WebAuthn with Smart Phone (Android/iOS) as cross-platform authenticator


Mitul Vanasiwala

Dec 29, 2020, 6:17:19 AM
to FIDO Dev (fido-dev)
Dear all,

Request to help me with the use case of a user who is running a web application on their laptop or desktop and wants to use a smartphone as the cross-platform authenticator.
  • The user will attempt to sign in (would enter a username) to our web application from their laptop or desktop browser (using Chrome, Mozilla, Safari).
  • There will be an option "Use Phone as security key".
  • Once they click this option, they would be prompted on their smartphone for a fingerprint scan, a PIN or face recognition.
  • Upon successful verification, they would be logged in to our web application.
Please help me understand the process for setting up a smartphone as a cross-platform authenticator. Is this a use case that Web Authentication supports?

What actually is caBLE, and how is it related to QR scanning?

I am not able to set up the browser and smartphone as a cross-platform authenticator using BLE on the demos (https://webauthn.bin.coffee/, https://webauthn.io/).
I have already tried enabling the following on Chrome:
Any information on the above use-case and current status would be very helpful.

Thanks & Regards,
Mitul V 



Mitul Vanasiwala

Jan 4, 2021, 5:39:21 AM
to FIDO Dev (fido-dev), Mitul Vanasiwala
Dear all,

Can anyone please provide an update on the trailing email?

Regards,
Mitul V

Adam Langley

Jan 4, 2021, 12:53:59 PM
to FIDO Dev (fido-dev), mit...@njgroup.in
On Monday, January 4, 2021 at 2:39:21 AM UTC-8 mit...@njgroup.in wrote:
I am not able to set up the browser and smartphone as a cross-platform authenticator using BLE on the demos (https://webauthn.bin.coffee/, https://webauthn.io/).
I have already tried enabling the following on Chrome:

As you note, you can play with unlaunched experiments in Chrome using the first of those flags. (The second is unrelated.) If you want something to potentially work then you should be sure to use Chrome Canary on both the desktop and Android phone, to match the Chrome versions exactly, not use Linux on the desktop, and to use the Settings > Passwords > Use phone as a security key option on the Android device.

However, we have nothing further to note in public at this time. I'm aware that these experiments have been ongoing for some time and I share the frustration. So far the progress has been in the form of learning what doesn't work.


Cheers

AGL

Mitul Vanasiwala

Jan 4, 2021, 11:48:13 PM
to FIDO Dev (fido-dev), alan...@gmail.com, Mitul Vanasiwala
Dear AGL,

Thank you so much for the response.

So what I understood is that currently there are implementation challenges with CTAP. Will CTAP over BLE with a cross-platform authenticator cause any issues, or is it currently not recommended to use CTAP over BLE?

Can I use an out-of-band authentication mechanism (FIDO server <----> mobile device), like push-based or QR-based, till CTAP over BLE becomes stable?

Basically we are reviewing the feasibility of implementing FIDO2 (WebAuthn + UAF). Can you help us with a broad overview of the issues that we might face if we go ahead and implement it?

Thanks & Regards,
Mitul V

Adam Langley

Jan 5, 2021, 12:08:03 PM
to Mitul Vanasiwala, FIDO Dev (fido-dev)
On Mon, Jan 4, 2021 at 8:48 PM Mitul Vanasiwala <mit...@njgroup.in> wrote:
So what I understood is that currently there are implementation challenges with CTAP. Will CTAP over BLE with a cross-platform authenticator cause any issues, or is it currently not recommended to use CTAP over BLE?

caBLEv2 uses BLE, but is not simply CTAP2-over-BLE because of the issues we observed when trying something like that.
 
Can I use an out-of-band authentication mechanism (FIDO server <----> mobile device), like push-based or QR-based, till CTAP over BLE becomes stable?

An important property of FIDO is the proof of proximity. USB, NFC, BLE, etc either have limited range or require a direct connection. A simple push notification to a phone would not suffice.
 
Basically we are reviewing the feasibility of implementing FIDO2 (WebAuthn + UAF). Can you help us with a broad overview of the issues that we might face if we go ahead and implement it?

We (Chrome) continue to work on making phone-as-a-security-key reliable and suitable for the wider Web, but it's taking a while and we only expect to document and standardise things once we have something that's working.


Cheers

AGL

Mitul Vanasiwala

Jan 6, 2021, 4:22:46 AM
to Adam Langley, FIDO Dev (fido-dev)
Hi AGL,

Thank you for making things clear.

So can we use the platform authenticator / inbuilt authenticator on desktop/laptop and Android/iOS devices? I believe the current limitations and challenges are only with roaming / cross-platform authenticators. If we use a platform authenticator, caBLE / BLE / NFC / push can be eliminated and we can at least give our clients a passwordless experience on mobile and desktop / laptop (with the inbuilt authenticator).

The use case will be:
  • A user running our web application on a mobile device or laptop wants to use that device as the platform authenticator.
  • The user will attempt to sign in (would enter a username) to our web application from the mobile or laptop browser (using Chrome, Mozilla, Safari).
  • There will be an option "Use Phone as security key".
  • Once the user clicks this option, the user would be prompted on his/her mobile / laptop for a fingerprint scan, a PIN or face recognition.
  • Upon successful verification, the user would be logged in to our web application.
  • Also the same process for the mobile application as well.
Do we currently have any limitations on using a platform authenticator?

Thanks & regards,
Mitul V


Arshad Noor

Jan 6, 2021, 4:44:24 AM
to Mitul Vanasiwala, FIDO Dev (fido-dev)
There are no constraints in the FIDO2 protocol on using any kind of
Authenticator on any kind of platform for FIDO registration and
authentications (as long as it meets the protocol requirements).

However, if you choose to use a specific capability on a platform for
your FIDO Authenticator, you have to determine if the attestation
provided by that Authenticator is satisfactory to the RP. An
Authenticator is only as good as the attestation it provides during the
registration process.

Arshad Noor
StrongKey

On 1/6/21 1:22 AM, 'Mitul Vanasiwala' via FIDO Dev (fido-dev) wrote:
> Hi AGL,
>
> Thank you for making things clear.
>
> So can we use the platform authenticator / inbuilt authenticator on
> desktop/laptop and Android/iOS devices? I believe the current
> limitations and challenges are only with roaming / cross-platform
> authenticators. If we use a platform authenticator, caBLE / BLE / NFC /
> push can be eliminated and we can at least give our clients a passwordless
> experience on mobile and desktop / laptop (with the inbuilt authenticator).
>
> The use case will be:
>
> * A user running our web application on a mobile device or laptop
> wants to use that device as the platform authenticator.
> * The user will attempt to sign in (would enter a username) to our web
> application from the mobile or laptop browser (using Chrome,
> Mozilla, Safari).
> * There will be an option "Use Phone as security key".
> * Once the user clicks this option, the user would be prompted on
> his/her mobile / laptop for a fingerprint scan, a PIN or face
> recognition.
> * Upon successful verification, the user would be logged in to our web
> application.
> * Also the same process for the mobile application as well.

Mitul Vanasiwala

Jan 6, 2021, 5:25:32 AM
to Arshad Noor, FIDO Dev (fido-dev)
Hi Arshad,

Yes, but using smartphones as roaming / cross-platform authenticators currently has limitations and challenges (caBLE, etc.).

Hence I wanted to understand if platform (internal) authenticators have any known implementation challenges or not.

Regards,
Mitul V

Arshad Noor

Jan 6, 2021, 5:38:01 AM
to Mitul Vanasiwala, FIDO Dev (fido-dev)
That would depend on the business use-case and how much security (trust)
a relying party needs to have in that implementation, Mitul.

Speaking of my understanding of Android, there are various degrees of
security and privacy you can achieve - each with their own
implementation challenges that must be addressed:

https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient

https://developer.android.com/training/articles/security-key-attestation

https://source.android.com/security/protected-confirmation

There are pros and cons with each approach - but you need to begin with
the business requirements for security & privacy, and then analyze which
approach provides the optimal solution for the use-case. That analysis
and discussion is, unfortunately, not feasible on a forum like this.

Arshad Noor
StrongKey

Adam Langley

Jan 6, 2021, 12:26:10 PM
to Mitul Vanasiwala, FIDO Dev (fido-dev)
On Wed, Jan 6, 2021 at 1:22 AM Mitul Vanasiwala <mit...@njgroup.in> wrote:
Hi AGL,

Thank you for making things clear.

So can we use the platform authenticator / inbuilt authenticator on desktop/laptop and Android/iOS devices? I believe the current limitations and challenges are only with roaming / cross-platform authenticators. If we use a platform authenticator, caBLE / BLE / NFC / push can be eliminated and we can at least give our clients a passwordless experience on mobile and desktop / laptop (with the inbuilt authenticator).

The use case will be:
  • A user running our web application on a mobile device or laptop wants to use that device as the platform authenticator.
  • The user will attempt to sign in (would enter a username) to our web application from the mobile or laptop browser (using Chrome, Mozilla, Safari).
  • There will be an option "Use Phone as security key".
  • Once the user clicks this option, the user would be prompted on his/her mobile / laptop for a fingerprint scan, a PIN or face recognition.
  • Upon successful verification, the user would be logged in to our web application.
  • Also the same process for the mobile application as well.
Do we currently have any limitations on using a platform authenticator?

I can only speak to Android, but the platform authenticator should work fine there. The biggest known limitation is the lack of support for discoverable credentials but the flow that you outlined would not need them.


Cheers

AGL 
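Added example, not code from the thread: browser-side helpers for the username-first, platform-authenticator flow that the reply above says needs no discoverable credentials. The server endpoints /webauthn/login/options and /webauthn/login/verify, the JSON shapes they exchange and the base64url encoding of binary fields are assumptions for illustration; the WebAuthn calls themselves (navigator.credentials.create/get, PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable) are the standard API. Registration pins the credential to the platform authenticator with userVerification "required" but residentKey "discouraged"; login sends the username first, so the server can return that user's credential IDs in allowCredentials and the authenticator never has to find the credential on its own.

```javascript
// Added example: username-first WebAuthn login against the device's platform
// authenticator, with no discoverable (resident) credential required.
// Server endpoints and JSON shapes below are assumed, not from the thread.

const B64URL = "ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_";

// base64url <-> bytes without atob/Buffer, so the same code runs in a browser and in Node.
function bytesToBase64url(bytes) {
  let out = "";
  for (let i = 0; i < bytes.length; i += 3) {
    const b1 = bytes[i + 1], b2 = bytes[i + 2];
    const n = (bytes[i] << 16) | ((b1 ?? 0) << 8) | (b2 ?? 0);
    out += B64URL[(n >> 18) & 63] + B64URL[(n >> 12) & 63];
    if (b1 !== undefined) out += B64URL[(n >> 6) & 63];
    if (b2 !== undefined) out += B64URL[n & 63];
  }
  return out;
}
function base64urlToBytes(s) {
  const bytes = [];
  let acc = 0, bits = 0;
  for (const ch of s) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error("invalid base64url input");
    acc = ((acc << 6) | v) & 0xffff; bits += 6;
    if (bits >= 8) { bits -= 8; bytes.push((acc >> bits) & 0xff); }
  }
  return new Uint8Array(bytes);
}

// Registration: bind the credential to this device's platform authenticator and
// require user verification, but do NOT demand a resident key; the username-first
// login below never needs one. serverOptions comes from an assumed registration endpoint.
function buildCreationOptions(serverOptions) {
  return {
    rp: serverOptions.rp,                                  // { id, name }
    user: { id: base64urlToBytes(serverOptions.user.id), name: serverOptions.user.name,
            displayName: serverOptions.user.displayName },
    challenge: base64urlToBytes(serverOptions.challenge),
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: { authenticatorAttachment: "platform",
                              userVerification: "required", residentKey: "discouraged" },
    attestation: serverOptions.attestation ?? "none",
    timeout: 60000,
  };
}

// Login: the server looked the username up and returned that user's credential IDs,
// so allowCredentials is non-empty and no discoverable credential is needed.
function buildAssertionOptions(serverOptions) {
  if (!serverOptions.allowCredentials?.length) {
    throw new Error("username-first flow needs the user's credential IDs from the server");
  }
  return {
    challenge: base64urlToBytes(serverOptions.challenge),
    rpId: serverOptions.rpId,
    userVerification: "required",                          // PIN/biometric, not just a touch
    allowCredentials: serverOptions.allowCredentials.map((c) => ({
      type: "public-key", id: base64urlToBytes(c.id), transports: ["internal"],
    })),
    timeout: 60000,
  };
}

// Convert the ArrayBuffer fields of a PublicKeyCredential into JSON for the server.
function serializeAssertion(credential) {
  const r = credential.response;
  const enc = (buf) => (buf ? bytesToBase64url(new Uint8Array(buf)) : null);
  return {
    id: credential.id, type: credential.type, rawId: enc(credential.rawId),
    response: { clientDataJSON: enc(r.clientDataJSON), authenticatorData: enc(r.authenticatorData),
                signature: enc(r.signature), userHandle: enc(r.userHandle) },
  };
}

// Browser entry point against the assumed endpoints. Only runs when called from a page.
async function loginWithPlatformAuthenticator(username) {
  if (!window.PublicKeyCredential ||
      !(await PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable())) {
    throw new Error("this device has no user-verifying platform authenticator");
  }
  const post = (url, body) => fetch(url, { method: "POST",
    headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) });
  const serverOptions = await (await post("/webauthn/login/options", { username })).json();
  const credential = await navigator.credentials.get({ publicKey: buildAssertionOptions(serverOptions) });
  const verified = await post("/webauthn/login/verify", serializeAssertion(credential));
  if (!verified.ok) throw new Error("server rejected the assertion");
  return verified.json();
}
```

Wire loginWithPlatformAuthenticator(username) to the "Use Phone as security key" button after the username field has been filled; the availability check lets the page fall back to another method on devices without a user-verifying platform authenticator, and the server must still verify the challenge, origin, rpIdHash, UV flag and signature on the posted assertion before creating a session.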