Handle FIDO BLE devices that do not require PIN pairing

Issue description

The current implementation assumes all BLE security keys use PINs for pairing. We should check the service data bit that represents whether BLE security keys use Passkey/Pincode for pairing and skip pairing if it's not needed. CTAP spec: 'To help clients show the correct UX, authenticators can use the Service Data field to specify whether or not authenticators will require a Passkey (PIN) during pairing'
Jan 15
Note: we have an instance of a vendor that is affected by this.
Jan 17
(5 days ago)
Guidance from Jun:
1) We need to know whether BLE security keys support the pin-less pairing protocol. In order to do so, we need to parse the BLE service data bit [1], thus I believe FidoBleConnection or FidoBleDevice would be the place to start. Please look for the implementation of FidoBleDevice::IsInPairingMode() for reference, as the specifications are similar.
2) Next, we would need to plumb this information to the UI layer. Perhaps as a part of AuthenticatorReference.
3) For devices that implement the pin-less pairing protocol, we should implement FidoBlePairingDelegate::AuthorizePairing()
- Right now, we simply ignore this request
4) Lastly, once everything is implemented, we should call the FidoBlePairingDelegate::AuthorizePairing() function in the chrome UI layer and NOT proceed to the PIN UI when we receive a pairing request from a device that supports the pin-less pairing protocol.
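The service data check from step 1 of the guidance above, as an added example that is not part of the original issue and is not Chromium's code. It goes a step further than the issue by walking a raw advertising payload with bounds checks; all names are hypothetical, and the constants (AD type 0x16, FIDO service UUID 0xFFFD, flag bit 7 for pairing mode and bit 6 for Passkey Entry) are taken from the CTAP BLE advertising section and the Bluetooth assigned numbers.

```cpp
#include <cstddef>
#include <cstdint>
#include <cstdio>
#include <optional>
#include <vector>

// Hypothetical names; values follow the CTAP BLE advertising section.
constexpr uint8_t kAdTypeServiceData16 = 0x16;  // Service Data, 16-bit UUID
constexpr uint16_t kFidoServiceUuid = 0xFFFD;
constexpr uint8_t kFlagPairingMode = 0x80;      // bit 7
constexpr uint8_t kFlagPasskeyEntry = 0x40;     // bit 6

struct FidoServiceData {
  bool in_pairing_mode;
  bool requires_passkey;
};

// Walks the length-prefixed AD structures of an advertising payload and
// returns the FIDO flags, or nullopt if they are absent or malformed.
std::optional<FidoServiceData> ParseFidoServiceData(
    const std::vector<uint8_t>& adv) {
  size_t i = 0;
  while (i < adv.size()) {
    const size_t len = adv[i];  // counts the type byte plus the data bytes
    if (len == 0) break;        // zero length: padding, nothing follows
    if (len > adv.size() - i - 1) return std::nullopt;  // truncated structure
    // FIDO service data: type, UUID (little-endian), at least one flags byte.
    if (adv[i + 1] == kAdTypeServiceData16 && len >= 4) {
      const uint16_t uuid =
          static_cast<uint16_t>(adv[i + 2] | (adv[i + 3] << 8));
      if (uuid == kFidoServiceUuid) {
        const uint8_t flags = adv[i + 4];
        return FidoServiceData{(flags & kFlagPairingMode) != 0,
                               (flags & kFlagPasskeyEntry) != 0};
      }
    }
    i += len + 1;
  }
  return std::nullopt;
}

int main() {
  // Constructed sample: Flags AD, then FIDO service data with only bit 7 set.
  const std::vector<uint8_t> adv = {0x02, 0x01, 0x06, 0x04,
                                    0x16, 0xFD, 0xFF, 0x80};
  const auto sd = ParseFidoServiceData(adv);
  std::printf("pairing=%d passkey=%d\n", sd && sd->in_pairing_mode,
              sd && sd->requires_passkey);
  return 0;
}
```

A `nullopt` result means the advertisement carried no usable FIDO service data, so the caller has to choose a default; the issue describes the current default as assuming a PIN.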
Comment 1 by kpaulhamus@chromium.org, Jan 10