Not sure if this is going to be a [Question] or a [Bug], but here's what I found:
I went to "My Account" -> "Manage Security Keys" -> "Add Key" and noticed I could add my 2016 MacBook Pro's TouchID as a key. I completed this successfully.
After clearing my cookies (for existing 2FA mechanisms) and logging back in, I entered my username and password, then selected "Use Security Key", which prompts me to insert my security key and touch it. Since this is built-in hardware and not a USB key, I cannot complete this task by touching the TouchID panel.
It seems like the "Add Key", which offers Bluetooth, USB, (and in the case of my MacBook Pro with Touch ID) a "Built-in sensor", and the login page's "Use Security Key" prompt for different mechanisms.
So, is this a supported use of a security key with TouchID, or is there an implementation issue with this type of login where MeshCentral is requesting a certain type of key (e.g. USB in this case) instead of giving me the appropriate options (if I have multiple security keys defined) or only a single option (in this case of TouchID)?
Thank you as always!
This is interesting. I have not tried TouchID on macOS, but I am guessing it should work. I am back from vacation tomorrow evening and will look into this in the coming weeks. I will need to find myself some TouchID hardware.
In poking around, if I remove the transports key and its data, I can successfully log in with TouchID.
login.handlebars line 356:
{ id: Uint8Array.from(atob(hardwareKeyChallenge.keyIds[i]), function (c) { return c.charCodeAt(0) }), type: 'public-key', transports: ['usb', 'ble', 'nfc'], }
Presumably that limits the available transports, but I can't find the list of acceptable values. I'm assuming removing it allows "all" transports which is why it works when removed.
Should make tracking it down a bit easier, or if you don't need the transports limitation and it can be removed, a quick fix! Otherwise feel free to point me to the docs on that transport var and I'll be glad to test on my end and submit a PR.
Actually, I found it on MDN via the publicKeyCredentialRequestOptions call. It looks like the "internal" option was missing.
Please see pull request #971 for the fix!
Thank you so much for this fix, makes sense that would be the problem. I am back from vacation tomorrow and will publish this as soon as I can.
Just published MeshCentral v0.4.9-l with this fix. I also made the same fix on the mobile web site. Let me know if it works.
Actually that didn't work. I found a second place where the 'internal' parameter was added.
The pitfalls of not being able to test the committed changes (locally) on a remote server because I needed a valid cert to test, then copied the changes to my local for git!
Submitted PR #980 to fix.
Thanks, made the same change on the mobile web site side and published as MeshCentral v0.4.9-m. This version of MeshCentral also has all new MeshAgents on all platforms.
I am, apparently, a schmuck. I typo'd internal to "interal" in #980.
My apologies, I've been light-headed for a day and it is apparently affecting my cognitive functions.
100% ok, I do this all the time. Your fix is very much appreciated.
Published MeshCentral v0.4.9-n with your new fix.
Perfect, working as expected. Thank you!
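The transports problem worked through in this thread, as an added example that is not MeshCentral's code and not part of any comment above: it builds the `allowCredentials` list for a login request and rejects a misspelled transport such as "interal" instead of sending it to the browser. The function names and the `{ id, transports }` record shape are assumptions; the transport names are the `AuthenticatorTransport` values documented on MDN.

```javascript
// Added example, not MeshCentral code. Transport names per the WebAuthn
// AuthenticatorTransport enumeration as documented on MDN.
const KNOWN_TRANSPORTS = new Set(['usb', 'nfc', 'ble', 'internal', 'hybrid']);

// Decode a base64 credential id into bytes (same approach as the
// login.handlebars line quoted in the thread).
function b64ToBytes(b64) {
  const bin = typeof atob === 'function'
    ? atob(b64)
    : Buffer.from(b64, 'base64').toString('binary');
  return Uint8Array.from(bin, function (c) { return c.charCodeAt(0); });
}

// Reject anything that is not a known transport name, so that a typo
// fails loudly here rather than being passed along unnoticed.
function checkTransports(transports) {
  if (transports === undefined) return undefined; // no list given
  if (!Array.isArray(transports)) throw new TypeError('transports must be an array');
  const unknown = transports.filter(function (t) { return !KNOWN_TRANSPORTS.has(t); });
  if (unknown.length > 0) {
    throw new Error('Unknown WebAuthn transport(s): ' + unknown.join(', '));
  }
  return transports.slice();
}

// Hypothetical helper: `keys` is a list of { id: <base64>, transports?: [...] }.
// The result is suitable for publicKey.allowCredentials in
// navigator.credentials.get().
function buildAllowCredentials(keys) {
  return keys.map(function (k) {
    const descriptor = { id: b64ToBytes(k.id), type: 'public-key' };
    const transports = checkTransports(k.transports);
    if (transports !== undefined) descriptor.transports = transports;
    return descriptor;
  });
}

// Mirrors what the thread observed: the built-in sensor was usable when the
// transports key was removed, or when the list named 'internal'.
function allowsBuiltInSensor(descriptors) {
  return descriptors.some(function (d) {
    return d.transports === undefined || d.transports.includes('internal');
  });
}
```

Running `allowsBuiltInSensor` over the generated list in a unit test catches a login page that registers platform keys but cannot request them.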