Issue detecting Android phone over BLE or USB as FIDO 2 Authenticator


Rob Cordes

Dec 28, 2019, 7:18:36 AM
to FIDO Dev (fido-dev)
Hi,

I am running the latest build of Chrome on OSX Catalina (latest build) and am trying out FIDO 2 using the Duo Labs and Google demo webapp. While Chrome allows me to detect Bluetooth or USB devices, there is nothing happening on my phone (Android 9+), a Huawei P30 model. So far I can't find any settings that might prohibit CTAP2 calls over USB or Bluetooth.

Does anybody know how this is supposed to work and whether Android support for FIDO2 roaming authenticator functionality is hampered by skins of providers such as Huawei?

Thx. for the golden tip ;-)

Rob

Rick

Jan 4, 2020, 9:48:55 AM
to FIDO Dev (fido-dev)

My findings: the Android FIDO2 support announced last April is for Google accounts only. It seems to work well with my Google accounts but not so for any others. I've created a BLE Authenticator App myself, one that testing so far indicates is compatible across the board. In mine it was necessary to implement a full FIDO BLE compliant stack to address the BLE connectivity need.

Rob Cordes

Jan 4, 2020, 11:34:35 AM
to Rick, FIDO Dev (fido-dev)
Hi Rick,

Yes, I slowly came to the conclusion indeed that roaming authentication is not supported yet on Android out of the box. A Bluetooth GATT service is still required to be either built by oneself, like you did, or one waits till Google does it.

The current solution of Google is about CaBLE and that is <> CTAP2 and not released for public use and, till now, I don’t like it either. One needs to be logged in to such a service on both devices (laptop/PC and mobile).

I just wanted to use a mobile as an out-of-band 2nd or 1st factor to replace all passwords.

I just don’t get why Apple and Google just do not make very clear what their current support is and what their roadmap is.
Perhaps I did not find their intention somewhere documented yet. If there is none, then, just like Apple, I find such a way of working kind of clumsy.


Apple does not disclose at all what their roadmap is regarding fido2. I tried to have them tell me but their support desk does not know. They forwarded the question to the team responsible for it.

Amazing why Google and Apple have people chasing ghosts… Why not just make a roadmap page available where you state what you have, what u don’t and what you should have somewhere in 2020.


Anyways, I never developed Android apps before and am happy to give it a try. Do you perhaps have some documentation on how I can advertise a fido2 type of service on BLE GATT and bridge the gap to the CTAP2 API interface on Android? That would be great to get me started to try to get it working as a POC experiment. It will be good for my grey matter ;-)


Thx for the tip in any case.

Best regards,


Rob Cordes

 


Rick

Jan 4, 2020, 9:04:00 PM
to FIDO Dev (fido-dev)

As for rolling your own, it’s a very heavy lift, one I would avoid if I were you. In the alternative I suggest a little more patience as I expect by mid-year to see some App options available, perhaps even from the Android and iPhone App stores. BTW, other than for my own efforts I have no indication as to what others may be planning, I just follow the chatter and make educated guesses. 



Rob Cordes

Jan 5, 2020, 5:20:51 AM
to FIDO Dev (fido-dev)
I can relate to the heavy lifting for sure. I was actually thinking about just providing the bridge between BLE and the CTAP2 API interface, as that is what seems to be lacking. On the platform itself all works, as WebAuthn can call the CTAP2 interface directly, but from another platform over BLE GATT there is no possibility (as yet). For fun and curiosity it's okay to give the building of just that lacking part a try, but from a user experience or commercial perspective this would be a drag. No company likes to maintain an app that does nothing but bridge a gap of platform functionality on Android that is not there (yet), and no company likes to tell its end-users, except for their own staff, to have them install an app first before they can start to make use of roaming authentication.

