There are several FIDO2 devices by Nitrokey. The oldest one was a standalone FIDO2 only device and got superseded by a Nitrokey 3 variant with FIDO2 only capabilities. And then there is a regular Nitrokey 3.
Update is also possible for Nitrokey 3 FIDO2 application but it is part of the regular Nitrokey 3 firmware update.
Most important nitropy fido2 commands are related to the management of resident keys. You can individually delete a resident key without factory reset of the whole device.
You can generate random bytes from the physical random number generator.
And you can also use the FIDO2-HMAC extension for challenge responses. This can be used to sign data with your FIDO2 key or to derive a password for services you use. This also gets used on Linux for systemd-cryptenroll to bind a LUKS encrypted disk to your FIDO2 key.
nitropy fido2 make-credential --resident-key required --user-verification discouraged
nitropy fido2 challenge-response a300582e14a57719c73396f3d7fbdcf9e7cfd84041aeab270e568b340486e0ce767bcf47c26e739fde58cd1429e3f6b2272b014cc6c4239db3e24c5a7d04c08a0250b09b61a485ac54120c90784fb279c901 support.nitrokey.com
Command line tool to interact with Nitrokey devices 0.4.47
Touch your authenticator to generate a response...
Touch your authenticator device now...
6becef6a607f010e7e2a1d2ed3b1c8428fec236aeb17b7f4adc5b244b2808cec
So why there is the update command option? and why I have fido version 0.64.1 and the latest is 2?
For me as a regular non crypto freak user (with basic understanding of linux and software) this option gave me the impression of “My software is out of date and, because nk is a crypto device , is at high risk of usafe to use”
It would be nice if there was more documentation about the options and how to use them and which are usable and which is not usable.
Where did you get your knowhow from?
Can you please post details about your
HMAC code you provided?
E.G. Where is this Hash from the challenge-response from?
Finally are there some more usefull web adresses I can find some information about handling FIDO2 related things?
I 'duckduckgo’ed a little bit but maybe you have some more handy stuff.
The best way for me to understand something is to see a picture about the problem I don’t understand.
Best
T.
FIDO2 is a protocol version supported by multiple Nitrokeys.
The firmware updates come with a change list, and I recommend reviewing it to see if an update is necessary. Updating is not always required, especially if you do not use all the features.
To stay informed, you need to read extensively. I educate myself on use cases, problems people encounter in the field, and I study the code or standards. I also compare how different vendors address these issues with their products.
The HMAC function uses certain FIDO2 protocol details, allowing you to specify a salt value for the token to calculate a hash. This enables the derivation of a password linked to a FIDO2 credential. This can be done as a shared secret between a server and a token or totally bound to the token.
