I'm studying FIDO2 these days. I have three questions.

  1. In the registration process, what is the extension field?
     • purpose, usages
  2. What does user verification mean? I think that user verification is local verification, for example a fingerprint on a mobile device. Why do I need to set this (required, preferred, discouraged)? Also, what is the attestation conveyance preference?
  3. I understood that CTAP is a protocol between an external authenticator and a browser. How can I send data from the authenticator to the browser?
Hammmmaaa

1 Answer

  1. Extensions are non-mandatory, weakly processed functionality. Lack of them won't affect the actual FIDO protocol, and their presence will just enhance it. The extension field contains a map of requested extensions. For example, a relying party might want to store some data with the authenticator (you can do that in CTAP2.1). The RP then sets extensions.credBlob to the required value. The platform will forward the extension to the device, which will process it and store the data with the credential.

  2. FIDO devices can be UV capable (biometrics, PIN, etc.) or second-factor only (legacy U2F devices, or TUP-only FIDO2 devices).

In this situation:

  • "Required" would cause the command to fail if the device is not capable of verifying the user.

  • "Preferred" would ask for UV when it's available, but still allow non-UV devices.

  • "Discouraged" would ask UV devices to skip user verification, thus simplifying the user experience.

  3. CTAP protocols (CTAP1 is raw-message U2F, CTAP2 is the FIDO2 CBOR-based protocol) are HID/NFC/BLE-based protocols. If you want to play with that, I suggest taking a look at virtual HID emulation like it is done in this project: https://github.com/concise/v2f-nodejs-linux
Ackermann Yuriy
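An added example, not code from the answer or its author: it models how a platform resolves the three userVerification settings against what an authenticator can do, and shows where the credBlob extension and the attestation conveyance preference sit in the WebAuthn registration options. The authenticator capability table, the rp/user values and the blob are constructed sample data.

```javascript
// Added example (not the answer's code). Constructed authenticator models:
// uvCapable = has biometrics/PIN; otherwise the device can only test user
// presence (TUP), like a legacy U2F key.
const AUTHENTICATORS = {
  pinProtectedKey: { uvCapable: true, credBlob: true },
  legacyU2FKey:    { uvCapable: false, credBlob: false },
};

// Decide, for one userVerification requirement and one device, whether the
// ceremony proceeds and whether UV is requested from the authenticator.
function resolveUserVerification(requirement, device) {
  switch (requirement) {
    case 'required':    // fail when the device cannot verify the user
      return device.uvCapable
        ? { proceed: true, requestUv: true }
        : { proceed: false, requestUv: false, reason: 'device cannot verify user' };
    case 'preferred':   // use UV when available, still accept TUP-only devices
      return { proceed: true, requestUv: device.uvCapable };
    case 'discouraged': // ask UV-capable devices to skip UV for a simpler flow
      return { proceed: true, requestUv: false };
    default:
      throw new TypeError(`unknown userVerification value: ${requirement}`);
  }
}

// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// rp/user values are placeholders; the challenge must come from the RP server.
// credBlob (CTAP2.1) is passed as bytes inside the extensions map.
function buildCreationOptions({ userVerification, attestation, challenge, blob }) {
  const extensions = {};
  if (blob !== undefined) extensions.credBlob = new TextEncoder().encode(blob);
  return {
    rp: { id: 'example.test', name: 'Example RP' },
    user: { id: new TextEncoder().encode('user-1234'), name: 'alice', displayName: 'Alice' },
    challenge,
    pubKeyCredParams: [{ type: 'public-key', alg: -7 }], // ES256
    authenticatorSelection: { userVerification },          // 'required' | 'preferred' | 'discouraged'
    attestation,             // attestation conveyance: 'none' | 'indirect' | 'direct' | 'enterprise'
    extensions,
  };
}
```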