Bluetooth Low Energy
Authenticator and Client devices using BLE SHALL conform to Bluetooth Core Specification 4.0 or later [BTCORE]
Bluetooth(tm) SIG specified UUID values SHALL be found on the Assigned Numbers website [BTASSNUM]
GATT Service Description
This profile defines two roles: FIDO Authenticator and FIDO Client.
- The FIDO Client shall be a GATT Client
- The FIDO Authenticator shall be a GATT Server
The following graphic illustrates the mandatory services and
characteristics that SHALL be offered by a FIDO Authenticator as
part of its GATT server:
The table below summarizes additional GATT sub-procedure requirements for a FIDO Authenticator (GATT Server) beyond those required by all GATT Servers.
| GATT Sub-Procedure | Requirements |
|---|---|
| Write Characteristic Value | Mandatory
|
| Notifications | Mandatory
|
| Read Characteristic Descriptors | Mandatory
|
| Write Characteristic Descriptors | Mandatory
|
The table below summarizes additional GATT sub-procedure requirements for a FIDO Client (GATT Client) beyond those required by all GATT Clients.
| GATT Sub-Procedure | Requirements |
|---|---|
| Discover All Primary Services | (*)
|
| Discover Primary Services by Service UUID | (*)
|
| Discover All Characteristics of a Service | (**)
|
| Discover Characteristics by UUID | (**)
|
| Discover All Characteristic Descriptors | Mandatory
|
| Read Characteristic Value | Mandatory
|
| Write Characteristic Value | Mandatory
|
| Notification | Mandatory
|
| Read Characteristic Descriptors | Mandatory
|
| Write Characteristic Descriptors | Mandatory
|
(*): Mandatory to support at least one of these sub-procedures.
(**): Mandatory to support at least one of these sub-procedures.
Other GATT sub-procedures may be used if supported by both client and server.
Specifics of each service are explained below. In the following descriptions: all values are big-endian coded, all strings are in UTF-8 encoding, and any characteristics not mentioned explicitly are optional.
U2F Service
An Authenticator SHALL implement the U2F Service described below.
The UUID for the FIDO U2F GATT service is 0xFFFD, it shall be declared as a Primary Service.
The service contains the following characteristics:
| Characteristic Name | Mnemonic | Property | Length | UUID |
|---|---|---|---|---|
| U2F Control Point | u2fControlPoint | Write | Defined by Vendor (20-512 bytes) | F1D0FFF1-DEAA-ECEE-B42F-C9BA7ED623BB |
| U2F Status | u2fStatus | Notify | N/A | F1D0FFF2-DEAA-ECEE-B42F-C9BA7ED623BB |
| U2F Control Point Length | u2fControlPointLength | Read | 2 bytes | F1D0FFF3-DEAA-ECEE-B42F-C9BA7ED623BB |
| U2F Service Revision | u2fServiceRevision | Read | Defined by Vendor (20-512 bytes) | 0x2A28 |
u2fControlPoint is a write-only command buffer.
u2fStatus is a notify-only response attribute.
The Authenticator will send a series of notifications on this attribute
with a maximum length of (ATT_MTU-3) using the response frames defined
above. This mechanism is used because this results in a faster transfer
speed compared to a notify-read combination.
u2fControlPointLength defines the maximum size in
bytes of a single write request to u2fControlPoint.
This value SHALL be between 20 and 512.
u2fServiceRevision defines the
revision of the U2F Service. The value is a UTF-8 string. For
this version of the specification, the value
u2fServiceRevision SHALL be 1.0 or in
raw bytes: 0x312e30.
The u2fServiceRevision Characteristic MAY include
a Characteristic Presentation Format descriptor with format value
0x19, UTF-8 String.
Device Information Service
An Authenticator SHALL implement the Device Information Service [BTDIS] with the following characteristics:
- Manufacturer Name String
- Model Number String
- Firmware Revision String
All values for the Device Information Service are left to the vendors. However, vendors should not create uniquely identifiable values so that Authenticators do not become a method of tracking users.
Generic Access Service
Every Authenticator SHALL implement the Generic Access Service [BTGAS] with the following characteristics:
- Device Name
- Appearance
Protocol Overview
The general overview of the communication protocol follows:
- Authenticator advertises the FIDO U2F service.
- Client scans for Authenticator advertising the FIDO U2F service.
- Client performs characteristic discovery on the Authenticator.
- If not already paired, the Client and Authenticator SHALL perform BLE pairing and create a LTK. Authenticator SHALL only allow connections from previously bonded Clients without user intervention.
- Client reads the
u2fControlPointLengthcharacteristic. - Client registers for notifications on the
u2fStatuscharacteristic. - Client writes a request (e.g., an enroll request) into
the
u2fControlPointcharacteristic. - Authenticator evaluates the request and responds by sending
notifications over
u2fStatuscharacteristic. - The connection is closed by the Client or the connection times out and is closed by the Authenticator.
Authenticator Advertising Format
When advertising, the Authenticator SHALL advertise the FIDO U2F service UUID.
When advertising, the Authenticator MAY include the TxPower value in the advertisement (see [BTXPLAD]).
The advertisement MAY also carry a device name which is distinctive and user-identifiable. For example, "ACME Key" would be an appropriate name, while "XJS4" would not be.
The Authenticator SHALL also implement the Generic Access Profile [BTGAP] and Device Information Service [BTDIS], both of which also provide a user friendly name for the device which could be used by the Client.
It is not specified when or how often an Authenticator should advertise, instead that flexibility is left to manufacturers.
Requests
Clients SHOULD make requests by connecting to the Authenticator
and performing a write into the u2fControlPoint
characteristic.
Responses
Authenticators SHOULD respond to Clients by sending notifications
on the u2fStatus characteristic.
Some Authenticators might alert users or prompt them to complete the
test of user presence (e.g., via sound, light, vibration,
etc.) Upon receiving any request, the Authenticators SHALL respond
within kMaxInitialResponseMillis. The Authenticators SHALL send
KEEPALIVE BLE commands every kKeepAliveMillis
milliseconds. While the Authenticator is processing the request
the KEEPALIVE BLE command will contain status Processing.
As soon the Authenticator has completed the processing it SHALL either send
the reply or wait for user presence. If a wait-for-user-presence
state is entered the KEEPALIVE will contain the TUPNeeded status.
The Authenticators MAY alert the user (e.g., by flashing) in order to
prompt the user to complete the test of user presence.
Upon receiving a KEEPALIVE message, the Client SHALL assume the
Authenticator is still processing the command; the Client SHALL not
resend the command. The Authenticator SHALL continue sending
KEEPALIVE messages at least every kKeepAliveMillis
to indicate that it is still handling the request. Until a
client-defined timeout occurs, the Client SHALL NOT move on to other
devices when it receives a KEEPALIVE with TUPNeeded
status, as it knows this is a device that can satisfy its request.
Framing fragmentation
A single request/response sent over BLE MAY be split over multiple writes and notifications, due to the inherent limitations of BLE which is not currently meant for large messages. Frames are fragmented in the following way:
A frame is divided into an initialization fragment and one or more continuation fragments.
An initialization fragment is defined as:
| Offset | Length | Mnemonic | Description |
|---|---|---|---|
| 0 | 1 | CMD | Command identifier |
| 1 | 1 | HLEN | High part of data length |
| 2 | 1 | LLEN | Low part of data length |
| 3 | maxLen - 3 | DATA | Data |
where maxLen is the maximum packet size supported by
the characteristic or notification.
In other words, the start of an initialization fragment is
indicated by setting the high bit in the first byte. The subsequent
two bytes indicate the total length of the frame, in big-endian
order. The first maxLen - 3 bytes of data follow.
Continuation fragments are defined as:
| Offset | Length | Mnemonic | Description |
|---|---|---|---|
| 0 | 1 | SEQ | Packet sequence 0x00..0x7f (high bit always cleared) |
| 1 | maxLen - 1 | DATA | Data |
where maxLen is the maximum packet size supported
by the characteristic or notification.
In other words, continuation fragments begin with a sequence number, beginning at 0, implicitly with the high bit cleared.
Example for sending a PING command with 40 bytes of
data with a maxLen of 20 bytes:
| Frame | Bytes |
|---|---|
| 0 | [810028] [17 bytes of data]
|
| 1 | [00] [19 bytes of data]
|
| 2 | [01] [4 bytes of data]
|
Example for sending a ping command with 400 bytes of data with a
maxLen of 512 bytes:
| Frame | Bytes |
|---|---|
| 0 | [810190] [400 bytes of data]
|
Implementation Considerations
Bluetooth pairing: Client considerations
As noted in the Pairing section, a disadvantage of using standard Bluetooth pairing is that the pairing is "system-wide" on most operating systems. That is, if an Authenticator is paired to a FIDO Client which resides on an operating system where Bluetooth pairing is "system-wide", then any application on that device might be able to interact with an Authenticator. This poses both security and privacy risks to users.
While Client operating system security is partly out of FIDO's scope, further revisions of this specification MAY propose mitigations for this issue.
Bluetooth pairing: Authenticator considerations
The method to put the Authenticator into Pairing Mode should be such that it is not easy for the user to do accidentally especially if the pairing method is Just Works. For example, the action could be pressing a physically recessed button or pressing multiple buttons. A visible or audible cue that the Authenticator is in Pairing Mode should be considered. As a counter example, a silent, long press of a single non-recessed button is not advised as some users naturally hold buttons down during regular operation.
Handling command completion
One of the benefits of the Bluetooth, and especially, Bluetooth Low Energy protocols is that they allow Authenticators to be battery-operated devices with low power requirements. A key consideration for such devices to to be able to conserve power by shutting down or switching to a lower-power state when they have satisfied a Client's requests.
On the other hand, the design of the protocol typically requires more than one command before completion. This is especially true when one command is rejected due to a key handle error: if a user has more than one key handle associated with an account or identity, multiple key handles may need to be tried before getting a successful outcome. At the same time, a Client that fails to send followup commands in a timely fashion may cause the Authenticator to drain its battery by staying powered up anticipating more commands.
A further consideration for an Authenticator is to ensure that a user is not confused about which command she is confirming by completing the test of user presence. That is, if a user performs the test of user presence, that action should perform exactly one operation.
We combine these considerations into the following series of recommendations:
- Upon initial connection to an Authenticator, and upon receipt
of a response from an Authenticator, if a Client has more
commands to issue, the Client MUST transmit the next command or
fragment within
kMaxCommandTransmitDelayMillismilliseconds. - Upon successful completion of a command which required a test of user presence, e.g. upon a successful authentication or registration command, the Authenticator can assume the Client is satisfied, and MAY reset its state or power down.
- Upon sending a command response that did not consume a test of
user presence, the Authenticator MUST assume that the Client may
wish to initiate another command, and leave the connection open
until the Client closes it or until a timeout of at least
kErrorWaitMilliselapses. Examples of command responses that do not consume user presence include failed authenticate or register commands, as well as get version responses, whether successful or not. AfterkErrorWaitMillismilliseconds have elapsed without further commands from a Client, an Authenticator MAY reset its state or power down.
| Constant | Value |
|---|---|
kMaxCommandTransmitDelayMillis | 1500 milliseconds |
kErrorWaitMillis | 2000 milliseconds |
kMaxInitialResponseMillis | 500 milliseconds |
kKeepAliveMillis | 500 milliseconds |
Data throughput
BLE does not have particularly high throughput, this can cause noticeable latency to the user if request/responses are large. Some ways that implementers can reduce latency are:
- Support the maximum MTU size allowable by hardware (up to the 512 bytes max from the BLE specifications).
- Make the attestation certificate as small as possible, do not include unnecessary extensions.
Advertising
Though the standard doesn’t appear to mandate it (in any way that we’ve found thus far), advertising and device discovery seems to work better when the Authenticators advertise on all 3 advertising channels and not just one.
Authenticator Address Type
In order to enhance the user's privacy and specifically to guard against tracking, it is recommended that Authenticators use Resolvable Private Addresses (RPAs) instead of static addresses.