"Windows Hello" authenticator on Win 11 FIDO Metadata validation alg mismatch issue #393

WorldThirteen · 2023-06-09T22:37:44Z

WorldThirteen
Jun 9, 2023

This topic might seem similar to the #238, but I believe it is most likely a different problem, I've tried to include as much info as requested in #238 (comment).

Brief story

There was a laptop with Win 10 installed, which successfully configured the passkey using SimpleWebAuthn-powered service.
Then Windows was updated to Windows 11 on the same device, and an error occurred trying to re-create the passkey using this service. Direct attestation is requested, and the default FIDO MDS is enabled.

The issue appears in the attestation validation with metadata:

Error: Public key parameters { kty: 2, alg: -7, crv: 1 } did not match any of the following metadata algorithms:
[
  'rsassa_pkcsv15_sha256_raw' (COSE info: { kty: 3, alg: -257 })
] (TPM)
    at verifyAttestationTPM (/app/node_modules/@simplewebauthn/server/dist/registration/verifications/tpm/verifyAttestationTPM.js:226:19)
    at async verifyRegistrationResponse (/app/node_modules/@simplewebauthn/server/dist/registration/verifyRegistrationResponse.js:161:20)

After a brief investigation there is the following information:

Both registrations used the same AAGUID since the device was the same: 08987058-cadc-4b81-b6e1-30de50dcbe96;
From the FIDO MDS as of Jun 9, 2023, the only supported algorithm is rsassa_pkcsv15_sha256_raw, as correctly and pretty informative displayed in the error above (link for short reaching the FIDO MDS statements https://opotonniee.github.io/fido-mds-explorer);

The following section of code is responsible for the corresponding check:

SimpleWebAuthn/packages/server/src/metadata/verifyAttestationWithMetadata.ts

Lines 64 to 116 in 0ab19d8

    
             /** 
        
              * Attempt to match the credential public key's algorithm to one specified in the device's 
        
              * metadata 
        
              */ 
        
             let foundMatch = false; 
        
             for (const keypairAlg of keypairCOSEAlgs) { 
        
               // Make sure algorithm and key type match 
        
               if (keypairAlg.alg === publicKeyCOSEInfo.alg && keypairAlg.kty === publicKeyCOSEInfo.kty) { 
        
                 // If not an RSA keypair then make sure curve numbers match too 
        
                 if ( 
        
                   (keypairAlg.kty === COSEKTY.EC2 || keypairAlg.kty === COSEKTY.OKP) && 
        
                   keypairAlg.crv === publicKeyCOSEInfo.crv 
        
                 ) { 
        
                   foundMatch = true; 
        
                 } else { 
        
                   // We've matched an RSA public key's properties 
        
                   foundMatch = true; 
        
                 } 
        
               } 
        
               if (foundMatch) { 
        
                 break; 
        
               } 
        
             } 
        
             // Make sure the public key is one of the allowed algorithms 
        
             if (!foundMatch) { 
        
               /** 
        
                * Craft some useful error output from the MDS algorithms 
        
                * 
        
                * Example: 
        
                * 
        
                * ``` 
        
                * [ 
        
                *   'rsassa_pss_sha256_raw' (COSE info: { kty: 3, alg: -37 }), 
        
                *   'secp256k1_ecdsa_sha256_raw' (COSE info: { kty: 2, alg: -47, crv: 8 }) 
        
                * ] 
        
                * ``` 
        
                */ 
        
               const debugMDSAlgs = authenticationAlgorithms.map( 
        
                 algSign => `'${algSign}' (COSE info: ${stringifyCOSEInfo(algSignToCOSEInfoMap[algSign])})`, 
        
               ); 
        
               const strMDSAlgs = JSON.stringify(debugMDSAlgs, null, 2).replace(/"/g, ''); 
        
               /** 
        
                * Construct useful error output about the public key 
        
                */ 
        
               const strPubKeyAlg = stringifyCOSEInfo(publicKeyCOSEInfo); 
        
               throw new Error( 
        
                 `Public key parameters ${strPubKeyAlg} did not match any of the following metadata algorithms:\n${strMDSAlgs}`, 
        
               ); 
        
             }

;

SimpleWebAuthn version used: └── @simplewebauthn/[email protected];
It is clearly a mismatch between the credentialPublicKey and allowed authentication algorithms in metadata (ES256 vs RSA);
The issue was reproduced on 2 different devices with Windows 11 installed.

Additional data:

The WebAuthn registration request request

{
  "challenge": "REDACTED",
  "rp": {
    "name": "REDACTED",
    "id": "REDACTED"
  },
  "user": {
    "id": "REDACTED",
    "name": "REDACTED",
    "displayName": "REDACTED"
  },
  "pubKeyCredParams": [
    {
      "alg": -8,
      "type": "public-key"
    },
    {
      "alg": -7,
      "type": "public-key"
    },
    {
      "alg": -257,
      "type": "public-key"
    }
  ],
  "timeout": 60000,
  "attestation": "direct",
  "excludeCredentials": [
    {
      "id": "zo54gozOFyRO-LRqTckVzw",
      "type": "public-key",
      "transports": [
        "hybrid",
        "internal"
      ]
    }
  ],
  "authenticatorSelection": {
    "residentKey": "preferred",
    "userVerification": "required",
    "requireResidentKey": false
  },
  "extensions": {
    "credProps": true
  }
}

Attestation object

o2NmbXRjdHBtZ2F0dFN0bXSmY2FsZzn__mNzaWdZAQA1rDcWYZcqEkdVp8D_utz_Vl9B_UhwN12K17vHq-ISiW1O5lj_h9pfmlXiYS1mzpWL9WkeVtEAxXDKbyFNE045Pve5fMeYVdEt7y9atIlQ9xf539Msvpj7_oz6v63hdQu3SyMFTKIVsSxkJsPqhNIL89vtEoLDja3d5QccYApMXS66AnA5nfk-rwAECWClCGoeBHXMb26qFrjUdkhFY79q3ITlbO9OGyFlUj2_R_-Qn9wE53njvMNIycpnoYvIZmpqTxY9WZ4byUg_8AnMDrF7z5M91aJdy57ZrbAdz99QtyGc38jTTSorqmi4WBiEoY1TT2cjcAh3FM_y_P8vQkXKY3ZlcmMyLjBjeDVjglkFvTCCBbkwggOhoAMCAQICEBfzV53dzE_XkuMv8bAjnyEwDQYJKoZIhvcNAQELBQAwQjFAMD4GA1UEAxM3RVVTLUlOVEMtS0VZSUQtQjA2NkQ5Njk3RjVEM0EwN0I0MjVDMTBGNTg3Q0NFRUNGMTZGRkU1ODAeFw0yMzA2MDgwOTEyNTFaFw0yNzA2MDMxNzUxMDVaMAAwggEiMA0GCSqGSIb3DQEBAQUAA4IBDwAwggEKAoIBAQCb4lo5dcys31SZ5f5GAc99o1i6isJB1Y4KOJhxsK3uuE3ieIZAxrhsvgIJxeTd4IgJixYkUYb9sy1BfPIZn0BOQBmH_qVU7RcNtHhqEB4muyWb45QL3COTZhaJCnac720Dj7JyycW1ibY517UFXsLjYkJJ3gPUPES9Q4HqiDRuB1HvL8OKhTraJivwADv45nLrlVv7i2YtiRqPWyCR5cDx1XZP-Y6BBWo21aRkGmHJn_726quUSCfHegFrkFyK26Bveq8Z9cAaAcZDL3diGf8FaAfE7-lsybZHVfAH5Eds6kJXQipRUcZazSV3J5WmToylfnsXwWGuFHW5a3oBP6a9AgMBAAGjggHrMIIB5zAOBgNVHQ8BAf8EBAMCB4AwDAYDVR0TAQH_BAIwADBtBgNVHSABAf8EYzBhMF8GCSsGAQQBgjcVHzBSMFAGCCsGAQUFBwICMEQeQgBUAEMAUABBACAAIABUAHIAdQBzAHQAZQBkACAAIABQAGwAYQB0AGYAbwByAG0AIAAgAEkAZABlAG4AdABpAHQAeTAQBgNVHSUECTAHBgVngQUIAzBQBgNVHREBAf8ERjBEpEIwQDEWMBQGBWeBBQIBDAtpZDo0OTRFNTQ0MzEOMAwGBWeBBQICDANUR0wxFjAUBgVngQUCAwwLaWQ6MDI1ODAwMDcwHwYDVR0jBBgwFoAUaAThqfZhToosywMcnQAOoZ_3aIMwHQYDVR0OBBYEFHe1SoBjXVb32bGR0oSsMxkXLOGnMIGzBggrBgEFBQcBAQSBpjCBozCBoAYIKwYBBQUHMAKGgZNodHRwOi8vYXpjc3Byb2RldXNhaWtwdWJsaXNoLmJsb2IuY29yZS53aW5kb3dzLm5ldC9ldXMtaW50Yy1rZXlpZC1iMDY2ZDk2OTdmNWQzYTA3YjQyNWMxMGY1ODdjY2VlY2YxNmZmZTU4Lzc5MWYwYWUzLWYyNDQtNGE4Yy04NWQ1LWMzODNiYjdlMDM5My5jZXIwDQYJKoZIhvcNAQELBQADggIBACu6od4kRrvFTJmBiC5Fswnb_lg2siAOwu-BvU_UFhyiGzyrGhq82An5q4hO_OmzV2nVMLMmCzcQCTkqz5BBbkrVsDgdNhsBaVAM1o4ko_HY0VESeNmBOpuGEIVEV7PypC9D7MH4RE8OrM2AMmAinaW2P0fV_AA351pRopKgarZb-Firiuw42HTuYDBaxXfD8EnphoE0QuBi-ZK1YGQHDau6BQAZkQWTZt2NxBqhtlxcy3Xipfwx-5oHsz6KKFQA5W-C7aA_hTX8X9YEpJZtLzSU_uV-EfAPFcj9-sVsw_Cc8M0vJ8q6QXw0KE4l-5OuNpF-Rk2ww7AIXWTygqBntewFryTY31za9WFxg-LKMMBArTS8sYuSRioRJtzw1w9ymqyNG2yjjGEC19G1RpO1W_GcYCn2CIzWg2LwVr0dsMmdDr9SjuadSTdc_5NcThQiaEz5PA7qkXDJGXYE8v4YBIj7Oy-OlHd1r3Qidm0-OMIIPHkDbOAVaMBa4YePoDyFeHxTUQHNoar-Q3q10870uEt0q4wOlVbklnrBKoqJLxIjoj-wwRH4T8Yjz13gGrSal4j383zQOy1ExqG6RHl_xVbclH1OKqn_fX0As0PyVPrSKg_Z5HRj6t7NZ75csOz7dtKsxAE1NG5MCS4rNWZAaNFk9LonWN3l3W962e48jZxvWQbwMIIG7DCCBNSgAwIBAgITMwAAA9TNmGZQ0JUydwAAAAAD1DANBgkqhkiG9w0BAQsFADCBjDELMAkGA1UEBhMCVVMxEzARBgNVBAgTCldhc2hpbmd0b24xEDAOBgNVBAcTB1JlZG1vbmQxHjAcBgNVBAoTFU1pY3Jvc29mdCBDb3Jwb3JhdGlvbjE2MDQGA1UEAxMtTWljcm9zb2Z0IFRQTSBSb290IENlcnRpZmljYXRlIEF1dGhvcml0eSAyMDE0MB4XDTIxMDYwMzE3NTEwNVoXDTI3MDYwMzE3NTEwNVowQjFAMD4GA1UEAxM3RVVTLUlOVEMtS0VZSUQtQjA2NkQ5Njk3RjVEM0EwN0I0MjVDMTBGNTg3Q0NFRUNGMTZGRkU1ODCCAiIwDQYJKoZIhvcNAQEBBQADggIPADCCAgoCggIBAMe8XHbaqGYc0qdWqeJPZxStUBxEXPtjPwsrzGxuGHHOaBbtQwIWtDXRQ6QS98gE68iI7qOQYS5fNVAmjegKanXtGS31txkgWwD_IzPraIXslV8yXbiY13d8TDJd6xAyzTmb8HP3LSPlpoQQfd4zF_nsljjowRH2TUU5rUn2mAKksfjNDwIq5JgjaKuNtD5XehZ0qw7Lngu83-pRECbsiduhvSbnBp7xiulClPyAw6gMOhoGNVvTkq4V38lM6NMrGD6cQCJcolc8X4rXqsaILnLeDU_ixaKZ4SLTF4xN4bTm3-Wm38tTVCHnRI5uWGN89ML02IDAesHEviwkSnZKld9LRjISVWR0rA-0O5Cup9CEvTCife_4jurIbCv7XlasiFSdhgB0rFzOiFQGMIiZUGXKI1SRbyRNbmk5t-S4nqLPL2Dba3KaSC56q6yT4bftDukf-tyf-O7oktmEF8zieca4WiKWgA3jvX25FJbqHVMdDER17hUwXDPEW0sjCCisxK66iN6XF0IXRlO66DsqimwGK-dhR5tlpGOUyYEPejmH-zbzGTy7jSymdM4Lr1Ux-iStwXnkfPg7ewTDfKW03GKEiuAngheTbPj05tXGUFkxtFWABuNRpdBg_FQia8jiG0fF5VUBMP2AboFInkBKMS9jhC0xY_lOGebRgdWtVRL3AgMBAAGjggGOMIIBijAOBgNVHQ8BAf8EBAMCAoQwGwYDVR0lBBQwEgYJKwYBBAGCNxUkBgVngQUIAzAWBgNVHSAEDzANMAsGCSsGAQQBgjcVHzASBgNVHRMBAf8ECDAGAQH_AgEAMB0GA1UdDgQWBBRoBOGp9mFOiizLAxydAA6hn_dogzAfBgNVHSMEGDAWgBR6jArOL0hiF-KU0a5VwVLscXSkVjBwBgNVHR8EaTBnMGWgY6Bhhl9odHRwOi8vd3d3Lm1pY3Jvc29mdC5jb20vcGtpb3BzL2NybC9NaWNyb3NvZnQlMjBUUE0lMjBSb290JTIwQ2VydGlmaWNhdGUlMjBBdXRob3JpdHklMjAyMDE0LmNybDB9BggrBgEFBQcBAQRxMG8wbQYIKwYBBQUHMAKGYWh0dHA6Ly93d3cubWljcm9zb2Z0LmNvbS9wa2lvcHMvY2VydHMvTWljcm9zb2Z0JTIwVFBNJTIwUm9vdCUyMENlcnRpZmljYXRlJTIwQXV0aG9yaXR5JTIwMjAxNC5jcnQwDQYJKoZIhvcNAQELBQADggIBAIn2-e6yks9tusjR0XWTZzZDq7H_Il9qy3C8wTuk4D_ZUahpvXlXuU21SMQH6gWOr07AlHV5Flp-LPBRrk7Ray-0gyNIM-Q8GellqBG67f04ReF8xaQYO_ZcgVupcRwhyjuaLgwqjcBvjlw_jXbONLdrgViWUKi3nADu-xsI0Qy5-E_UFbJpa8oj9CfyNMzK-6Uku5B1uj9HdFxWx65dO4IUURp-eUjfjoXdFcuxkNiA39-mLNmyF6IWuZnJzkSqtDM2MMk_WNGEFa3HmcWs8X_ln7pxaGTY7q0ettSD8hz-bOvhr7EG0cJh_fNky8e9tf9UJMnXpP3_PGuYBMxO-a4P-LciisLF3DtveR9T-Ut2oVA4hTjD6aL6sL-rbarfClQLGlJ1JdD7lGlZyXKjU25-VCYLInkjXfNfyWIJX_QtPG5QYIU6m9H2wTFZeTXJ5MrFF7UFWIo3lkPa0zlywXRaW7U4ivV0PAL6mgyK_y1DsPisaD4Wh64h4DDnhxjli6o3WF6oEn2FGgVT2K_LXeK57KnpNWHmfzvftStYTb9mQkJf-s2yih_GSP9AzI0pj-43ZGeZYjDG39PQfXYMcLcfpz_DF41FIVhTfLmm15yaPtLQDvQSvQKjUczG13QH_cGlqhDHVuZrlAVXgych0XaFDtFR2k7LBIzC6_UovXLGZ3B1YkFyZWFYdgAjAAsABAByACCd_8vzbDg65pn7mGjcbcuJ1xU4hL4oA5IsEkFYv60irgAQABAAAwAQACBsTUhywouePhMvxbU9zymNAUYS2NJp3_gYHzV1zw-EGwAgY3g5px8tUzHqsFnhEmEMScFvS57-vvH_haMt5LUNqrRoY2VydEluZm9Yof9UQ0eAFwAiAAuwGNyIXvjlDLNOMMwWZu1k7RVxifo1zBisMyQQ2psrjQAUpTKUiFtQH2XGSBzcFoXEiaKqGC4AAAAANs38ior_OqNg8HUJAVBjq9YNxp3fACIAC_WBvzP7tjA4pJblKmgt3zOaDFC7IynkyPhd-f5hGA4-ACIAC59Wx8z7ydNJKWUEOSERfeb7FaXxsiWdT8ZvUPdExerOaGF1dGhEYXRhWKQH3xy-VWDSlviIV2mnLTJaBNtsINg_01svvRfNwzbM3kUAAAAACJhwWMrcS4G24TDeUNy-lgAgAS2zpcqF6j7z3xTekAzCckR4dD61Gaqar5wRm1eJc-qlAQIDJiABIVggbE1IcsKLnj4TL8W1Pc8pjQFGEtjSad_4GB81dc8PhBsiWCBjeDmnHy1TMeqwWeESYQxJwW9Lnv6-8f-Foy3ktQ2qtA

Attestation object Parsed into JSON representation

{
  "fmt": "tpm",
  "attStmt": {
    "alg": "RS1 (-65535)",
    "sig": "Naw3FmGXKhJHVafA_7rc_1ZfQf1IcDddite7x6viEoltTuZY_4faX5pV4mEtZs6Vi_VpHlbRAMVwym8hTRNOOT73uXzHmFXRLe8vWrSJUPcX-d_TLL6Y-_6M-r-t4XULt0sjBUyiFbEsZCbD6oTSC_Pb7RKCw42t3eUHHGAKTF0uugJwOZ35Pq8ABAlgpQhqHgR1zG9uqha41HZIRWO_atyE5WzvThshZVI9v0f_kJ_cBOd547zDSMnKZ6GLyGZqak8WPVmeG8lIP_AJzA6xe8-TPdWiXcue2a2wHc_fULchnN_I000qK6pouFgYhKGNU09nI3AIdxTP8vz_L0JFyg",
    "x5c": [
      {
        "tbsCertificate": {
          "version": 2,
          "serialNumber": REDACTED SINCE TOO LONG,
          "signature": {
            "algorithm": "1.2.840.113549.1.1.11",
            "parameters": null
          },
          "issuer": [
            [
              {
                "type": "2.5.4.3",
                "value": {
                  "printableString": "EUS-INTC-KEYID-B066D9697F5D3A07B425C10F587CCEECF16FFE58"
                }
              }
            ]
          ],
          "validity": {
            "notBefore": {
              "utcTime": "2023-06-08T09:12:51.000Z"
            },
            "notAfter": {
              "utcTime": "2027-06-03T17:51:05.000Z"
            }
          },
          "subject": [],
          "subjectPublicKeyInfo": {
            "algorithm": {
              "algorithm": "1.2.840.113549.1.1.1",
              "parameters": null
            },
            "subjectPublicKey": REDACTED SINCE TOO LONG
          }
          "extensions": [
            {
              "extnID": "2.5.29.15",
              "critical": true,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.19",
              "critical": true,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.32",
              "critical": true,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.37",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.17",
              "critical": true,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.35",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.14",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "1.3.6.1.5.5.7.1.1",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            }
          ]
        },
        "signatureAlgorithm": {
          "algorithm": "1.2.840.113549.1.1.11",
          "parameters": null
        },
        "signatureValue": REDACTED SINCE TOO LONG
      },
      {
        "tbsCertificate": {
          "version": 2,
          "serialNumber": REDACTED SINCE TOO LONG,
          "signature": {
            "algorithm": "1.2.840.113549.1.1.11",
            "parameters": null
          },
          "issuer": [
            [
              {
                "type": "2.5.4.6",
                "value": {
                  "printableString": "US"
                }
              }
            ],
            [
              {
                "type": "2.5.4.8",
                "value": {
                  "printableString": "Washington"
                }
              }
            ],
            [
              {
                "type": "2.5.4.7",
                "value": {
                  "printableString": "Redmond"
                }
              }
            ],
            [
              {
                "type": "2.5.4.10",
                "value": {
                  "printableString": "Microsoft Corporation"
                }
              }
            ],
            [
              {
                "type": "2.5.4.3",
                "value": {
                  "printableString": "Microsoft TPM Root Certificate Authority 2014"
                }
              }
            ]
          ],
          "validity": {
            "notBefore": {
              "utcTime": "2021-06-03T17:51:05.000Z"
            },
            "notAfter": {
              "utcTime": "2027-06-03T17:51:05.000Z"
            }
          },
          "subject": [
            [
              {
                "type": "2.5.4.3",
                "value": {
                  "printableString": "EUS-INTC-KEYID-B066D9697F5D3A07B425C10F587CCEECF16FFE58"
                }
              }
            ]
          ],
          "subjectPublicKeyInfo": {
            "algorithm": {
              "algorithm": "1.2.840.113549.1.1.1",
              "parameters": null
            },
            "subjectPublicKey": REDACTED SINCE TOO LONG
          },
          "extensions": [
            {
              "extnID": "2.5.29.15",
              "critical": true,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.37",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.32",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.19",
              "critical": true,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.14",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.35",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "2.5.29.31",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            },
            {
              "extnID": "1.3.6.1.5.5.7.1.1",
              "critical": false,
              "extnValue": {
                "buffer": {}
              }
            }
          ]
        },
        "signatureAlgorithm": {
          "algorithm": "1.2.840.113549.1.1.11",
          "parameters": null
        },
        "signatureValue": REDACTED SINCE TOO LONG
      }
    ],
    "ver": "2.0",
    "certInfo": "_1RDR4AXACIAC7AY3Ihe-OUMs04wzBZm7WTtFXGJ-jXMGKwzJBDamyuNABSlMpSIW1AfZcZIHNwWhcSJoqoYLgAAAAA2zfyKiv86o2DwdQkBUGOr1g3Gnd8AIgAL9YG_M_u2MDikluUqaC3fM5oMULsjKeTI-F35_mEYDj4AIgALn1bHzPvJ00kpZQQ5IRF95vsVpfGyJZ1Pxm9Q90TF6s4",
    "pubArea": "ACMACwAEAHIAIJ3_y_NsODrmmfuYaNxty4nXFTiEvigDkiwSQVi_rSKuABAAEAADABAAIGxNSHLCi54-Ey_FtT3PKY0BRhLY0mnf-BgfNXXPD4QbACBjeDmnHy1TMeqwWeESYQxJwW9Lnv6-8f-Foy3ktQ2qtA"
  },
  "authData": {
    "rpIdHash": "B98cvlVg0pb4iFdppy0yWgTbbCDYP9NbL70XzcM2zN4",
    "flags": {
      "userPresent": true,
      "userVerified": true,
      "backupEligible": false,
      "backupStatus": false,
      "attestedData": true,
      "extensionData": false
    },
    "counter": 0,
    "aaguid": "08987058-cadc-4b81-b6e1-30de50dcbe96",
    "credentialID": "AS2zpcqF6j7z3xTekAzCckR4dD61Gaqar5wRm1eJc-o",
    "credentialPublicKey": "pQECAyYgASFYIGxNSHLCi54-Ey_FtT3PKY0BRhLY0mnf-BgfNXXPD4QbIlggY3g5px8tUzHqsFnhEmEMScFvS57-vvH_haMt5LUNqrQ",
    "parsedCredentialPublicKey": {
      "keyType": "EC2 (2)",
      "algorithm": "ES256 (-7)",
      "curve": 1,
      "x": "bE1IcsKLnj4TL8W1Pc8pjQFGEtjSad_4GB81dc8PhBs",
      "y": "Y3g5px8tUzHqsFnhEmEMScFvS57-vvH_haMt5LUNqrQ"
    }
  }
}

I am not familiar with the all procedures required to update the metadata statement in FIDO, so I could be missing something here. I also found out @MasterKale's mention that Windows Hello starting using ES256 here: w3c/webauthn#1757 (comment).

Asking for community help to understand the nature of the issue. I would also appreciate hints of potential mitigation.

MasterKale · 2023-06-09T22:43:26Z

MasterKale
Jun 9, 2023
Maintainer

Hello @WorldThirteen, you've certainly done your research! I agree with you that this is likely ("simply") FIDO MDS metadata for the Windows Hello AAGUID falling out of sync with the reality of Windows' evolution.

If you want to continue to push this forward then I'd say your best bet is to post about this to the fido-dev mailing list and ask when the metadata will get updated to reflect the use of ES256 in Windows:

https://groups.google.com/a/fidoalliance.org/g/fido-dev

I'm happy to ask there on your behalf as well, it just might take me a few days to get to it.

1 reply

rmhrisk Jun 9, 2023

Letting @timcappalli know about this thread as he encountered it also.

Provide feedback

Saved searches

Use saved searches to filter your results more quickly

"Windows Hello" authenticator on Win 11 FIDO Metadata validation alg mismatch issue #393

{{title}}

{{editor}}'s edit

{{editor}}'s edit

Replies: 1 comment 1 reply

{{title}}

{{title}}

Select a reply

"Windows Hello" authenticator on Win 11 FIDO Metadata validation alg mismatch issue #393

WorldThirteen Jun 9, 2023

Brief story

After a brief investigation there is the following information:

Additional data:

Replies: 1 comment · 1 reply

MasterKale Jun 9, 2023 Maintainer

rmhrisk Jun 9, 2023

WorldThirteen
Jun 9, 2023

Replies: 1 comment 1 reply

MasterKale
Jun 9, 2023
Maintainer