FIDO2 browser vs FIDO2 platform


kickoff 2017

May 9, 2019, 12:04:03 PM
to FIDO Dev (fido-dev)
Hi everyone,

I'm new to FIDO here. My understanding is:
1. FIDO2 = CTAP + WebAuthn, so FIDO2 is for web apps only.
2. Through FIDO2, a web app can use a platform embedded authenticator and/or a U2F external authenticator.

But I read things like "Android is a FIDO2 platform". Does this mean I can have an Android native app that uses a platform embedded authenticator and/or a U2F external authenticator? How does it work for a native app if FIDO2 is based on WebAuthn?

Thank you for your help.

Best,
Qing

Bao Hoa

May 9, 2019, 12:52:47 PM
to FIDO Dev (fido-dev)
Hi,

Basically, FIDO-compliant systems consist of 3 components: FIDO Authenticator, FIDO Client, FIDO Server. Note that:
- A FIDO Authenticator can be a mobile application or a hardware token.
- A FIDO Client can be a mobile app or a web browser.
- The FIDO Authenticator talks with the FIDO Client by CTAP (USB, Bluetooth or NFC).
- In case the FIDO Authenticator and the FIDO Client are on the same device, we call it a Platform Authenticator. For instance, the Android Authenticator is a Platform Authenticator.
- The FIDO Client talks with the FIDO Server. There may be intermediate servers between the FIDO Client and the FIDO Server.

FIDO2 is an extension of FIDO for web-based authentication. FIDO2 comes with the WebAuthn library and convinces browser vendors to support it. CTAP has been known since FIDO UAF and FIDO U2F. FIDO2, which comes with WebAuthn, also supports CTAP. In addition, WebAuthn also supports CTAP2, which is for backward compatibility with U2F.

Android devices now have an attestation key injected, which is used for FIDO key registration. I believe Android also supports APIs to implement the Authenticator feature. That is to say, we can make a FIDO authenticator as a mobile application.

kickoff 2017

May 10, 2019, 2:12:45 PM
to FIDO Dev (fido-dev)
Thank you very much for the fast & clear response. Could you go through my questions one by one and tell me if I get it right?

1. A platform authenticator can be a mobile native app or a hard token.
2. An external authenticator can be a mobile native app or a hard token.
3. A FIDO client can be a mobile native app or a web browser.
4. A FIDO client can work with both a platform authenticator and an external authenticator.

5. For a web app FIDO client to work with a FIDO platform authenticator or external authenticator, the browser has to support FIDO2.
6. For a mobile native app FIDO client to work with a FIDO platform authenticator or external authenticator, the mobile operating system has to support FIDO2.
7. To write a FIDO platform authenticator as a mobile native app running on Android or iOS, the mobile operating system has to support FIDO or I have to use a 3rd-party FIDO SDK.
8. To write a FIDO external authenticator as a mobile native app running on Android or iOS, the mobile operating system has to support FIDO2 or I have to use a 3rd-party FIDO2 SDK.

Again, many thanks for the help here.
Qing

Bao Hoa

May 27, 2019, 3:39:36 AM
to FIDO Dev (fido-dev)
Hi Kickoff,

I drew this picture; hope it helps.

[attached image: Screen Shot 2019-05-27 at 3.31.06 PM.png]

Note that the roaming authenticator can be done in Android for sure. However, it cannot be done in iOS because of one issue for which I am still waiting for the next FIDO action. The issue is that CoreBluetooth doesn't allow us to advertise with the Service Data field (0x16).

kickoff 2017

May 29, 2019, 3:52:40 AM
to FIDO Dev (fido-dev)
Thank you so much. The diagram is very helpful!

John Bradley

May 29, 2019, 10:48:47 AM
to fido...@fidoalliance.org

The platform authenticator is not really an app in the traditional sense.

On Android and Windows it is part of the OS (GMS in the Android case), and uses a TPM or other hardware storage to protect keys.

In some cases browsers (Chrome) have built a platform authenticator into the browser on platforms that don't natively provide one (yet), like OSX.

A platform authenticator could also be a roaming authenticator to another computer via CTAP over BLE, NFC or USB.

The Android platform authenticator can also be a roaming authenticator to Chrome on OSX or Windows via BLE.

So in a given circumstance an authenticator may be acting as roaming or platform via the WebAuthn API from the perspective of the browser; however, the authenticators themselves might be capable of doing both.

The language can be a bit confusing :)

John B.
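An added example (not from this thread or from any FIDO project code) of how John's point looks from the relying party's side of the WebAuthn API: the RP can only state a preference for a platform or cross-platform (roaming) authenticator in the creation options, and learns which role the device actually played from the returned credential. The rpId, user values and the `sampleFromPhoneOverBle` credential object are constructed stand-ins for what `navigator.credentials.create()` would return for an Android phone used over BLE from a laptop browser.

```javascript
// Build PublicKeyCredentialCreationOptions for navigator.credentials.create().
// `attachment` is "platform", "cross-platform" or undefined (let the browser/OS decide).
function buildCreationOptions({ rpId, rpName, userId, userName, challenge, attachment }) {
  const options = {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,                                              // server-generated random bytes
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],    // ES256 (COSE algorithm id)
    timeout: 60000,
    attestation: "direct",                                  // ask for the attestation statement
    authenticatorSelection: { userVerification: "preferred" },
  };
  if (attachment) options.authenticatorSelection.authenticatorAttachment = attachment;
  // A platform authenticator keeps the key on the device itself, so when we ask for one
  // we also ask for a discoverable (resident) credential.
  if (attachment === "platform") options.authenticatorSelection.residentKey = "required";
  return options;
}

// Classify what the browser actually used. The same physical device can show up as
// "platform" in its own browser and as "cross-platform" over BLE/hybrid from another
// computer; the RP must read the result, not assume the preference was honoured.
function classifyAuthenticator(credential) {
  const transports = typeof credential.response.getTransports === "function"
    ? credential.response.getTransports()
    : [];
  const attachment = credential.authenticatorAttachment ?? null;
  const roaming = attachment === "cross-platform"
    || transports.some((t) => ["usb", "nfc", "ble", "hybrid"].includes(t));
  return { attachment, transports, kind: roaming ? "roaming" : "platform" };
}

// Constructed sample: an Android phone acting as a roaming authenticator to a laptop
// browser over BLE (the case John describes). Not a real credential.
const sampleFromPhoneOverBle = {
  id: "constructed-credential-id",
  type: "public-key",
  authenticatorAttachment: "cross-platform",
  response: { getTransports: () => ["ble", "hybrid"] },
};
```

In a real page, `classifyAuthenticator` would be fed the object resolved by `navigator.credentials.create(buildCreationOptions(...))`; here it is run on the constructed sample only.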


Tom Scavo

May 29, 2019, 11:04:06 AM
to John Bradley, fido...@fidoalliance.org
Thanks John. Can you give a brief update on iOS, including any workarounds that may exist?

Tom


chirag shah

Jun 4, 2020, 3:47:23 PM
to FIDO Dev (fido-dev)
So just one more question.
Based on the diagram that Bao showed here, can we say that if I have a device which is relatively old and has nothing to do with FIDO2, but the browser on that device is very up-to-date, I can accomplish FIDO2 authentication and registration?

John Bradley

Jun 4, 2020, 6:36:44 PM
to fido...@fidoalliance.org

The diagram is correct.

Depending on the platform, in some cases the client is in the browser and on others it is part of the OS.

On Windows 10 the client is part of the OS and exposes an API for browsers and apps to use.

On Android 7+ it is part of GMS (AKA Google Play) and exposes a WebAuthn-like API to browsers and apps (browsers have more privileges than apps).

So depending on the browser and platform, yes.

Chrome or the new Edge should work for you on most platforms, but you may be out of luck on really old Android or moderately old iOS.

Regards

John B.
