How to deal with authenticators with multiple CTAP transports on one physical interface

[iinuwa]

Somewhat related to #154 is that if a device supports the CCID/smart-card protocol over USB as well as HID, then it will appear as two devices without a way to deduplicate them¹.

But I think that we can improve this situation by only using physical interface-specific APIs. USB and BLE are fine: we should use libnfc only for the nfc::is_available(), or return false. (The reason for this is that PC/SC abstracts over physical transports, so we can't know at that level whether it's NFC, USB or a smartcard on some other port.)

• We can still support reading NFC keys with just pcsc, we just won't be able to tell inform the UI that they should say "a USB or NFC security key" rather than just "a USB security key". Similarly, this allows us to use "smart-card only" authenticators, though I don't know if any of those exist.

(I think this issue motivates a change in credentialsd though: instead of selecting transports for security keys, we should just generically show "security key" and preemptively discovery on all available transports. That'll be a separate issue in credentialsd.)

Footnotes

1. I think this needs CTAP spec changes to make this robust (e.g., returning a random ID from getInfo on every power cycle to identify the same device across transports). ↩