FIDO2 example on Android


Ondrej Krc-Jediny

Jun 13, 2018, 6:47:27 AM
to FIDO Dev (fido-dev)
In the RSA conference FIDO2 presentation, there is a demonstration using PayPal on Chromium on an Android phone (https://youtu.be/M30aZ2cxElo?t=789, starting at 13:10). Instead of typing in a username and password, a fingerprint is scanned for PayPal login. I understand that the FIDO2-compliant browser communicates with the sensor via the Android Fingerprint API.
My question is, who does the actual challenge signing required from FIDO2 Authenticators? Is the Fingerprint API capable of processing the whole WebAuthn get() request, or is there some other entity involved?

Thank you.

Kieun Shin

Jun 13, 2018, 7:42:38 AM
to FIDO Dev (fido-dev)
Since the fingerprint authenticator on Android is a platform authenticator, the core logic to generate keys and signatures is implemented on the Android platform itself.
Android will provide FIDO2 native APIs for native applications, and the Chrome browser for Android leverages such APIs to handle FIDO2 requests.
So, the Chrome browser does not use the Fingerprint API for its implementation.
You can refer to the following URL to get some information regarding the FIDO2 Android APIs.

Thanks.
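The division of work discussed in this thread, as an added example that is not part of either post and is not Android or Chrome code: the browser only builds `clientDataJSON`, the authenticator signs `authenticatorData || SHA-256(clientDataJSON)` with a key it holds, and the relying party verifies with the registered public key. The function names, the `example.test` relying party and the software key pair standing in for the platform authenticator are assumptions made for the demonstration.

```javascript
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Authenticator side. Simulated in software here (assumption); per the reply
// above, on Android this logic belongs to the platform, not to the browser.
function makeAuthenticator(rpId) {
  const { privateKey, publicKey } =
    crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  let signCount = 0;
  return {
    publicKey, // handed to the relying party at registration
    getAssertion(clientDataJSON) {
      // authenticatorData = rpIdHash (32) || flags (1) || signCount (4, BE)
      const authData = Buffer.alloc(37);
      sha256(rpId).copy(authData, 0);
      authData[32] = 0x05; // UP (0x01) | UV (0x04): user present and verified
      authData.writeUInt32BE(++signCount, 33);
      const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
      const signature = crypto.sign('sha256', signed, privateKey);
      return { authData, clientDataJSON, signature };
    },
  };
}

// Browser side: wraps the relying party's challenge; it never sees the key.
function buildClientData(challenge, origin) {
  return Buffer.from(JSON.stringify({
    type: 'webauthn.get',
    challenge: challenge.toString('base64url'),
    origin,
  }));
}

// Relying-party side: check what the browser claimed, then the signature.
function verifyAssertion(assertion, publicKey, expected) {
  const { authData, clientDataJSON, signature } = assertion;
  const client = JSON.parse(clientDataJSON.toString('utf8'));
  if (client.type !== 'webauthn.get') return false;
  if (client.origin !== expected.origin) return false;
  if (client.challenge !== expected.challenge.toString('base64url')) return false;
  if (!authData.subarray(0, 32).equals(sha256(expected.rpId))) return false;
  if ((authData[32] & 0x05) !== 0x05) return false; // require UP and UV
  const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, signature);
}
```

A complete relying party would also track `signCount` between logins and look up the public key by credential ID; both are omitted here.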