The YKFFIDO2Session provides access to the FIDO2 application on a YubiKey. Communication with the FIDO2 application is done through the YKFFIDO2Session and the methods it exposes. You obtain the session by calling `-(void)fido2Session:(YKFFIDO2SessionCallback _Nonnull)callback` on a YKFConnectionProtocol. The method is guaranteed to either return the session or an error, never both nor neither.
```swift
connection.fido2Session { session, error in
    // The callback delivers exactly one of session or error, never both.
    guard let session = session else {
        // Handle error
        return
    }
    session.getPinRetries { retries, error in
        // Display number of retries
    }
}
```
```objectivec
[connection fido2Session:^(YKFFIDO2Session * _Nullable session, NSError * _Nullable error) {
    if (session == nil) { /* Handle error */ return; }
    [session getPinRetriesWithCompletion:^(NSUInteger retries, NSError * _Nullable error) {
        // Display number of retries
    }];
}];
```
Implement the YKFFIDO2SessionKeyStateDelegate protocol and set the delegate of the YKFFIDO2Session to observe changes to the YubiKey's state. This is needed for prompting the user to touch the key at certain points in the FIDO2 chain.
- After PIN verification, YubiKit automatically appends the required PIN auth data to FIDO2 requests when necessary. YubiKit does not cache the PIN itself. Instead it uses a temporary shared token, agreed between the key and YubiKit as defined by the CTAP2 specification. This token is valid only while the session is open and is not persisted.
- After verifying the PIN and executing the necessary requests with the key, the application can clear the shared token by calling `clearUserVerification` on the FIDO2 Service. This also happens automatically when the key is unplugged, taken away from the device, or when the session is closed programmatically.
- After changing the PIN, a new PIN verification is required.
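The following Swift class ties the points above together: it sets the key state delegate so the UI can ask for a touch, checks the remaining PIN retries before sending the PIN, verifies the PIN, runs the caller's FIDO2 requests, and then drops the shared token. It is an added example, not code from YubiKit; the exact shapes of `keyStateChanged(_:)`, `verifyPin(_:completion:)`, `clearUserVerification()`, the `delegate` property and the `.touchKey` case are assumptions to check against the headers of your YubiKit version.

```swift
import YubiKit

enum FIDO2PinError: Error { case pinBlocked }

/// Added example (not YubiKit's own code). Assumed API shapes: keyStateChanged(_:) on the
/// delegate, verifyPin(_:completion:), clearUserVerification() and `delegate` on the session.
final class FIDO2PinFlow: NSObject, YKFFIDO2SessionKeyStateDelegate {
    private let connection: YKFConnectionProtocol
    private let promptTouch: (Bool) -> Void   // true: show "touch your key", false: hide it

    init(connection: YKFConnectionProtocol, promptTouch: @escaping (Bool) -> Void) {
        self.connection = connection
        self.promptTouch = promptTouch
    }

    // YubiKit calls this whenever the key's state changes. The touchKey state means the
    // key is waiting for user presence, so the UI has to ask the user to touch it.
    func keyStateChanged(_ keyState: YKFFIDO2SessionKeyState) {
        promptTouch(keyState == .touchKey)
    }

    /// Verifies the PIN, hands a PIN-authenticated session to `work`, and clears the shared
    /// token when `work` calls `done`, so later requests need a fresh PIN verification.
    func withVerifiedPin(_ pin: String,
                         work: @escaping (_ session: YKFFIDO2Session, _ done: @escaping () -> Void) -> Void,
                         failure: @escaping (Error) -> Void) {
        connection.fido2Session { session, error in
            guard let session = session else {
                failure(error!)   // the API guarantees an error whenever the session is nil
                return
            }
            session.delegate = self
            // Check the retry counter first: at zero the PIN is blocked and the FIDO2
            // application must be reset, so warn the user instead of burning the last attempt.
            session.getPinRetries { retries, error in
                if let error = error { failure(error); return }
                guard retries > 0 else { failure(FIDO2PinError.pinBlocked); return }
                session.verifyPin(pin) { error in
                    if let error = error { failure(error); return }
                    // From here on YubiKit appends PIN auth data to requests automatically;
                    // the PIN itself is never cached, only the CTAP2 shared token.
                    work(session) {
                        session.clearUserVerification()   // forget the token once finished
                    }
                }
            }
        }
    }
}
```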
The YubiKit Demo application provides detailed demos on how to use the FIDO2 functionality of the library:

- The FIDO2 Demo in the Other demos provides a self-contained demo for the requests discussed in this section and more details about the API.
- The demo available in the FIDO2 tab of the application provides a complete example of how YubiKit can be used together with a WebAuthn server to register and authenticate.

Read more about WebAuthn and FIDO2 on the Yubico developer site.