<p>OTPme - Feature #64: Implement U2F token</p>
<p>Updated by The 2nd on 2015-11-29 17:16 (<a class="external" href="https://www.otpme.org/redmine/issues/64?journal_id=79">journal #79</a>)</p>
<p>Some notes on U2F:</p>
<p>It looks like the "master key" of a U2F token is generated during manufacturing and cannot be regenerated by the user. As described in the links below, the reason for this is the attestation certificates. They are used to ensure that the key is not backed up/cloned, and thus the authentication service can use them to apply rules like "only allow U2F tokens from manufacturer X". This is a nice feature for everyone who wants to allow users to roll out their own tokens but wants to prevent users from using insecure (e.g. software) tokens. But it also means that you have to trust the manufacturer. Currently there seems to be no way around this. But as Yubico stated in the forum post below, they could at least sell "un-programmed" tokens that users could load their own keys and attestation certificates onto. Another and IMHO better solution would be to allow the U2F feature of the YubiKey to use a second slot, just like it's done for the OTP/static password feature. This would allow us to use the YubiKey with a trusted, self-created secret for our own systems without killing the manufacturer key/certs, which may be needed if you want to use the YubiKey with a third party that requires valid attestation certificates.</p>
<p><a class="external" href="https://developers.yubico.com/U2F/Protocol_details/Key_generation.html">https://developers.yubico.com/U2F/Protocol_details/Key_generation.html</a><br /><a class="external" href="http://forum.yubico.com/viewtopic.php?f=33&t=1666">http://forum.yubico.com/viewtopic.php?f=33&t=1666</a></p>
<p>Updated by The 2nd on 2015-12-02 23:11 (<a class="external" href="https://www.otpme.org/redmine/issues/64?journal_id=80">journal #80</a>)</p>
<ul><li><strong>% Done</strong> changed from <i>0</i> to <i>30</i></li></ul>
<p>Updated by The 2nd on 2015-12-06 23:36 (<a class="external" href="https://www.otpme.org/redmine/issues/64?journal_id=81">journal #81</a>)</p>
<ul><li><strong>% Done</strong> changed from <i>30</i> to <i>70</i></li></ul><p>Implemented first working version that can be used to do OTPme realm authentication.</p>
<ul>
<li>Checking U2F counter needs to be implemented</li>
<li>Current version lacks offline login possibilities</li>
</ul>
<p>Updated by The 2nd on 2015-12-08 22:08 (<a class="external" href="https://www.otpme.org/redmine/issues/64?journal_id=82">journal #82</a>)</p>
<ul><li><strong>Status</strong> changed from <i>New</i> to <i>In progress</i></li><li><strong>% Done</strong> changed from <i>70</i> to <i>80</i></li></ul><ul>
<li>Implemented counter check using the token counter mechanism for synchronization between nodes/hosts</li>
</ul>
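<p>As an added illustration of the counter check described in the entries above (example code, not OTPme's own implementation): it splits a raw U2F authentication response into its user-presence byte, 4-byte big-endian counter and signature, rejects any counter that has not advanced past the stored value, and merges counter views from other nodes by taking the maximum. Signature verification is assumed to happen elsewhere; the class and function names and the sample response are constructed for this example.</p>

```python
import struct


class CounterCheckError(Exception):
    """Raised when a U2F signature counter does not advance."""


def parse_auth_response(data: bytes):
    """Split a raw U2F authentication response into its fields.

    Layout per the U2F raw message format: 1 byte user-presence flags,
    4-byte big-endian signature counter, then the DER-encoded signature.
    The signature itself is not verified here (assumed done separately).
    """
    if len(data) < 5:
        raise ValueError("U2F authentication response too short")
    user_present = bool(data[0] & 0x01)
    (counter,) = struct.unpack(">I", data[1:5])
    return user_present, counter, data[5:]


class TokenCounterStore:
    """Highest signature counter seen per key handle on this node.

    Each node keeps its own view; merge() folds in another node's view
    by taking the maximum, so a response replayed against a lagging node
    is still rejected once the views are synchronised.
    """

    def __init__(self):
        self.counters = {}

    def merge(self, other_counters: dict) -> None:
        for key_handle, value in other_counters.items():
            self.counters[key_handle] = max(self.counters.get(key_handle, 0), value)

    def check_and_update(self, key_handle: str, response: bytes) -> int:
        present, counter, _signature = parse_auth_response(response)
        if not present:
            raise CounterCheckError("user presence not asserted by token")
        last = self.counters.get(key_handle, 0)
        if counter <= last:
            # A counter that does not advance indicates a replayed response
            # or a cloned token whose copy has already been used elsewhere.
            raise CounterCheckError(f"counter {counter} not above stored {last}")
        self.counters[key_handle] = counter
        return counter


# Constructed sample: presence bit set, counter 5, placeholder signature bytes.
SAMPLE_RESPONSE = b"\x01" + (5).to_bytes(4, "big") + b"\x30\x00"
```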