From d3067bcfda20fb9fe3abfaa6118e6b01860a643e Mon Sep 17 00:00:00 2001 From: Sebastian <> Date: Sun, 22 Jan 2023 15:50:15 +0100 Subject: [PATCH 1/5] feat: add fido2 pin --- src/pins/fido2/clevis-decrypt-fido2 | 80 +++++++++++++++ src/pins/fido2/clevis-encrypt-fido2 | 111 +++++++++++++++++++++ src/pins/fido2/clevis-encrypt-fido2.1.adoc | 85 ++++++++++++++++ 3 files changed, 276 insertions(+) create mode 100755 src/pins/fido2/clevis-decrypt-fido2 create mode 100755 src/pins/fido2/clevis-encrypt-fido2 create mode 100644 src/pins/fido2/clevis-encrypt-fido2.1.adoc diff --git a/src/pins/fido2/clevis-decrypt-fido2 b/src/pins/fido2/clevis-decrypt-fido2 new file mode 100755 index 00000000..39557926 --- /dev/null +++ b/src/pins/fido2/clevis-decrypt-fido2 @@ -0,0 +1,80 @@ +#!/bin/bash + +# Copyright (c) 2023 Sebastian Kussl +# Author: Sebastian Kussl +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +set -eu + +read -d . hdr64 +if ! hdr="$(jose fmt --quote="$hdr64" --string --b64load --object --output=-)" ; then + echo 'JWE header corrupt' >&2 + exit 1 +fi +if [ "$(jose fmt --json="$hdr" --get clevis --get pin --unquote=-)" != 'fido2' ] ; then + echo 'JWE pin mismatch!' >&2 + exit 1 +fi +if ! hmac_salt="$(jose fmt --json="$hdr" --get clevis --get fido2 --get hmac_salt --unquote=-)" ; then + echo 'JWE missing 'hmac_salt' header parameter!' >&2 + exit 1 +fi + +if ! rp_id="$(jose fmt --json="$hdr" --get clevis --get fido2 --get rp_id --unquote=-)" ; then + echo 'JWE missing 'rp_id' header parameter!' >&2 + exit 1 +fi +if ! cred_id="$(jose fmt --json="$hdr" --get clevis --get fido2 --get cred_id --unquote=-)" ; then + echo 'JWE missing 'cred_id' header parameter!' >&2 + exit 1 +fi +if ! uv="$(jose fmt --json="$hdr" --get clevis --get fido2 --get uv --unquote=-)" ; then + echo 'JWE missing 'uv' header parameter!' >&2 + exit 1 +fi +if ! up="$(jose fmt --json="$hdr" --get clevis --get fido2 --get up --unquote=-)" ; then + echo 'JWE missing 'up' header parameter!' >&2 + exit 1 +fi +if ! pin="$(jose fmt --json="$hdr" --get clevis --get fido2 --get pin --unquote=-)" ; then + echo 'JWE missing 'pin' header parameter!' >&2 + exit 1 +fi + +fido2_tokens="$(fido2-token -L)" + +if [ -z "${fido2_tokens}" ]; then + echo "Please insert your FIDO2 token." >&2 + exit 1 +fi + +num_tokens="$(echo "${fido2_tokens}" | wc -l)" +if ((num_tokens > 1)); then + echo "Warning: There are multiple tokens. Will use the first one." >&2 +fi + +fido2_token="$(echo "${fido2_tokens}" | head -n1 | cut -d':' -f1)" + +client_hash="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)" + +hmac="$(printf '%s\n%s\n%s\n%s\n' "${client_hash}" "${rp_id}" "${cred_id}" "${hmac_salt}" | \ + fido2-assert -G -t "uv=${uv}" -t "up=${up}" -t "pin=${pin}" -h "${fido2_token}" | \ + head -n5 | tail -n1 | jose b64 enc -I -)" + +# use the secret in a key wrapping key +jwk='{"alg":"PBES2-HS512+A256KW", "kty":"oct"}' +jwk="$(jose fmt -j "${jwk}" -q "${hmac}" -s k -Uo-)" + +( printf '%s' "$jwk$hdr64." ; cat ) | exec jose jwe dec --key=- --input=- diff --git a/src/pins/fido2/clevis-encrypt-fido2 b/src/pins/fido2/clevis-encrypt-fido2 new file mode 100755 index 00000000..0779eed3 --- /dev/null +++ b/src/pins/fido2/clevis-encrypt-fido2 @@ -0,0 +1,111 @@ +#!/bin/bash + +# Copyright (c) 2023 Sebastian Kussl +# Author: Sebastian Kussl +# +# This program is free software: you can redistribute it and/or modify +# it under the terms of the GNU General Public License as published by +# the Free Software Foundation, either version 3 of the License, or +# (at your option) any later version. +# +# This program is distributed in the hope that it will be useful, +# but WITHOUT ANY WARRANTY; without even the implied warranty of +# MERCHANTABILITY or FITNESS FOR A PARTICULAR PURPOSE. See the +# GNU General Public License for more details. +# +# You should have received a copy of the GNU General Public License +# along with this program. If not, see . + +function create_credential () { + local device + local rp_id + local type + + device="$1" + rp_id="$2" + type="$3" + client_data="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)" + user_id="$(echo -n 'clevis' | base64 -w0)" + cred_id="$(printf '%s\n%s\n%s\n%s\n' "${client_data}" "${rp_id}" 'clevis' "${user_id}" \ + | fido2-cred -M -h "${device}" "${type}" \ + | head -n5 | tail -n1)" >&2 + + echo -n "${cred_id}" +} + +function generate_hmac () { + local device + local rp_id + local cred_id + local hmac_salt + + device="$1" + rp_id="$2" + cred_id="$3" + hmac_salt="$4" + + client_hash="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)" + hmac="$(printf '%s\n%s\n%s\n%s\n' "${client_hash}" "${rp_id}" "${cred_id}" "${hmac_salt}" | \ + fido2-assert -G -h -t "uv=${uv}" -t "up=${up}" -t "pin=${pin}" "${device}" | \ + head -n5 | tail -n1 | jose b64 enc -I -)" >&2 + + echo -n "${hmac}" +} + +cfg='' + +if ! cfg="$(jose fmt -j- -Oo- <<< "$1" 2>/dev/null)"; then + echo "Error: Configuration is malformed!" >&2 + exit 1 +fi + +type="$(jose fmt -j- -Og type -Bo- <<< "$cfg")" || type='es256' +uv="$(jose fmt -j- -Og uv -Bo- <<< "$cfg")" || uv='true' +up="$(jose fmt -j- -Og up -Bo- <<< "$cfg")" || up='true' +pin="$(jose fmt -j- -Og pin -Bo- <<< "$cfg")" || pin='false' +rp_id="$(jose fmt -j- -Og rp_id -Su- <<< "$cfg")" || rp_id='clevis' + +if ! fido2_token="$(jose fmt -j- -Og device -u- <<< "$cfg")"; then + fido2_tokens="$(fido2-token -L)" + + if [ -z "${fido2_tokens}" ]; then + echo "Please insert your FIDO2 token." >&2 + exit 1 + fi + + fido2_token="$(echo "${fido2_tokens}" | head -n1 | cut -d':' -f1)" + num_tokens="$(echo "${fido2_tokens}" | wc -l)" + if ((num_tokens > 1)); then + echo "Warning: There are multiple tokens. Will use the first one (${fido2_token})." >&2 + fi +fi + +cred_id="$(jose fmt -j- -Og cred_id -Su- <<< "$cfg")" || cred_id="$(create_credential "${fido2_token}" "${rp_id}" "${type}")" + +# generate a random salt for each encrypted payload to pass to the fido2 token, +# where it will be concatenated with a hardware-protected secret to produce an hmac. +hmac_salt="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)" + +# retrieve the hmac result which will be the password to use for key wrapping a CEK. +hmac="$(generate_hmac "${fido2_token}" "${rp_id}" "${cred_id}" "${hmac_salt}")" + +if [ -z "${hmac}" ]; then + echo "Error: could not generate key." + exit 1 +fi + +# use the secret in a key wrapping key +jwk='{"kty":"oct", "alg":"PBES2-HS512+A256KW"}' +jwk="$(jose fmt -j "${jwk}" -q "${hmac}" -s k -Uo-)" + +jwe='{"protected":{"enc":"A256GCM","clevis":{"pin":"fido2","fido2":{}}}}' +jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${type}" -s type -UUUUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${hmac_salt}" -s hmac_salt -UUUUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${rp_id}" -s rp_id -UUUUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${cred_id}" -s cred_id -UUUUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${uv}" -s uv -UUUUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${up}" -s up -UUUUo-)" +jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${pin}" -s pin -UUUUo-)" + +exec jose jwe enc -i- -k- -I- -c < <(echo -n "$jwe$jwk"; /bin/cat) diff --git a/src/pins/fido2/clevis-encrypt-fido2.1.adoc b/src/pins/fido2/clevis-encrypt-fido2.1.adoc new file mode 100644 index 00000000..83747d2b --- /dev/null +++ b/src/pins/fido2/clevis-encrypt-fido2.1.adoc @@ -0,0 +1,85 @@ +CLEVIS-ENCRYPT-FIDO2(1) +====================== +:doctype: manpage + + +== NAME + +clevis-encrypt-fido2 - Encrypts using a FIDO2 token by using the hmac-secret extension for generating a symmetric key. + +== SYNOPSIS + +*clevis encrypt fido2* CONFIG [-y] < PT > JWE + +== OVERVIEW + +The *clevis encrypt fido2* command encrypts using a FIDO2 token. +Its only argument is the JSON configuration object. + +FIDO2 is a standard for web authentication using secure tokens, such as a security key. +For symmetrically encrypting data using a FIDO2 token, the token must support the hmac-secret +extension. The encryption then works by generating a random 32 byte public hmac-salt that is +sent to the token/authenticator, where an hmac over the salt is created using a key only known +to the authenticator. This secret value is then used to as a "keyWrap" JWK. + +Clevis provides support for encrypting data using such symmetric keys derived from a FIDO2 +hardware token. The following shows a basic example, using the default configuration options: + + $ clevis encrypt fido2 '{}' < PT > JWE + Enter PIN for /dev/hidraw0: + +By default, a new (non-discoverable) credential will be generated and its credential id, as well +as the randomly generated hmac-salt, is stored as metadata along with the ciphertext. Creating +the credential might require entering the device PIN (as shown above) and verifying user presence +by touching the token. If the "pin" option is set to true, the PIN must be entered again and at +every decryption. For example: + + $ clevis encrypt fido2 '{"pin": true}' < PT > JWE + Enter PIN for /dev/hidraw0: + Enter PIN for /dev/hidraw0: + +The options "up" and "uv" can be used to set the desired behaviour for user presence and user +verification when decrypting the ciphertext (see below). In a "headless" setup, e.g., when +encrypting a LUKS partition, those could be set to "false" in order to automatically decrypt +without any user actions. Note that there are currently no prompts when you need to tap on +the device, but the token might signal that by blinking. + +== CONFIG + +This command uses the following configuration properties: + +* *type* (string) : + The type of the credential, as supported by libfido2, i.e., "es256", "rs256" or "eddsa". + Default: "es256". + +* *cred_id* (string) : + A credential id generated for the specific token. If not specified, a new + (non-discoverable) will be generated using the **fido2-cred** command. Please + note that the credential must have the "hmac-extension" enabled. + +* *rp_id* (string) : + The reyling party id of the credential (that will be created or is provided via + the "cred_id" field). + Default: 'clevis'. + +* *up* (boolean) : + Whether or not to ask the authenticator to require user presence. + Default: true. + +* *uv* (string) : + Whether or not to ask the authenticator to require user verification. + Default: true. + +* *pin* (string) : + Whether or not to ask the authenticator to require the PIN and user verification. + Default: false. + +* *device* (string) : + The device, i.e., the fido2 token, to use (e.g., "/dev/hidraw0"). If not specified, + the first device from the list of connected tokens will be used. When setting this + option, you should be sure that the token's slot remains the same, as the decrypt + command will not be able to find the device, otherwise. + +== SEE ALSO + +link:clevis-decrypt.1.adoc[*clevis-decrypt*(1)] From a44fa31b8257e77acef7ee07f64475962f64316a Mon Sep 17 00:00:00 2001 From: Sebastian <> Date: Sun, 22 Jan 2023 16:06:26 +0100 Subject: [PATCH 2/5] chore: change comment --- src/pins/fido2/clevis-encrypt-fido2 | 3 +-- 1 file changed, 1 insertion(+), 2 deletions(-) diff --git a/src/pins/fido2/clevis-encrypt-fido2 b/src/pins/fido2/clevis-encrypt-fido2 index 0779eed3..ad8998f1 100755 --- a/src/pins/fido2/clevis-encrypt-fido2 +++ b/src/pins/fido2/clevis-encrypt-fido2 @@ -82,8 +82,7 @@ fi cred_id="$(jose fmt -j- -Og cred_id -Su- <<< "$cfg")" || cred_id="$(create_credential "${fido2_token}" "${rp_id}" "${type}")" -# generate a random salt for each encrypted payload to pass to the fido2 token, -# where it will be concatenated with a hardware-protected secret to produce an hmac. +# generate a random salt for each encrypted payload hmac_salt="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)" # retrieve the hmac result which will be the password to use for key wrapping a CEK. From c57c349ca498054948d65675930b709cfd9ce936 Mon Sep 17 00:00:00 2001 From: sebastian Date: Tue, 24 Jan 2023 18:38:52 +0100 Subject: [PATCH 3/5] chore: remove kid field --- src/pins/fido2/clevis-encrypt-fido2 | 1 - 1 file changed, 1 deletion(-) diff --git a/src/pins/fido2/clevis-encrypt-fido2 b/src/pins/fido2/clevis-encrypt-fido2 index ad8998f1..a98a0a40 100755 --- a/src/pins/fido2/clevis-encrypt-fido2 +++ b/src/pins/fido2/clevis-encrypt-fido2 @@ -98,7 +98,6 @@ jwk='{"kty":"oct", "alg":"PBES2-HS512+A256KW"}' jwk="$(jose fmt -j "${jwk}" -q "${hmac}" -s k -Uo-)" jwe='{"protected":{"enc":"A256GCM","clevis":{"pin":"fido2","fido2":{}}}}' -jwe="$(jose fmt -j "$jwe" -g protected -q "$kid" -s kid -UUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${type}" -s type -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${hmac_salt}" -s hmac_salt -UUUUo-)" jwe="$(jose fmt -j "$jwe" -g protected -g clevis -g fido2 -q "${rp_id}" -s rp_id -UUUUo-)" From 2130cbeda63262f402b52df815cf0d94078df423 Mon Sep 17 00:00:00 2001 From: Sebastian Date: Tue, 14 Mar 2023 23:06:14 +0100 Subject: [PATCH 4/5] fix: resolve shellcheck errors in clevis-decrypt-fido2 --- src/pins/fido2/clevis-decrypt-fido2 | 14 +++++++------- 1 file changed, 7 insertions(+), 7 deletions(-) diff --git a/src/pins/fido2/clevis-decrypt-fido2 b/src/pins/fido2/clevis-decrypt-fido2 index 39557926..888a7c68 100755 --- a/src/pins/fido2/clevis-decrypt-fido2 +++ b/src/pins/fido2/clevis-decrypt-fido2 @@ -18,7 +18,7 @@ set -eu -read -d . hdr64 +read -r -d . hdr64 if ! hdr="$(jose fmt --quote="$hdr64" --string --b64load --object --output=-)" ; then echo 'JWE header corrupt' >&2 exit 1 @@ -28,28 +28,28 @@ if [ "$(jose fmt --json="$hdr" --get clevis --get pin --unquote=-)" != 'fido2' ] exit 1 fi if ! hmac_salt="$(jose fmt --json="$hdr" --get clevis --get fido2 --get hmac_salt --unquote=-)" ; then - echo 'JWE missing 'hmac_salt' header parameter!' >&2 + echo "JWE missing 'hmac_salt' header parameter!" >&2 exit 1 fi if ! rp_id="$(jose fmt --json="$hdr" --get clevis --get fido2 --get rp_id --unquote=-)" ; then - echo 'JWE missing 'rp_id' header parameter!' >&2 + echo "JWE missing 'rp_id' header parameter!" >&2 exit 1 fi if ! cred_id="$(jose fmt --json="$hdr" --get clevis --get fido2 --get cred_id --unquote=-)" ; then - echo 'JWE missing 'cred_id' header parameter!' >&2 + echo "JWE missing 'cred_id' header parameter!" >&2 exit 1 fi if ! uv="$(jose fmt --json="$hdr" --get clevis --get fido2 --get uv --unquote=-)" ; then - echo 'JWE missing 'uv' header parameter!' >&2 + echo "JWE missing 'uv' header parameter!" >&2 exit 1 fi if ! up="$(jose fmt --json="$hdr" --get clevis --get fido2 --get up --unquote=-)" ; then - echo 'JWE missing 'up' header parameter!' >&2 + echo "JWE missing 'up' header parameter!" >&2 exit 1 fi if ! pin="$(jose fmt --json="$hdr" --get clevis --get fido2 --get pin --unquote=-)" ; then - echo 'JWE missing 'pin' header parameter!' >&2 + echo "JWE missing 'pin' header parameter!" >&2 exit 1 fi From 489970240e8c0a2b986c1ba6ae119919c4b89a97 Mon Sep 17 00:00:00 2001 From: Sebastian Date: Mon, 2 Oct 2023 23:14:24 +0200 Subject: [PATCH 5/5] refactor: use AES256GCM as jwk alg + change default rp_id to 'fido2.clevis' --- src/pins/fido2/clevis-decrypt-fido2 | 4 ++-- src/pins/fido2/clevis-encrypt-fido2 | 7 +++---- src/pins/fido2/clevis-encrypt-fido2.1.adoc | 18 +++++++++--------- 3 files changed, 14 insertions(+), 15 deletions(-) diff --git a/src/pins/fido2/clevis-decrypt-fido2 b/src/pins/fido2/clevis-decrypt-fido2 index 888a7c68..cca14a9d 100755 --- a/src/pins/fido2/clevis-decrypt-fido2 +++ b/src/pins/fido2/clevis-decrypt-fido2 @@ -71,10 +71,10 @@ client_hash="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)" hmac="$(printf '%s\n%s\n%s\n%s\n' "${client_hash}" "${rp_id}" "${cred_id}" "${hmac_salt}" | \ fido2-assert -G -t "uv=${uv}" -t "up=${up}" -t "pin=${pin}" -h "${fido2_token}" | \ - head -n5 | tail -n1 | jose b64 enc -I -)" + head -n5 | tail -n1 | base64 -d | jose b64 enc -I -)" # use the secret in a key wrapping key -jwk='{"alg":"PBES2-HS512+A256KW", "kty":"oct"}' +jwk='{"alg":"A256GCM", "kty":"oct"}' jwk="$(jose fmt -j "${jwk}" -q "${hmac}" -s k -Uo-)" ( printf '%s' "$jwk$hdr64." ; cat ) | exec jose jwe dec --key=- --input=- diff --git a/src/pins/fido2/clevis-encrypt-fido2 b/src/pins/fido2/clevis-encrypt-fido2 index a98a0a40..d380bb96 100755 --- a/src/pins/fido2/clevis-encrypt-fido2 +++ b/src/pins/fido2/clevis-encrypt-fido2 @@ -47,7 +47,7 @@ function generate_hmac () { client_hash="$(dd if=/dev/urandom bs=1 count=32 status=none | base64 -w0)" hmac="$(printf '%s\n%s\n%s\n%s\n' "${client_hash}" "${rp_id}" "${cred_id}" "${hmac_salt}" | \ fido2-assert -G -h -t "uv=${uv}" -t "up=${up}" -t "pin=${pin}" "${device}" | \ - head -n5 | tail -n1 | jose b64 enc -I -)" >&2 + head -n5 | tail -n1 | base64 -d | jose b64 enc -I -)" >&2 echo -n "${hmac}" } @@ -63,7 +63,7 @@ type="$(jose fmt -j- -Og type -Bo- <<< "$cfg")" || type='es256' uv="$(jose fmt -j- -Og uv -Bo- <<< "$cfg")" || uv='true' up="$(jose fmt -j- -Og up -Bo- <<< "$cfg")" || up='true' pin="$(jose fmt -j- -Og pin -Bo- <<< "$cfg")" || pin='false' -rp_id="$(jose fmt -j- -Og rp_id -Su- <<< "$cfg")" || rp_id='clevis' +rp_id="$(jose fmt -j- -Og rp_id -Su- <<< "$cfg")" || rp_id='fido2.clevis' if ! fido2_token="$(jose fmt -j- -Og device -u- <<< "$cfg")"; then fido2_tokens="$(fido2-token -L)" @@ -93,8 +93,7 @@ if [ -z "${hmac}" ]; then exit 1 fi -# use the secret in a key wrapping key -jwk='{"kty":"oct", "alg":"PBES2-HS512+A256KW"}' +jwk='{"kty":"oct", "alg":"A256GCM"}' jwk="$(jose fmt -j "${jwk}" -q "${hmac}" -s k -Uo-)" jwe='{"protected":{"enc":"A256GCM","clevis":{"pin":"fido2","fido2":{}}}}' diff --git a/src/pins/fido2/clevis-encrypt-fido2.1.adoc b/src/pins/fido2/clevis-encrypt-fido2.1.adoc index 83747d2b..496b4d41 100644 --- a/src/pins/fido2/clevis-encrypt-fido2.1.adoc +++ b/src/pins/fido2/clevis-encrypt-fido2.1.adoc @@ -38,18 +38,18 @@ every decryption. For example: Enter PIN for /dev/hidraw0: Enter PIN for /dev/hidraw0: -The options "up" and "uv" can be used to set the desired behaviour for user presence and user -verification when decrypting the ciphertext (see below). In a "headless" setup, e.g., when +The options "up" and "uv" can be used to set the desired behaviour for user presence and user +verification when decrypting the ciphertext (see below). In a "headless" setup, e.g., when encrypting a LUKS partition, those could be set to "false" in order to automatically decrypt without any user actions. Note that there are currently no prompts when you need to tap on -the device, but the token might signal that by blinking. +the device, but the token might signal that by blinking. == CONFIG This command uses the following configuration properties: * *type* (string) : - The type of the credential, as supported by libfido2, i.e., "es256", "rs256" or "eddsa". + The type of the credential, as supported by libfido2, i.e., "es256", "rs256" or "eddsa". Default: "es256". * *cred_id* (string) : @@ -59,19 +59,19 @@ This command uses the following configuration properties: * *rp_id* (string) : The reyling party id of the credential (that will be created or is provided via - the "cred_id" field). - Default: 'clevis'. + the "cred_id" field). + Default: 'fido2.clevis'. * *up* (boolean) : - Whether or not to ask the authenticator to require user presence. + Whether or not to ask the authenticator to require user presence. Default: true. * *uv* (string) : - Whether or not to ask the authenticator to require user verification. + Whether or not to ask the authenticator to require user verification. Default: true. * *pin* (string) : - Whether or not to ask the authenticator to require the PIN and user verification. + Whether or not to ask the authenticator to require the PIN and user verification. Default: false. * *device* (string) :