented by current FIDO2 keys.
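An added example, not part of the ticket and not code from rust-u2f or virtual-fido: the relying-party-side checks a 2FA test could assert on, including the user presence (UP) flag that corresponds to the touch discussed above. It assumes the WebAuthn authenticator data layout, uses a constructed RP ID `demo.example` and hypothetical helper names, and does not verify the assertion signature.

```python
import hashlib
import struct

# Flag bits in the authenticator data "flags" byte (WebAuthn / CTAP2).
FLAG_UP = 0x01  # user present: the touch a physical key asks for
FLAG_UV = 0x04  # user verified: PIN or biometric


def parse_auth_data(raw):
    """Split the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags = raw[32]
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return {
        "rp_id_hash": raw[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "sign_count": sign_count,
    }


def check_assertion(raw, rp_id, stored_count, require_uv=False):
    """Return the list of failed checks; an empty list means all passed."""
    ad = parse_auth_data(raw)
    problems = []
    if ad["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        problems.append("rpIdHash mismatch")
    if not ad["user_present"]:
        problems.append("UP flag not set")
    if require_uv and not ad["user_verified"]:
        problems.append("UV flag not set")
    # Counters are only compared when at least one side is non-zero.
    if (ad["sign_count"] or stored_count) and ad["sign_count"] <= stored_count:
        problems.append("signature counter did not increase")
    return problems


def sample_auth_data(rp_id, flags, count):
    """Constructed input: what an authenticator would report for rp_id."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", count)


if __name__ == "__main__":
    rp = "demo.example"  # constructed RP ID, not from the ticket
    print(check_assertion(sample_auth_data(rp, FLAG_UP, 5), rp, 4))
    print(check_assertion(sample_auth_data(rp, 0x00, 5), rp, 4))
```

A software authenticator sets the UP flag without any physical touch, so these checks exercise the relying party's handling of the flag rather than the key's presence test.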

Actions #5

Updated by tjyrinki_suse 2 months ago

  • Estimated time set to 8.00 h