a passkey query


Rick

Mar 11, 2024, 10:14:34 AM
to FIDO Dev (fido-dev)
Android makes use of notifications for passkey challenge and response. Is FCM the protocol used? If not, what is the protocol?

Does Google plan to add BLE support to Android passkey?

Does Apple plan to add notifications as an option to iOS passkey?

 


Tim Cappalli

Mar 12, 2024, 8:21:33 AM
to FIDO Dev (fido-dev), Rick
Apparently I never hit reply all. Resending to the list.

Just to be more crisp with terminology here, both Android and iOS support FIDO Cross-Device Authentication. CDA has an optional mode which allows an authenticator to be persistently linked with the platform. The QR code is used to initially link the client and authenticator. If the authenticator doesn't support linking, the QR code is displayed every time. If the device supports linking, the remote authenticator can automatically be invoked. How the remote authenticator handles this invocation and how it is presented to the user is authenticator-specific. 

tl;dr, please avoid calling it "notifications for passkey challenge and response" as that is not really what is happening. It is just CDA with a linked device.

rjhal...@gmail.com

Mar 16, 2024, 6:40:56 AM
to Tim Cappalli, FIDO Dev (fido-dev)

In regard to my poorly worded question, my interest was in learning if a push-like notification protocol was used as part of the passkey authentication ceremony. It arises from my research into the passkey authentication security risk landscape. While forcing errors and failures I came upon dialogs including the word “notification” in their messages. And as it happens, yes, push notification is employed in some passkey modes.

My follow-on question in regard to protocol used remains unanswered.

So, there you have it, and thank you for yours.

BTW, CDR is a recognized passkey mode; there are others. Whether its optional QR code is suggestive of a protocol or not may be splitting hairs. The QR code is used to deliver a “fido:/” URI and, as I understand it, that URI is used by the passkey authenticator to establish a network session with a server for the purpose of exchanging authentication challenge and response.

Tim Cappalli

Mar 16, 2024, 9:50:50 AM
to Rick, FIDO Dev (fido-dev)
There is no "push notification protocol" for FIDO Cross-Device Authentication. 

tim

Sourav Dhiman

Mar 17, 2024, 7:51:22 AM
to Tim Cappalli, Rick, FIDO Dev (fido-dev)
ale a satatione

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACZ9TyCGSY%3DOaGo%2BKtZD2U38UN6WqmByXa4dm8tgE2i9DmM5sw%40mail.gmail.com.

Sourav Dhiman

Mar 17, 2024, 7:52:25 AM
to Tim Cappalli, Rick, FIDO Dev (fido-dev)
Faizabaid

Joshua Zhao

Mar 18, 2024, 1:23:54 PM
to FIDO Dev (fido-dev), rjhal...@gmail.com, Tim Cappalli
Are you asking about the caBLE (Cloud-Assisted BLE) protocol? The linked authenticators are just long-term connections via caBLE. I suspect that push notifications are utilized to reactivate the long-term connection.

rjhal...@gmail.com

Mar 19, 2024, 7:06:41 AM
to Joshua Zhao, FIDO Dev (fido-dev), Tim Cappalli

Joshua,

Correct, it appears the framework is caBLE while the underlying protocols are Web Bluetooth, BLE and an as yet unknown/undocumented network protocol. In addition to the exchanges between the Web App and the caBLE cloud over the internet, and the exchange between the Web App and the passkey device over BLE, there is also an exchange between the passkey device and, I’m guessing, the caBLE cloud. It is the latter that I believe for the moment is initiated by the caBLE cloud. It is thought to be a necessary component providing a way for the caBLE cloud to learn the present random BLE address. That would be necessary for caBLE to do its job to fulfill the Web App request. I alone, I guess, consider this exchange initiated by caBLE to be a form of “push” notification from caBLE to the passkey device (just me splitting hairs 😊).

BTW, pointing me to caBLE specifications would be appreciated.

Rick

Yehua Tmah

Mar 19, 2024, 7:20:54 AM
to rjhal...@gmail.com, Joshua Zhao, FIDO Dev (fido-dev), Tim Cappalli

Yehua Tmah

Mar 19, 2024, 7:23:14 AM
to rjhal...@gmail.com, Joshua Zhao, FIDO Dev (fido-dev), Tim Cappalli
9890682168176243-1.pdf

Tim Cappalli

Mar 19, 2024, 3:02:33 PM
to rjhal...@gmail.com, Joshua Zhao, FIDO Dev (fido-dev)
FIDO Cross-Device Authentication uses CTAP 2.2 with hybrid transport. As I mentioned earlier, message delivery to linked devices is platform-specific.


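Tim's pointer to CTAP 2.2 hybrid transport and Rick's description of the "fido:/" QR URI can be made concrete. The block below is an added example, not code from this thread or from any FIDO implementation: the QR map's key layout (0 key, 1 secret, 2 tunnel-domain count, 5 operation hint) and the 7-bytes-to-17-decimal-digits encoding are my reading of the CTAP 2.2 hybrid transport section and should be checked against the spec, and the key and secret values used are constructed.

```python
# CTAP 2.2 hybrid transport QR payload: digit encoding and CBOR map, per my reading of the spec.
CHUNK_DIGITS = {7: 17, 1: 3, 2: 5, 3: 8, 4: 10, 5: 13, 6: 15}   # chunk bytes -> digits (2**56 < 10**17)
DIGITS_CHUNK = {v: k for k, v in CHUNK_DIGITS.items()}

def digit_encode(data: bytes) -> str:
    parts = [data[i:i + 7] for i in range(0, len(data), 7)]          # little-endian 7-byte chunks
    return "".join(str(int.from_bytes(p, "little")).zfill(CHUNK_DIGITS[len(p)]) for p in parts)

def digit_decode(digits: str) -> bytes:
    parts = [digits[i:i + 17] for i in range(0, len(digits), 17)]
    return b"".join(int(p).to_bytes(DIGITS_CHUNK[len(p)], "little") for p in parts)

def _head(major: int, n: int) -> bytes:  # CBOR initial byte(s) for n < 256
    return bytes([major << 5 | n]) if n < 24 else bytes([major << 5 | 24, n])

def cbor_encode(v) -> bytes:
    """Minimal CBOR: uint, bytes, text (all < 256) and maps of those, enough for the QR map."""
    if isinstance(v, int): return _head(0, v)
    if isinstance(v, bytes): return _head(2, len(v)) + v
    if isinstance(v, str): return _head(3, len(v.encode())) + v.encode()
    return _head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())

def cbor_decode(buf: bytes, pos: int = 0):  # -> (value, next_pos); anything outside the subset is rejected
    major, info, pos = buf[pos] >> 5, buf[pos] & 0x1F, pos + 1
    if info < 24: n = info
    elif info < 28: w = 1 << (info - 24); n = int.from_bytes(buf[pos:pos + w], "big"); pos += w
    else: raise ValueError("unsupported CBOR header")
    if major == 0: return n, pos
    if major == 2: return bytes(buf[pos:pos + n]), pos + n
    if major == 3: return buf[pos:pos + n].decode(), pos + n
    if major != 5: raise ValueError(f"unsupported CBOR major type {major}")
    d = {}
    for _ in range(n): k, pos = cbor_decode(buf, pos); d[k], pos = cbor_decode(buf, pos)
    return d, pos

def build_qr(pubkey: bytes, qr_secret: bytes, tunnel_domains: int, op_hint: str = "ga") -> str:
    """Client side; keys: 0 compressed P-256 key, 1 QR secret, 2 tunnel-server domain count, 5 op hint."""
    return "FIDO:/" + digit_encode(cbor_encode({0: pubkey, 1: qr_secret, 2: tunnel_domains, 5: op_hint}))

def parse_qr(uri: str) -> dict:
    """Authenticator side: validate the scanned URI before any tunnel or BLE activity starts."""
    if uri[:6].upper() != "FIDO:/" or not ((digits := uri[6:]).isascii() and digits.isdigit()):
        raise ValueError("not a FIDO hybrid-transport QR")
    try:
        payload, end = cbor_decode(raw := digit_decode(digits))
    except (IndexError, KeyError, OverflowError, UnicodeDecodeError) as exc:   # truncated or corrupted
        raise ValueError("malformed hybrid QR payload") from exc
    if (end != len(raw) or not isinstance(payload, dict) or len(payload.get(0, b"")) != 33
            or len(payload.get(1, b"")) != 16 or payload.get(5) not in ("ga", "mc")):
        raise ValueError("malformed or truncated hybrid QR payload")
    return {"pubkey": payload[0], "qr_secret": payload[1], "tunnel_domains": payload[2], "op": payload[5]}
```

Validating the payload up front is the defender's step: a malformed or truncated QR is rejected before the authenticator contacts any tunnel server or starts BLE advertising.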