FIDO Alliance certification

Hi,

I can find OnlyKey in the FIDO Alliance database and there is also [1], but I am unable to find it in the FIDO Alliance Metadata Service (MDS) blob [2]. After decoding the JWT blob (No. 21 from November 2022) I am unable to find any record related to OnlyKey or CryptoTrust or certificate No. FIDO20020220330001. This is bad because I will probably be unable to use the OnlyKey for authentication with local government services. Why is there no record in the metadata blob?

[1] OnlyKey Achieves FIDO2 Certification - CryptoTrust
[2] https://mds.fidoalliance.org/

1 Like

@yarda Thanks for reporting this. I contacted the FIDO Alliance about this and have verified that the metadata is now in the new MDS site. Please let me know if you have any other issues with this.

Hi All,

I have a similar problem, key is not accepted due to being unknown / not L1 certified.

MDS explorer site [1] shows that OnlyKey appeared on the list on 2023-JAN-11 as “OnlyKey Secp256R1 FIDO2 CTAP2 Authenticator”. However, it is specified with the wrong AAGUID. OnlyKey itself, when queried via [2] (attestation=direct), shows a different one.

MDS explorer: AAGUID “998f358b-2dd2-4cbe-a43a-e8107438dfb3”
WebAuthn debugger: AAGUID “79d699df-0191-4b10-b903-5467e7ce8231”

[1] https://opotonniee.github.io/fido-mds-explorer
[2] https://webauthn.me/debugger

If you purchased an OnlyKey prior to its certification in May 2022, it is not FIDO2 certified. Only devices purchased after that time are FIDO2 certified and have the AAGUID “998f358b-2dd2-4cbe-a43a-e8107438dfb3”.

Hi,
I have a similar problem. A new OnlyKey Duo (bought this month) is not recognized as L1. I loaded the new firmware 3_0_4_STD and the debugger said that the AAGUID is all zeros, “00000000-0000-0000-0000-000000000000”.

Please let me know any suggestions.

@lokiu Can you give some more information on what debugger you are referring to? Also what application you are having issues with?

@t11 Of course. I used debugger [1]. I ran more tests today, and when I changed Attestation to Direct or Indirect the AAGUID was correct (998f358b-2dd2-4cbe-a43a-e8107438dfb3). When using Attestation None or Enterprise the AAGUID is zero.
The problem is with registration at [2], which is our government site. Registration at the L1 certification level ends with an error that this key is not L1. I wrote to the admins of the site and I will add their comment.

[1] https://webauthn.me/debugger
[2] https://www.mojeid.cz/

1 Like

@lokiu This didn’t work for me in Firefox (because AFAIK Firefox doesn’t have full support yet), I had to use Chrome for my key to be recognized as L1.

@yarda I was trying Chrome (109.0.5414.120) on Win10. In Edge it didn't work either.

1 Like

Just chiming in here, we would really like to see L2 certification too. I made a separate thread for this recently.

1 Like

According to the reply from mojeid.cz tech support, the OnlyKey Duo replies with data not corresponding to the certification. As a detail, I was told that the key has SKI c16ddb03c0de975740f696d94817bde125cbb4a4.

Is there any more information you could provide? I am not sure what SKI refers to; generally the key sends an AAGUID and a certificate. You can view the certification information here: FIDO MDS Explorer

I only got the SKI information. But now I have extracted the certificate, and SKI is probably the Subject Key Identifier. The value is the same as the one from mojeid.cz. The SKI is a hash of the current certificate’s public key.
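The three mechanics this thread keeps running into (decoding the MDS JWT blob, the AAGUID coming back as all zeros when a site registers with attestation "none", and a relying party matching a key by the attestation certificate's Subject Key Identifier instead of by AAGUID) fit in one small relying-party-side check. The code below is an added example written for this thread; it is not code from OnlyKey, CryptoTrust, mojeid.cz or the FIDO Alliance. It parses the fixed WebAuthn authenticatorData layout to get the AAGUID, then looks the key up in an MDS3-shaped payload either by `aaguid` (FIDO2/CTAP2 entries) or by `attestationCertificateKeyIdentifiers` (the SHA-1 SKI of the attestation certificate, which is how U2F-era entries are keyed and why a zeroed AAGUID does not have to end the lookup). Everything in the fixture is constructed: the two AAGUIDs are the ones quoted in the thread, but the dates, the placeholder SKI, the `example.org` RP ID and the JWS signature are made up, and the signature is deliberately not verified; a real relying party must verify the blob's JWS chain up to the FIDO Alliance root before trusting any entry.

```python
"""Check a WebAuthn registration against a FIDO MDS3 blob (constructed fixture)."""
import base64
import hashlib
import json
import struct
import uuid
from typing import Optional

ZERO_AAGUID = uuid.UUID(int=0)  # what the client returns for attestation="none"


def b64url_encode(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def decode_mds_payload(blob_jwt: str) -> dict:
    """JSON payload of the compact JWS. The signature is NOT verified here."""
    _header, payload, _signature = blob_jwt.split(".")
    return json.loads(b64url_decode(payload))


def parse_auth_data(auth_data: bytes) -> dict:
    """Parse authenticatorData: rpIdHash(32) | flags(1) | signCount(4) | attestedCredentialData."""
    flags = auth_data[32]
    result = {"flags": flags, "sign_count": struct.unpack(">I", auth_data[33:37])[0],
              "aaguid": None, "credential_id": None}
    if flags & 0x40:  # AT flag set: AAGUID(16) | credIdLen(2) | credId | COSE key
        result["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        result["credential_id"] = auth_data[55:55 + cred_len]
    return result


def find_mds_entry(mds: dict, aaguid: Optional[uuid.UUID], ski_hex: Optional[str]):
    """Match an entry by AAGUID (FIDO2) or by attestation cert key identifier (U2F)."""
    for entry in mds.get("entries", []):
        if aaguid and aaguid != ZERO_AAGUID and entry.get("aaguid") \
                and uuid.UUID(entry["aaguid"]) == aaguid:
            return entry
        if ski_hex and ski_hex.lower() in (
                k.lower() for k in entry.get("attestationCertificateKeyIdentifiers", [])):
            return entry
    return None


def latest_status(entry: dict) -> str:
    """Status string of the most recent statusReport, e.g. FIDO_CERTIFIED_L1."""
    reports = sorted(entry.get("statusReports", []), key=lambda r: r.get("effectiveDate", ""))
    return reports[-1]["status"] if reports else "NOT_FIDO_CERTIFIED"


def check_registration(mds: dict, auth_data: bytes, ski_hex: Optional[str] = None) -> str:
    """Why an RP that requires a certification level accepts or rejects this key."""
    parsed = parse_auth_data(auth_data)
    if parsed["aaguid"] is None:
        return "no attested credential data"
    if parsed["aaguid"] == ZERO_AAGUID and ski_hex is None:
        # attestation="none": the client zeroes the AAGUID, so no MDS match is
        # possible; the site must request attestation="direct" (or match by SKI).
        return "aaguid zeroed (attestation none); MDS lookup impossible"
    entry = find_mds_entry(mds, parsed["aaguid"], ski_hex)
    return "not in MDS" if entry is None else latest_status(entry)


def make_auth_data(aaguid: uuid.UUID, credential_id: bytes) -> bytes:
    """Constructed authenticatorData for the example (COSE key omitted, not needed here)."""
    rp_id_hash = hashlib.sha256(b"example.org").digest()  # constructed RP ID
    flags = 0x41  # UP (user present) + AT (attested credential data present)
    return (rp_id_hash + bytes([flags]) + struct.pack(">I", 1) + aaguid.bytes
            + struct.pack(">H", len(credential_id)) + credential_id)


# Constructed MDS3-shaped blob; AAGUIDs are the two quoted in the thread, the
# rest (dates, SKI, signature) are placeholders.
CERTIFIED_AAGUID = uuid.UUID("998f358b-2dd2-4cbe-a43a-e8107438dfb3")
OLD_AAGUID = uuid.UUID("79d699df-0191-4b10-b903-5467e7ce8231")
PLACEHOLDER_SKI = "00" * 20  # hex of a 20-byte SHA-1 Subject Key Identifier
SAMPLE_PAYLOAD = {"no": 1, "nextUpdate": "2000-01-01", "entries": [
    {"aaguid": str(CERTIFIED_AAGUID),
     "metadataStatement": {"description": "OnlyKey Secp256R1 FIDO2 CTAP2 Authenticator"},
     "statusReports": [{"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2000-01-01"}]},
    {"attestationCertificateKeyIdentifiers": [PLACEHOLDER_SKI],
     "metadataStatement": {"description": "constructed U2F-style entry"},
     "statusReports": [{"status": "FIDO_CERTIFIED", "effectiveDate": "2000-01-01"}]},
]}
SAMPLE_BLOB = ".".join([
    b64url_encode(json.dumps({"alg": "ES256", "typ": "JWT"}).encode()),
    b64url_encode(json.dumps(SAMPLE_PAYLOAD).encode()),
    b64url_encode(b"placeholder-not-a-real-signature"),
])

if __name__ == "__main__":
    mds = decode_mds_payload(SAMPLE_BLOB)
    cred = b"\x01" * 32
    for label, aaguid in [("certified", CERTIFIED_AAGUID), ("pre-cert", OLD_AAGUID), ("none", ZERO_AAGUID)]:
        print(label, "->", check_registration(mds, make_auth_data(aaguid, cred)))
    print("u2f by SKI ->", check_registration(mds, make_auth_data(ZERO_AAGUID, cred), PLACEHOLDER_SKI))
```

Run stand-alone it prints one line per case: the certified AAGUID resolves to its L1 status, the pre-certification AAGUID is simply absent from the blob, attestation "none" yields a zeroed AAGUID that cannot be looked up at all, and a zeroed AAGUID with a known SKI still resolves through `attestationCertificateKeyIdentifiers`. Against the real blob, replace `SAMPLE_BLOB` with the downloaded JWT and add JWS verification before `decode_mds_payload`; entries also carry `timeOfLastStatusChange` and a full `metadataStatement`, which the fixture trims.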

Is there a reason that the OnlyKey hasn't been added to the list of Microsoft certified security keys? It sounds like the FIDO2 certification was done in May of 2022. It sounds like in order to enable "enforce attestation" for security keys in Azure AD, it has to be a Microsoft-certified device as well as FIDO2 certified; does anyone know if that is true?