Excellent! Glad things worked out. Don't need to thank me - the actual work was done by colleagues in identifying the problem - I just did the communication work. Have a good weekend.
Desmond, Here is the problem. Of the 332 entries in the FIDO Alliance Metadata Services (MDS), the entry corresponding to the attestation certificate of OneSpan's authenticator is the ONLY one that has an invalid character in it: AAGUID: 30b5035e-d297-4ff1-b00b-addc96ba6a98 contains : YES ...
We will look into this, Desmond. We have also contacted OneSpan to get some of their Security Keys so we can test them in-house. Hopefully, we can figure out the issue from our server logs even before their Authenticators arrive. We'll get back to you as soon as we learn something. Thanks for testing it out with our demos and FIDO Server. On 2/25/25 6:29 PM, Desmond wrote: Hi Arshad, thanks for your quick reply. Below is the link of the product I tested. It is fido2 certified. OneSpan does have a...
Is it a FIDO Alliance certified Security Key, Desmond? Can you send a link to the product on their website? I'm not sure how many models they have. When you go into Developer mode on the browser and trace Network calls, what are you seeing when you try to register a credential with the Security Key? Also, which application on our website are you testing with, and what username did you use? We can look at the logs of our FIDO server and see if we can find anything. On 2/25/25 2:21 AM, Desmond wrote:...
We are working on resolving the “android:apk-key-hash:base64” issue. Please note that it is NOT a WebAuthn Level-2 or Level-3 standard for FIDO2. It is a Google feature - there is no mention of it anywhere in https://www.w3.org/TR/webauthn-2/ or the Level-3 DRAFT: https://w3c.github.io/webauthn/. As such, it is not implemented in SKFS yet. We are looking at the possibility of implementing it for an early 2025 release - but it will help if you can ascertain that such Google proprietary capabilities...
I will let FIDO Alliance respond to questions regarding certification - ultimately, they are the authoritative source of information in that regard. WRT "Is the Server (Functional) Certification sufficient to meet all server functionalities?", the simple answer is "NO"! FIDO2 is an extraordinarily complex protocol/API. It is made much more complex than TLS ClientAuthentication (enabled by PKI) because just 2-3 trillion $ companies are driving the web standards rather than a group of objective people....
Fabio, Some questions for you: 1) From your message, I am assuming you have built and are using an Android app for the registration and authentication process, rather than a desktop with a browser - is that correct? 2) If you are using an Android app, can you please provide more specifics: a) Which version of Android? b) Which API level are you targeting for the baseline? c) Which mobile device and model number are you testing with? d) Are you using the WebView component for FIDO registration and...