Android SafetyNet Authenticator returns an empty userHandle on assertionCeremony


Cyril Labbe

Sep 4, 2020, 10:18:57 AM
to FIDO Dev (fido-dev)
Hello,

I don't get why Android SafetyNet Authenticator (the platform authenticator on Android > 7) keeps sending an empty user handle on assertion ceremonies, whereas the exact same procedure on Windows Hello or a YubiKey does send it back filled.

The authenticator was selected with residentKeyRequired during attestationCeremony and is fido-certified as "fido2", so where is the trap?

Thank you for any insight on this issue!
Best regards

Shane Weeden

Sep 4, 2020, 4:56:32 PM
to Cyril Labbe, FIDO Dev (fido-dev)
Last time I checked, the Android authenticator does not support resident keys and therefore doesn't have a copy of the user handle.


Shane Weeden

Sep 4, 2020, 5:22:24 PM
to Cyril Labbe, FIDO Dev (fido-dev)
Let me clarify - whilst you can actually complete the attestation ceremony with requiredResidentKey: true, if you then try to perform an authentication ceremony with an empty allowCredentials list on Android, you get an error "NotSupportedError: Use of an empty `allowCredentials` list is not supported on this device."

Cyril Labbe

Sep 5, 2020, 5:16:38 AM
to FIDO Dev (fido-dev), Shane Weeden, FIDO Dev (fido-dev), Cyril Labbe
Thank you for your answer, now I get it.
So the "tricky" part is that one can complete the attestation ceremony with requiredResidentKey: true on the Android authenticator whereas it does not support resident keys. Seems misleading, doesn't it?
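An added example, not part of the thread or of any project's code: one way a relying party can resolve the account for an assertion when the authenticator returns an empty user handle, as discussed above. The function name, store layout, session fields and sample IDs are all hypothetical, and signature verification is assumed to happen elsewhere.

```javascript
// Constructed sample data: credential ID -> record kept by the relying party.
const credentialStore = new Map([
  ["cred-android-01", { userHandle: "dXNlci0x" }], // non-resident credential
  ["cred-yubikey-02", { userHandle: "dXNlci0y" }], // resident credential
]);

// Hypothetical helper. `session.allowCredentials` is the list sent in the
// request ([] for a username-less flow); `session.expectedUserHandle` is the
// account identified before the ceremony, or null.
function resolveAssertionUser(assertion, session, store = credentialStore) {
  const record = store.get(assertion.credentialId);
  if (!record) return { ok: false, reason: "unknown-credential" };

  if (session.allowCredentials.length > 0 &&
      !session.allowCredentials.includes(assertion.credentialId)) {
    return { ok: false, reason: "credential-not-allowed" };
  }

  // An authenticator without a resident key returns an empty or absent handle.
  const returned = assertion.userHandle ? assertion.userHandle : null;

  if (session.expectedUserHandle) {
    // User already identified: ownership is proven by the stored record,
    // so an empty handle is acceptable, but a present one must agree.
    if (record.userHandle !== session.expectedUserHandle) {
      return { ok: false, reason: "credential-not-owned-by-user" };
    }
    if (returned !== null && returned !== record.userHandle) {
      return { ok: false, reason: "user-handle-mismatch" };
    }
    return { ok: true, userHandle: record.userHandle };
  }

  // Username-less flow: the returned handle is the only account identifier.
  if (returned === null) return { ok: false, reason: "user-handle-required" };
  if (returned !== record.userHandle) {
    return { ok: false, reason: "user-handle-mismatch" };
  }
  return { ok: true, userHandle: returned };
}
```

With this split, an empty handle is tolerated only when the user was identified first and the credential ID was in the allow list; a username-less login without a handle is rejected rather than guessed.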