> Is there anything in the standard about proving to the server that you have a genuine FIDO device

Yes. When registering a credential you can request[1] attestation information. Generally this will come in the form of an X.509 certificate[2] per batch of 100,000 devices which is signed by the manufacturer and which signs the generated key. FIDO is planning on running a central registry[3] of devices which should include their certifications and manufacturer public keys etc. For more details, see [4].

> My understanding of FIDO (v1) is that the only function a device has to offer is authentication through digital signature.

That's correct: CTAP1 just signs things. You can prove to a remote service that the credential is in live use right now because it signs over a server-provided nonce to show freshness, but that's all. With CTAP2, devices can store keys themselves and they can provide a random oracle (i.e. HMAC) for unlocking locally encrypted data[5]. FIDO2 devices can also require a PIN to be provided before keys are released. (Or have a local fingerprint reader, although I don't know of any such devices yet.)

[1] https://www.w3.org/TR/webauthn/#attestation-convey
[2] https://www.w3.org/TR/webauthn/#fido-u2f-attestation
[3] https://fidoalliance.org/mds/
[4] https://www.imperialviolet.org/2018/03/27/webauthn.html#atte...
[5] https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-cl...
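The "random oracle (i.e. HMAC) for unlocking locally encrypted data" mentioned above is what CTAP2 calls the hmac-secret extension: the authenticator keeps a per-credential random secret (CredRandom) that never leaves the device and, once the PIN gate passes, returns HMAC-SHA256(CredRandom, salt) for a client-chosen 32-byte salt. The client stores the salt in the clear next to its ciphertext and re-derives the same key on every unlock. The following is an added illustration, not code from the comment or from any FIDO implementation: the `Authenticator` class is a constructed stand-in for a real device, and `seal`/`unseal` are a deliberately simple HMAC-based stream cipher with an integrity tag, used here only so the whole flow runs with the Python standard library.

```python
import hmac
import hashlib
import secrets
from typing import Optional


class Authenticator:
    """Constructed model of a CTAP2 authenticator with hmac-secret support.
    Keys are released only after the PIN check; CredRandom is used solely
    as an HMAC key and is never returned to the client."""

    def __init__(self, pin: str):
        self._pin = pin.encode()
        self._creds = {}  # credential id -> CredRandom (32 random bytes)

    def _check_pin(self, pin: str) -> None:
        if not hmac.compare_digest(pin.encode(), self._pin):
            raise PermissionError("PIN check failed; authenticator releases nothing")

    def make_credential(self, pin: str) -> bytes:
        """Create a credential that supports hmac-secret and return its id."""
        self._check_pin(pin)
        cred_id = secrets.token_bytes(16)
        self._creds[cred_id] = secrets.token_bytes(32)
        return cred_id

    def hmac_secret(self, cred_id: bytes, salt: bytes, pin: str) -> bytes:
        """The 'random oracle': HMAC-SHA256(CredRandom, salt) for a 32-byte salt."""
        self._check_pin(pin)
        if len(salt) != 32:
            raise ValueError("hmac-secret salt must be exactly 32 bytes")
        return hmac.new(self._creds[cred_id], salt, hashlib.sha256).digest()


# --- client side: local encryption keyed by the authenticator's output -------

def _keystream(key: bytes, nonce: bytes, length: int) -> bytes:
    """Counter-mode keystream built from HMAC-SHA256 (toy construction)."""
    out = b""
    counter = 0
    while len(out) < length:
        block = nonce + counter.to_bytes(4, "big")
        out += hmac.new(key, block, hashlib.sha256).digest()
        counter += 1
    return out[:length]


def seal(key: bytes, plaintext: bytes) -> bytes:
    """Encrypt-then-MAC: nonce || ciphertext || tag, with separate sub-keys."""
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce = secrets.token_bytes(16)
    ks = _keystream(enc_key, nonce, len(plaintext))
    ct = bytes(p ^ k for p, k in zip(plaintext, ks))
    tag = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    return nonce + ct + tag


def unseal(key: bytes, blob: bytes) -> Optional[bytes]:
    """Return the plaintext, or None if the tag does not verify under this key."""
    if len(blob) < 16 + 32:
        return None
    enc_key = hmac.new(key, b"enc", hashlib.sha256).digest()
    mac_key = hmac.new(key, b"mac", hashlib.sha256).digest()
    nonce, ct, tag = blob[:16], blob[16:-32], blob[-32:]
    expected = hmac.new(mac_key, nonce + ct, hashlib.sha256).digest()
    if not hmac.compare_digest(tag, expected):
        return None
    ks = _keystream(enc_key, nonce, len(ct))
    return bytes(c ^ k for c, k in zip(ct, ks))


def protect_blob(auth: Authenticator, cred_id: bytes, pin: str, plaintext: bytes):
    """Pick a fresh salt, ask the device for the derived key, encrypt locally.
    The salt is stored in the clear next to the ciphertext; without the
    device (and its PIN) the salt alone yields nothing."""
    salt = secrets.token_bytes(32)
    key = auth.hmac_secret(cred_id, salt, pin)
    return salt, seal(key, plaintext)


def unlock_blob(auth: Authenticator, cred_id: bytes, pin: str,
                salt: bytes, blob: bytes) -> Optional[bytes]:
    """Re-derive the same key from the stored salt and decrypt."""
    key = auth.hmac_secret(cred_id, salt, pin)
    return unseal(key, blob)


if __name__ == "__main__":
    device = Authenticator(pin="1234")
    cid = device.make_credential("1234")
    salt, blob = protect_blob(device, cid, "1234", b"locally encrypted secret")
    print(unlock_blob(device, cid, "1234", salt, blob))
```

Two properties of the real extension are visible here: the derived key is deterministic for a given (credential, salt) pair, so the client never has to store the key itself, and every call goes through the PIN gate, so a stolen laptop disk holds only the salt and ciphertext. Anything that ships this should use a vetted AEAD instead of the toy `seal`/`unseal`.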
A FIDO2 device with fingerprint reader was supposedly launched at RSA 2018 [1][2].
[1] https://mobileidworld.com/fido2-compliant-usb-key-fingerprin...
[2] https://www.slideshare.net/FIDOAlliance/fido-kwg-tech-semina...