@Premeide
Contributor

  • Add option for providing custom aaChallenge

@Premeide Premeide force-pushed the main branch 2 times, most recently from a0e6881 to de25144 Compare August 3, 2024 19:26
@AndyQ
Owner

AndyQ commented Sep 24, 2024

Hi, Could you explain why this is useful and needed?

@Premeide
Contributor Author

> Hi, Could you explain why this is useful and needed?

As an extra security feature, our backend now provides a unique active authentication challenge for the NFC reader to sign. By using a custom AA challenge, we ensure that the challenge/response was specifically executed in the session and not replayed. The app then sends the NFCPassportModel.activeAuthenticationSignature to the backend, along with the rest of the chip data. This requires the NFCPassportReader to optionally accept a custom aaChallenge.

This challenge/signature verification ensures that the app user has actually scanned the passport to retrieve the data, preventing the use of stored passport data.
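
The backend side of the flow described in the comment above, as an added example (not code from this PR or from NFCPassportReader): the server issues a one-time 8-byte challenge per session and accepts a signature only against that challenge. `AAChallengeStore`, the `verify_signature` hook, the session ids and the 120-second lifetime are assumptions; the real RSA/ECDSA check against the DG15 public key is left to the hook.

```python
import hmac
import secrets
import time

CHALLENGE_LEN = 8      # ICAO 9303 Active Authentication nonce length in bytes
CHALLENGE_TTL = 120.0  # assumed lifetime of an unanswered challenge, in seconds


class AAChallengeStore:
    """Issues one-time AA challenges per session and checks the chip's response."""

    def __init__(self, verify_signature, clock=time.monotonic):
        # Hypothetical hook: verify_signature(public_key, challenge, signature) -> bool.
        # public_key must be the DG15 key, accepted only after passive authentication.
        self._verify = verify_signature
        self._clock = clock
        self._pending = {}  # session_id -> (challenge, expiry)

    def issue(self, session_id):
        challenge = secrets.token_bytes(CHALLENGE_LEN)
        self._pending[session_id] = (challenge, self._clock() + CHALLENGE_TTL)
        return challenge  # the app passes this to the reader as the custom aaChallenge

    def check(self, session_id, public_key, signature):
        # pop() consumes the challenge, so a second submission always fails.
        entry = self._pending.pop(session_id, None)
        if entry is None:
            return False
        challenge, expiry = entry
        if self._clock() > expiry:
            return False
        return bool(self._verify(public_key, challenge, signature))


def demo():
    # Constructed stand-in for the chip: HMAC replaces the real RSA/ECDSA signature.
    key = b"constructed-demo-key"
    sign = lambda ch: hmac.new(key, ch, "sha256").digest()
    verify = lambda k, ch, sig: hmac.compare_digest(hmac.new(k, ch, "sha256").digest(), sig)
    store = AAChallengeStore(verify)
    stored_sig = sign(store.issue("session-1"))
    fresh = store.check("session-1", key, stored_sig)
    store.issue("session-2")  # new session, new challenge
    replayed = store.check("session-2", key, stored_sig)
    return fresh, replayed


if __name__ == "__main__":
    print(demo())
```

A signature captured in one session is rejected in the next because it was computed over a different challenge, which is the property the custom `aaChallenge` gives the backend.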

@vpetrusevici

Hi, @AndyQ!
It's a really important security feature to make passport-based authentication without replay attack vulnerability.
Can we merge this PR please?

@ospfranco

This has been open for over a year and it's actually quite necessary from a security point of view. Any chance this can be merged soon @AndyQ ?

@AndyQ
Owner

AndyQ commented Dec 2, 2025

Yes indeed - it will be merged soon and will be in the next release.

I'll try to get it merged this week so it's in main at least. Next release will hopefully be out by next week.

@ospfranco

Awesome! It would be great if #261 can also be merged, current install takes ages as it clones a huge repo

@AndyQ
Owner

AndyQ commented Dec 3, 2025

Sure will also look at including that PR too

@AndyQ AndyQ merged commit d37027f into AndyQ:main Dec 10, 2025
AndyQ added a commit that referenced this pull request Dec 10, 2025
…issue #259

Added ability to provide a custom AA Challenge key for supporting backend AA challenges and eliminating replay attacks - PR #227
Updated to use the binary OpenSSL-Package to improve repo loading times and updated Cocoapods to use OpenSSL 3.3.1001 binary too - PR #263 (part)
Updated docs to say that Cocoapods will continue to be released until end-2026 but will not be a supported deployment. - Issue #262