Hide serial number feature #8

Open
jans23 opened this issue Feb 12, 2019 · 4 comments
Labels
enhancement New feature or request good first issue Good for newcomers

@jans23
Member

jans23 commented Feb 12, 2019

To be confirmed if this behaviour is expected by FIDO2 devices.

jans23 added this to the Version 1.0 milestone Feb 13, 2019
@szszszsz
Member

szszszsz commented Jun 7, 2019

I believe it should be hidden by default.

szszszsz modified the milestones: Version 1.0, Version 1.1 Sep 12, 2019
jans23 modified the milestones: Version 1.1, Version 1.0 Sep 12, 2019
@szszszsz
Member

Looking at the FIDO U2F spec, I see only that it should not be possible to fingerprint the device:

T-1.2.6 Fingerprinting Authenticators (Violates: SG-4, SG-7, SG-8)
  A remote adversary is able to uniquely identify a FIDO user device using the fingerprint of discoverable configuration of its FIDO Authenticators.
  Consequences: The exposed information violates [SG-8] Limited PII, allowing an adversary to violate [SG-7] User Consent by strongly authenticating the user without their knowledge and [SG-4] Unlinkability by sharing that fingerprint.
  Mitigations: [SM-3] Authenticator Class Attestation ensures that the fingerprint of an Authenticator will not be unique. For web browsing situations where this threat is most prominent, user agents may provide additional user controls around the discoverability of FIDO Authenticators.

@jans23
Member Author

jans23 commented Nov 26, 2019

I believe this ticket is about the serial number via USB descriptor. Exposing the device serial number via USB descriptor wouldn't expose the serial number to web browsing situations. Therefore I'm not sure the quotation is applicable.

@szszszsz
Member

Scheduled to be added in the next release.

szszszsz modified the milestones: Version 1.0, Version 1.1 Dec 4, 2019
szszszsz modified the milestones: Version 2.0, Version 2.1 May 18, 2020
szszszsz added the enhancement New feature or request label May 19, 2020
szszszsz added the good first issue Good for newcomers label Feb 10, 2021
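
What "serial number via USB descriptor" means at the byte level, as an added example that is not part of this thread or the project's firmware: the 18-byte USB device descriptor carries an `iSerialNumber` string index, and an index of 0 means the device advertises no serial string. The vendor/product IDs, the serial value and the helper names below are constructed for illustration.

```python
import struct
from typing import Dict, Optional

# Standard USB device descriptor layout (18 bytes, little-endian).
DEVICE_DESC_FMT = "<BBHBBBBHHHBBBB"
DT_DEVICE, DT_STRING = 0x01, 0x03

def parse_device_descriptor(raw: bytes) -> dict:
    """Return the fields relevant to device identification."""
    if len(raw) < 18:
        raise ValueError("device descriptor must be 18 bytes")
    f = struct.unpack(DEVICE_DESC_FMT, raw[:18])
    if f[0] != 18 or f[1] != DT_DEVICE:
        raise ValueError("not a USB device descriptor")
    return {"idVendor": f[7], "idProduct": f[8], "iManufacturer": f[10],
            "iProduct": f[11], "iSerialNumber": f[12]}

def decode_string_descriptor(raw: bytes) -> str:
    """String descriptors are bLength, bDescriptorType, then UTF-16LE text."""
    if len(raw) < 2 or raw[1] != DT_STRING or not 2 <= raw[0] <= len(raw):
        raise ValueError("malformed string descriptor")
    return raw[2:raw[0]].decode("utf-16-le")

def exposed_serial(device_desc: bytes, strings: Dict[int, bytes]) -> Optional[str]:
    """Return the serial a host can read, or None if the device hides it.

    `strings` maps string index -> raw string descriptor, as captured
    from the device (here: constructed sample data).
    """
    idx = parse_device_descriptor(device_desc)["iSerialNumber"]
    if idx == 0:                      # no serial string advertised
        return None
    raw = strings.get(idx)
    if raw is None:                   # index advertised but string not served
        return None
    return decode_string_descriptor(raw) or None

# --- constructed sample descriptors (not taken from a real device) ---
def make_device(i_serial: int) -> bytes:
    return struct.pack(DEVICE_DESC_FMT, 18, DT_DEVICE, 0x0200, 0, 0, 0, 64,
                       0x1234, 0x5678, 0x0100, 1, 2, i_serial, 1)

def make_string(text: str) -> bytes:
    body = text.encode("utf-16-le")
    return bytes([2 + len(body), DT_STRING]) + body

if __name__ == "__main__":
    strings = {3: make_string("CONSTRUCTED-0001")}
    print("serial shown: ", exposed_serial(make_device(3), strings))
    print("serial hidden:", exposed_serial(make_device(0), strings))
```
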

2 participants