WebAuthn use case: multiple devices


Ronnie C

May 23, 2018, 10:55:49 AM
to FIDO Dev (fido-dev)
In the WebAuthn use case for Authentication, we see the following:

  • On a laptop or desktop:

    • User navigates to example.com in a browser, sees an option to "Sign in with your phone."

    • User chooses this option and gets a message from the browser, "Please complete this action on your phone."

  • Next, on their phone:

    • User sees a discrete prompt or notification, "Sign in to example.com."


I am trying to understand: What is the mechanism which (following the earlier registration on the phone) pushes the prompt/notification to the phone?

If this is a browser-level function (i.e. I am signed into Chrome on both desktop and phone, and hence Chrome syncs/pushes from one instance to the other), then under WebAuthn can this work cross-browser too? i.e. I am on Chrome on desktop, and Safari on phone.

Thanks,

RC.


Christiaan Brand

May 23, 2018, 10:57:10 AM
to cam.ross...@gmail.com, FIDO Dev (fido-dev)
Hi RC,

The mechanism will be some local communication protocol, such as USB or BLE.

/christiaan

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To post to this group, send email to fido...@fidoalliance.org.
Visit this group at https://groups.google.com/a/fidoalliance.org/group/fido-dev/.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/787aee13-dcb2-4e01-b863-820886637a5c%40fidoalliance.org.

RC

May 23, 2018, 11:11:25 AM
to FIDO Dev (fido-dev), cam.ross...@gmail.com
Thanks - that makes sense. So therefore it is possible for this to be 'cross browser' because it depends on the original (local) binding during registration.

Christiaan Brand

May 23, 2018, 11:17:31 AM
to cam.ross...@gmail.com, FIDO Dev (fido-dev)
Not quite. It should work perfectly fine cross-browser: as long as the origin who registered the credential is still the one requesting to sign. Also, this means that the authenticator should be implemented at a layer lower than the browser so multiple browsers can get access to it.
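The origin binding Christiaan describes (the credential is only usable when the origin that registered it is the one asking for the signature) is enforced by the relying party server when it verifies an assertion, independently of which browser or transport delivered it. The Python below is an added example written for this thread, not code from the thread, from a FIDO specification or from any library; RP_ID, ALLOWED_ORIGINS and the sample assertion bytes are constructed for illustration. It performs the clientDataJSON and authenticatorData checks (type, challenge, origin, rpIdHash, user-presence flag) of the WebAuthn assertion verification procedure and returns the bytes the authenticator signed; the final signature check against the public key stored at registration is left to the caller, since the Python standard library has no ECDSA support.

```python
import base64
import hashlib
import json
import secrets

# Constructed sample values (not from the thread): the RP ID the credential was
# registered under, and the browser origins allowed to present assertions for it.
RP_ID = "example.com"
ALLOWED_ORIGINS = {"https://example.com", "https://login.example.com"}

FLAG_USER_PRESENT = 0x01   # UP bit in authenticatorData flags
FLAG_USER_VERIFIED = 0x04  # UV bit in authenticatorData flags


def b64url_decode(s: str) -> bytes:
    """Decode unpadded base64url, the encoding used inside clientDataJSON."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode("ascii")


def verify_assertion_binding(client_data_json, authenticator_data, expected_challenge,
                             rp_id=RP_ID, allowed_origins=ALLOWED_ORIGINS, require_uv=False):
    """Check the origin, RP ID, challenge and user-presence binding of an assertion.

    Returns (signed_bytes, sign_count): signed_bytes is authenticatorData || SHA-256(clientDataJSON),
    the message the caller must verify against the registered public key.
    Raises ValueError on any binding failure.
    """
    try:
        client_data = json.loads(client_data_json.decode("utf-8"))
    except (UnicodeDecodeError, ValueError) as exc:
        raise ValueError(f"clientDataJSON is not valid JSON: {exc}")

    if client_data.get("type") != "webauthn.get":
        raise ValueError("clientData.type must be 'webauthn.get' for an assertion")

    # The challenge ties the assertion to one server-issued login attempt (anti-replay).
    if not secrets.compare_digest(b64url_decode(client_data.get("challenge", "")),
                                  expected_challenge):
        raise ValueError("challenge mismatch")

    # The browser, not the page, fills in origin, so a credential registered at
    # example.com cannot be exercised from a look-alike origin, whatever the transport.
    origin = client_data.get("origin")
    if origin not in allowed_origins:
        raise ValueError(f"origin {origin!r} not allowed for this RP")

    # authenticatorData layout: rpIdHash (32) || flags (1) || signCount (4, big-endian) || ...
    if len(authenticator_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash = authenticator_data[:32]
    flags = authenticator_data[32]
    sign_count = int.from_bytes(authenticator_data[33:37], "big")

    if not secrets.compare_digest(rp_id_hash, hashlib.sha256(rp_id.encode("utf-8")).digest()):
        raise ValueError("rpIdHash does not match the expected RP ID")
    if not flags & FLAG_USER_PRESENT:
        raise ValueError("user presence (UP) flag not set")
    if require_uv and not flags & FLAG_USER_VERIFIED:
        raise ValueError("user verification (UV) required but not performed")

    return authenticator_data + hashlib.sha256(client_data_json).digest(), sign_count


# --- constructed sample data standing in for what a real authenticator and browser produce ---

def make_authenticator_data(rp_id, flags, sign_count):
    """Build the 37-byte fixed prefix of authenticatorData (no attested data, no extensions)."""
    return hashlib.sha256(rp_id.encode("utf-8")).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")


def make_client_data(origin, challenge, typ="webauthn.get"):
    return json.dumps({"type": typ, "challenge": b64url_encode(challenge), "origin": origin}).encode("utf-8")


def demo():
    """Run one valid assertion and two that must be rejected; return the outcomes."""
    challenge = bytes(range(32))  # a real server uses os.urandom(32) per login attempt
    results = {}

    auth_data = make_authenticator_data(RP_ID, FLAG_USER_PRESENT | FLAG_USER_VERIFIED, 7)
    signed, results["good_count"] = verify_assertion_binding(
        make_client_data("https://example.com", challenge), auth_data, challenge)
    results["good_signed_len"] = len(signed)  # 37 + 32

    # Same credential and challenge, but the browser reports a look-alike origin.
    try:
        verify_assertion_binding(make_client_data("https://example.com.evil.test", challenge),
                                 auth_data, challenge)
    except ValueError as exc:
        results["phish_error"] = str(exc)

    # Correct origin, but the authenticator scoped the credential to a different RP ID.
    try:
        verify_assertion_binding(make_client_data("https://example.com", challenge),
                                 make_authenticator_data("other.example", FLAG_USER_PRESENT, 1),
                                 challenge)
    except ValueError as exc:
        results["wrong_rp_error"] = str(exc)

    return results


if __name__ == "__main__":
    for key, value in demo().items():
        print(f"{key}: {value}")
```

The two rejected cases are the point: the check is between the origin/RP ID and the credential, not between browser instances, which is why a credential registered through Chrome on a desktop can be exercised through Safari on a phone as long as the same origin is asking, and why a look-alike origin cannot use it even with a phone in the loop.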

Tomas Špokas

Jul 12, 2018, 6:27:41 AM
to FIDO Dev (fido-dev)
I highly doubt that it is meant to be a physical connection between phone and desktop. WebAuthn does not specify how such a flow should work. Probably it's up to you to decide how to implement push notifications and stuff. This is where the UAF protocol could possibly be used.
Anyway, I see this question asked over and over again, because WebAuthn does not talk about network communication with the authenticator and this confuses people a lot.
Can anybody with high authority explain how PC<->Phone authentication should work when using WebAuthn?

Arshad Noor

Jul 12, 2018, 7:52:41 AM
to fido...@fidoalliance.org

The reason this is not explained in WebAuthn, is because it is not part of the specification the W3C is focused on.  The W3C is focused on standardizing just the part of the FIDO2 protocol that is implemented in the web user agent: the browser.

The part that completes the FIDO2 protocol between the platform (the desktop/laptop) and the "roaming" Authenticator is the Client to Authenticator Protocol 2, which is being standardized by the FIDO Alliance itself.  You need to understand both of these together to understand how the FIDO2 workflows work for Registration, Authentication and Transaction Authorization. 

The reason they are broken into 2 parts - and are being addressed by two different standards groups - is because of division of labor and specialization.  Web developers who are writing web-apps that use WebAuthn do not have to care about CTAP2; Authenticator manufacturers who are building Roaming Authenticators do not have to care about WebAuthn; and Server manufacturers - such as ourselves - have to care about both (and a whole lot more).

Anyone that wishes to truly understand FIDO2 really needs to understand WebAuthn, CTAP2, Metadata Services, Attestation and FIDO Extensions. 

Arshad Noor
StrongKey

Tomas Špokas

Jul 13, 2018, 12:09:10 PM
to FIDO Dev (fido-dev), arsha...@strongkey.com
Makes total sense about the first part. But I still don't understand/agree about CTAP2 filling the gap. FIDO2 talks a lot about CTAP2, but CTAP2 does not tell anything about communication with a mobile phone (or does it?) or other out-of-band device. The roaming authenticator is well described even in WebAuthn, but a mobile phone does not fit the roaming authenticator description. The UAF protocol fills the gap of PC to phone communication, but most people (including me) have the impression that FIDO2 supersedes UAF.
IMHO the FIDO organisation should untangle the misconceptions about UAF, U2F and WebAuthn. They should more clearly describe the various flows and how their protocols are involved in those flows.

From CTAP2 spec:
This protocol is intended to be used in scenarios where a user interacts with a relying party (a website or native app) on some platform (e.g., a PC) which prompts the user to interact with an external authenticator (e.g., a smartphone).
<..>This specification does not specify the details of how such a channel is established, nor how transport layer security must be achieved.

Sounds promising, but later the specification talks only about BT, NFC and USB.

Christiaan Brand

Jul 13, 2018, 2:22:18 PM
to tsp...@gmail.com, FIDO Dev (fido-dev), arsha...@strongkey.com
Ah, yes. There's a missing piece to CTAP right now that we're working on in the Alliance, called caBLE. It's a protocol that's supposed to address some of these shortcomings. Once we publish a review draft you'll be able to view it, or, if you'd like to join us in FIDO you can help shape this new protocol.


John Bradley

Jul 13, 2018, 2:41:19 PM
to Ronnie C, FIDO Dev (fido-dev)

I think that you may be confusing the non-Fido authentication protocols like GSMA Mobile Connect, which use OpenID Connect for federation and may use UAF out of band via a push notification system to authenticate the user, with the new Fido2-CTAP flow.

To be perfectly clear, the out-of-band flow is susceptible to man in the middle. So while it may use Fido as a component, it is not in itself Fido.

The new WebAuthn flow will cause the browser to enumerate both the platform credentials and the roaming credentials the user has for the site.

The roaming credentials could be on a standalone device that supports USB, NFC or BLE. They may also be on a mobile phone as part of its platform authenticator. The mobile phone could use NFC (on Android), or BLE, to the computer as the transport for CTAP2.

The downside of BLE is that it currently requires pairing the device in advance, so the user experience is not ideal. There are standalone BLE U2F authenticators now that show this can work.

There is a proposal, which Google has put forward, to make the BLE connection between a roaming credential provider and a PC more automatic.

So the flow people are using to do push notification with Fido UAF is not itself part of Fido.

WebAuthn/CTAP2 provide a new flow that properly prevents phishing/man-in-the-middle attacks.

Regards

John B.


John Bradley

Jul 13, 2018, 2:48:50 PM
to Tomas Špokas, FIDO Dev (fido-dev)

CTAP2, otherwise known as Fido 2, is a local connection between the User Agent and the authenticator.

Out-of-band push notification to a UAF authenticator is not part of Fido UAF (and is subject to MIM) and will not be part of CTAP2.

That is not to say that you couldn't combine a Fido2 platform authenticator on a mobile phone with a push notification app to get the same effect as the UAF + push notification flow. It is just not part of Fido.

WebAuthn + CTAP2 provide a more secure flow to have the browser/User Agent talk directly to the authenticator on the phone over BLE, so that the authentication can happen in band to protect against MIM attacks.

Regards

John B.


Kris Vandermast

Jul 13, 2018, 3:03:50 PM
to John Bradley, Tomas Špokas, FIDO Dev (fido-dev)
Would be nice to see where this is going: I would expect - as mentioned by John - that the client itself has a UX-friendly way of selecting and addressing any of the authenticators. We've created a POC implementation with an Android authenticator and the Chrome BLE Web API for a client, but next to being proof that it is doable, the UX is far from ideal. I read somewhere - if I recall correctly - in the W3C WebAuthn draft that next to USB, NFC and BLE, they would also have a "custom" transport protocol. Could this be a Push Notification implementation? Our client has been running - successfully - for a few years a mobile solution based on CAS and an off-band Push mechanism. We could see some of the WebAuthn flows return within the app to facilitate authentication and create a roaming authenticator.

Regards,

Kris



John Bradley

Jul 14, 2018, 11:37:54 AM
to Kris Vandermast, Tomas Špokas, FIDO Dev (fido-dev)
WebAuthn as part of W3C credman could be extended to support other authenticator types. However, that seems unlikely as part of Fido. The focus will be on improving the user experience between the WebAuthn client and authenticator over local CTAP2 connections.

It is going to take some time for it to come together. I expect that in upcoming releases the Android platform authenticator will be available over BLE to Chrome and perhaps other browsers on the desktop.

I have seen what you are proposing done via a browser extension that intercepts the WebAuthn API in the browser and implements a custom protocol to talk to a pre-registered app on a phone.

That can work, but it seems unlikely to me that it would be a broadly supported solution. Perhaps something an Enterprise might do.

If you have proposals for doing CTAP2 over push notification in an open and secure way then bring them to WebAuthn or Fido.

Regards
John B.

