by Dylan16807 1861 days ago
They could have added a new optional mechanism. I'm asking about github's servers specifically, not the long tail rest of the world.

Also, wait, if github isn't doing custom things on their end, how are they enforcing this rule that you need to tap once per connection?

1 comments

The touch/no-touch requirement is controlled by the server (or in FIDO2 terminology, the "relying party").

OpenSSH exposes this as a new sshd option called "no-touch-required", which GitHub probably just does not set.

Specifically, Security Keys sign a blob of data to authenticate. Most of that blob is nonsense to the Security Key. It might mean something to a big complicated web browser or your SSH client, but not the simple, and thus hopefully secure, Security Key.

But, there's a field of bitflags. The Security Key knows what those mean. One of those bitflags is "User Present" or UP, which means, "I promise I have some means to verify a human interacted with me and they did".

For U2F and WebAuthn, UP is just mandatory. So, most devices you will find just always set UP, even if the Relying Party doesn't ask them to. However, with some devices you could choose not to ask for UP, and a device could in this case just skip the touch step, but it must not sign a message with the UP bitflag set in this case.

Some of the flags are currently unused. One that's also interesting for SSH in some environments is UV, "User Verified", which means the device claims to have some way to know if this is its real owner or just a toddler clicking the button. UV is typically set for fingerprint readers, facial recognition, or, the cheapest option, a YubiKey with a PIN, which can set UV if you entered your PIN.
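
The flag check described in the comment above, seen from the server side, as an added example that is not part of the thread and is not OpenSSH's code. It assumes the U2F-style signed layout SHA-256(application) || flags || counter || SHA-256(message) and that the signature over that blob has already verified. The function names, the `require_touch` / `require_verify` parameters and the sample values are hypothetical.

```python
import hashlib
import struct

FLAG_UP = 0x01  # User Present: a human touched the key for this signature
FLAG_UV = 0x04  # User Verified: PIN or biometric check passed

def build_signed_blob(application, flags, counter, message):
    """Constructed sample of what the key signs:
    SHA-256(application) || flags || counter || SHA-256(message)."""
    return (hashlib.sha256(application.encode()).digest()
            + struct.pack(">BI", flags, counter)
            + hashlib.sha256(message).digest())

def check_policy(blob, application, require_touch=True, require_verify=False):
    """Relying-party decision on a blob whose signature already verified.
    require_touch / require_verify are hypothetical policy knobs."""
    if len(blob) != 32 + 1 + 4 + 32:
        return False, "malformed blob"
    if blob[:32] != hashlib.sha256(application.encode()).digest():
        return False, "wrong application"
    # The flags byte is inside the signed data, so the client cannot alter it
    # after the key has produced the signature.
    flags, _counter = struct.unpack(">BI", blob[32:37])
    if require_touch and not flags & FLAG_UP:
        return False, "UP not set"
    if require_verify and not flags & FLAG_UV:
        return False, "UV not set"
    return True, "ok"

if __name__ == "__main__":
    msg = b"constructed session data"
    for flags in (0x00, FLAG_UP, FLAG_UP | FLAG_UV):
        blob = build_signed_blob("ssh:", flags, 7, msg)
        print(f"flags={flags:#04x}",
              "default:", check_policy(blob, "ssh:"),
              "no-touch:", check_policy(blob, "ssh:", require_touch=False),
              "verify:", check_policy(blob, "ssh:", require_verify=True))
```

A signature made without a touch is only accepted when the server has explicitly relaxed `require_touch`, which is the sense in which the requirement is controlled by the relying party.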

Is the device explicitly not allowed to use a single touch to establish UP for a few minutes?

User presence is defined in present time. There are no FIDO police who'll burn down your factory or arrest your executives if your device doesn't do this, but removing this safeguard has (at least potentially) negative consequences.

I believe some theoretical attacks against user privacy would benefit from being able to attempt a huge number of "authentication" steps without annoying the human by making them touch the sensor. As with the Socialist Millionaire's Protocol or Magic Wormhole, we're relying on the fact that humans get annoyed fairly quickly and will just give up if it doesn't work, so attacks that require a large number of iterations cannot mechanically succeed.