使用通行证进行无人值守执行。

huangapple go评论61阅读模式
英文:

Using a passkey for unattended execution

问题

我相当肯定这是不可能的,但我要向大家请教一下。寻求实施一个基于标准的安全虚拟机凭据,以供 Web 应用程序使用,并且可以自动化。我知道这是一个很大的要求。

一个可能性是使用 Windows Hello - 但是自动化它很困难,因为它在连接到具有 RDP 的计算机时不允许使用 - 这是大多数 RPA 解决方案提供商用于创建会话的方法。如果您能让它正常工作,那么它可以被验证为平台验证器。

可以在与消费应用程序不同的设备上创建通行证。然而,据我了解,用户存在检查(例如 BLE 或 OOB 检查)是 必需的,以确保用户存在,或者用户已经批准使用便携式密钥。

是否存在任何可能的情况,其中可以在不需要用户与另一个设备(而不是 Windows Hello 等平台验证器)进行交互的情况下,使用通行证凭据(或其他 WebAuthn 凭据)来使用 Web 凭据 API?

英文:

I'm pretty sure this isn't possible, but I'm going to ask the hive mind.
Looking to implement a standards based secure virtual machine credential to use from web based applications that can be automated. I know, a lot to ask

One possibility is Windows Hello - however automating that is hard as it is not allowed to be used whilst connecting to a machine with RDP - this is used by most RPA solution providers for creating sessions. If you can get it working, then it can be authenticated as a platform authenticator.

Passkeys can be created on a different device to the consuming application. However, as I understand it, the user presence check (e.g. BLE or OOB check) is required to ensure that either the user is present, or that the user has approved use of the portable key.

Is there any possible scenario where a passkey credential (or other webauthn credential) can be used by the web credential APIs without user interaction on a separate device (other than a platform authenticator such as Windows Hello)

答案1

得分: 1

安全密钥使用的协议(CTAP)允许通过将请求中的“up”(用户存在)标志设置为false来请求无声签名(*)。然而,在WebAuthn级别,从未暴露这种能力。因此,如果您可以直接与安全密钥进行CTAP通信,那么可以实现,但无法通过浏览器实现。

您可以使用具有本机消息传递的浏览器扩展与本地进程通信,该进程可以要么通过CTAP与安全密钥通信,要么本地存储密钥(例如,在TPM中)。

(*) 一些安全密钥启用了“alwaysuv”功能,这种情况下将无法使用该方法,但这只是少数安全密钥中的一部分。

英文:

The protocol that security keys speak (CTAP) permits silent signatures to be requested by setting the up (user presence) flag to false in the request(*). However, this ability is never exposed at the WebAuthn level. So, if you can speak CTAP directly to the security key, you can do it, but you can't do it via browsers.

You could use a browser extension with native messaging to communicate with a local process that either speaks CTAP to a security key, or stores a key locally (e.g. in a TPM).

(*) Some security keys have the alwaysuv feature enabled, in which case that won't work, but that's a minority of security keys.

huangapple
  • 本文由 发表于 2023年6月26日 23:45:45
  • 转载请务必保留本文链接:https://go.coder-hub.com/76558257.html
匿名

发表评论

匿名网友

:?: :razz: :sad: :evil: :!: :smile: :oops: :grin: :eek: :shock: :???: :cool: :lol: :mad: :twisted: :roll: :wink: :idea: :arrow: :neutral: :cry: :mrgreen:

确定