U2F over BLE


Magnus Berg

Apr 12, 2017, 2:46:13 AM
to FIDO Dev (fido-dev)
Hi, I'm new here, perhaps you can tell from my question below.

I'm currently looking into the prospects of using a device we're developing as an authentication token using U2F over the BLE protocol. I was first trying to add a BLE helper to the Chrome U2F extension example, but it turned out I wasn't able to scan for BLE devices from extension code because the requestDevice() function of the Web Bluetooth specification requires that it be called from a direct user action (i.e. a mouse click or similar). That user action was lost when the request was posted to the extension, so the requestDevice function refused to scan for BLE devices.

I asked the Web Bluetooth developers about this on their GitHub area and they confirmed that extensions are not supported.

So, I adapted the code so it could be used as a JavaScript library directly from the web page code, but I still need to add a pretty ugly work-around to be able to call the requestDevice function.

What I want is a more streamlined way of doing U2F over BLE. I realize the security concerns (by Web Bluetooth) are valid, but the solution to use a user action really complicates things.

Has anyone from FIDO contacted the Web Bluetooth team about this?

Fred Le Tamanoir

Apr 12, 2017, 1:43:13 PM
to Magnus Berg, FIDO Dev (fido-dev)
Hi, I'll try to reply as a simple FIDO Alliance member who is trying to develop his own U2F over BLE device too.

As far as I know, FIDO U2F over BLE has nothing to do with "Web Bluetooth"; you are not supposed to try to adapt something on your own. FIDO over BLE aims to cover Android Apps, Chrome for Android (+Authenticator) and somehow someday iOS mysterious ways. From time to time, in the past we saw alpha U2F extension for Chrome Desktop asking for Bluetooth interface but not anymore.
For now, U2F over BLE prototypes can only be tested with a few (sometimes not even public) beta Android "authenticators" applications (like the ones from Google or Feitian) and beta Android applications (like the ones from SurePassID). For compliance / testing purposes only there is this Windows tool too: https://github.com/fido-alliance/ble-conformance-tool

I'd love to hear more news about FIDO over BLE agenda from other "higher" members here too :)

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+unsubscribe@fidoalliance.org.
To post to this group, send email to fido...@fidoalliance.org.
Visit this group at https://groups.google.com/a/fidoalliance.org/group/fido-dev/.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/af072b64-3bd4-41ad-b8ba-1a015721b3f1%40fidoalliance.org.

Alexei Czeskis

Apr 12, 2017, 8:29:04 PM
to Fred Le Tamanoir, Magnus Berg, FIDO Dev (fido-dev)
Hi there,

We blocked accessing the U2F GATT service from Web Bluetooth. If we didn't, any webpage could pretend to be any other webpage and then the phishing floodgates would open.

In any case, better Bluetooth support is coming, I don't have any concrete dates to share, but it's on our radar.


Thanks!
-Alexei

________________

 . Alexei Czeskis .:. Securineer .:. 317.698.4740 .
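
The two controls discussed in the message above, as an added example that is not part of the thread and is not Chrome's or the FIDO Alliance's code: a blocklist check on the GATT services a page asks for, and a browser-mediated U2F request in which the origin is supplied by the browser rather than by the page. The function names, the one-entry blocklist and the same-origin AppID rule are assumptions made for the illustration; the U2F GATT service UUID is the 16-bit value 0xFFFD.

```javascript
// Added illustration (Node.js); names and the simplified rules are assumptions.
const { createHash } = require("crypto");

const BASE_UUID_SUFFIX = "-0000-1000-8000-00805f9b34fb";
// FIDO U2F GATT service, 16-bit UUID 0xFFFD. One-entry blocklist constructed for this example.
const BLOCKED_SERVICES = new Set(["0000fffd" + BASE_UUID_SUFFIX]);

// Expand a 16-bit alias (number, "fffd" or "0xFFFD") to the canonical 128-bit form,
// so that a blocked service cannot be requested under a different spelling.
function canonicalUuid(service) {
  if (typeof service === "number") {
    return service.toString(16).padStart(8, "0") + BASE_UUID_SUFFIX;
  }
  const s = String(service).toLowerCase().replace(/^0x/, "");
  return /^[0-9a-f]{4}$/.test(s) ? "0000" + s + BASE_UUID_SUFFIX : s;
}

// Refuse the whole request if any requested service is on the blocklist.
function checkRequestedServices(services) {
  const canonical = services.map(canonicalUuid);
  const blocked = canonical.filter((u) => BLOCKED_SERVICES.has(u));
  if (blocked.length > 0) {
    throw new Error("SecurityError: blocklisted service " + blocked.join(", "));
  }
  return canonical;
}

const sha256 = (data) => createHash("sha256").update(data).digest();

// Browser-mediated path: callerOrigin is what the browser observed, never a page-supplied value.
function buildU2fAuthParams(callerOrigin, appId, challenge) {
  // Simplification: accept only an appId on the caller's own origin
  // (the FIDO AppID and facet rules allow more cases).
  if (new URL(appId).origin !== new URL(callerOrigin).origin) {
    throw new Error("appId " + appId + " is not valid for " + callerOrigin);
  }
  const clientData = JSON.stringify({
    typ: "navigator.id.getAssertion",
    challenge,
    origin: callerOrigin,
  });
  return {
    clientData,
    challengeParameter: sha256(clientData), // 32 bytes, covered by the token's signature
    applicationParameter: sha256(appId),    // 32 bytes, scopes the key to the relying party
  };
}
```

With raw GATT access neither check would sit between the page and the token, which is the situation the blocklist prevents.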


Magnus Berg

Apr 16, 2017, 5:17:26 AM
to FIDO Dev (fido-dev), fredlet...@gmail.com, magnu...@gmail.com
Hi guys, and thanks for the info.

Ok, so I can go ahead and implement U2F in our device and do some compliance testing with the tools Fred listed.

But I was a bit worried about not seeing any desktop OS in the list of FIDO over BLE support, only Android apps, Chrome for Android and perhaps iOS.

Does that mean I won't be able to authenticate web services from Chrome on Windows/Linux/Mac? And what about other browsers?

Or is that what Alexei meant by "better bluetooth support is coming"?

Regards,

 Magnus

Fred Le Tamanoir

Apr 16, 2017, 1:54:53 PM
to Magnus Berg, FIDO Dev (fido-dev)
Regarding using U2F over BLE on web services through browsers to this day:
- no support for desktop release of Chrome browser (Windows/OSX/Linux) or any desktop browser [ But that's not the main goal of BLE support... ]
- no official support yet for Android release of Chrome browser (I heard there is an ongoing beta-soon-to-be-released-oh-we-forgot version of Google Authenticator but no news for months now... no communication... nothing... and that makes me a sad panda)
- no news about support for iOS

😥

I let Alexei restore hope after this point 😊

David Manouchehri

Apr 16, 2017, 2:51:12 PM
to Fred Le Tamanoir, Magnus Berg, FIDO Dev (fido-dev)
U2F BLE already works on Android for Google Play. Doesn't seem to be a beta (or at least I didn't opt-in to anything).



Fred Le Tamanoir

Apr 16, 2017, 2:58:12 PM
to David Manouchehri, Magnus Berg, FIDO Dev (fido-dev)
Oh, I already saw that too... but:
- That's a user setup step... so I don't think you can even use it really since I don't see any way to make a previous enrollment (have you found a way to use it?)
- My previous post was about using FIDO U2F on web services through browsers

Bảo Hoa Quốc

Apr 1, 2019, 2:05:01 AM
to FIDO Dev (fido-dev)
So far, only Chrome on Android supports CTAP BLE; this is FIDO2, not U2F. The messages transported are CBOR, which is handled within WebAuthn. U2F raw messages will be supported in CTAP2 for backward compatibility, not now. If you want to test your BLE security key with a browser, please try with Chrome on Android.