fido_dev_is_fido2 on Windows Hello Pseudo-Device

[ohnowade]

Hi there,

We are currently trying to use libfido2 on Windows. We do not require users to have administrator access so the library was built with USE_WINHELLO=ON. We recently ran into a problem, in which when calling fido_dev_is_fido2 on the devices, it seemed to always return true.

I know that libfido2 abstracts webauthn.dll into a windows://hello pseudo-device, so some APIs to access information of the devices, like fido_dev_is_fido2, might not work appropriately? But please correct me if I am wrong and if I am not calling this API correctly.

Also, if the above guess is true, is there any other recommended API (or workaround) to decide if a device is FIDO2 or U2F? We want to set the correct RPID if a device was registered with U2F (blind retry is the only solution on top of my head now).

Thank you so much!

[LDVG]

Hi,

Yes, the return value of fido_dev_is_fido2() will always be true on the windows://hello pseudo-device since there's no webauthn.dll API to query or select authenticators programatically.

Also, if the above guess is true, is there any other recommended API (or workaround) to decide if a device is FIDO2 or U2F? We want to set the correct RPID if a device was registered with U2F (blind retry is the only solution on top of my head now).

Are you looking for fido_assert_set_winhello_appid() (which will be part of the next libfido2 release, see also #689)?

[ohnowade]

Hi, I think that is exactly what I was looking for. Thank you! Is there an estimated release date for it at the moment?

[LDVG]

Please refer to #737 🙂

[LDVG]

Hi again @ohnowade, 1.14.0 was released 2023-11-13. 🙂

[ohnowade]

Sorry for missing the previous message. Thank you so much for the update!