Use of mobile as hardware security key


rahul jha

Dec 16, 2021, 9:42:39 AM
to FIDO Dev (fido-dev)
Hi All,

I am working on a POC to understand some of the requirements to use a mobile as a hardware security key using FIDO2 authentication.
Below are a few queries where I need some help.
1. Can I use an iPhone as a mobile hardware security key without developing any other application, like some of the advanced Google phones already do?
2. Can we use NFC in place of Bluetooth in the iPhone to remove any third-party API dependency?
3. We want to use both iOS and Android to act as a security key without any other application.
4. If a user tries to log in from the same mobile using a browser or any application where the key is stored, how will it work?
5. Do we have any organization that is using a mobile as a hardware security key?


I am looking for responses to all the above queries, and any help is appreciated.

Regards
Rahul Jha

Philipp Junghannß

Dec 16, 2021, 10:43:48 AM
to rahul jha, FIDO Dev (fido-dev)
Yes, Android and iOS can work as a security key with the WebAuthn protocol; however, they can only do that for themselves yet, and not for any other device, meaning if you browse to a site in the browser on the phone or tablet you can use them, but sadly not in conjunction with a PC or other device.


rahul jha

Dec 16, 2021, 10:56:01 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), rahul jha
Hi,

Hasn't Google implemented Titan in its Google Pixel phones, where a user can use that as a security key without having another external key?

I am looking for a similar set of implementation for iPhones as well.

Regards,

Mohamed Elkhalafy

Dec 16, 2021, 11:01:23 AM
to rahul jha, FIDO Dev (fido-dev), My1

rahul jha

Dec 16, 2021, 11:18:06 AM
to Mohamed Elkhalafy, FIDO Dev (fido-dev), My1
Do we need to make any configuration changes? How can we send an authentication request to an iPhone without using any application?

Sent from my iPhone

On 16-Dec-2021, at 9:31 PM, Mohamed Elkhalafy <msms...@gmail.com> wrote:



Arshad Noor

Dec 16, 2021, 9:20:55 PM
to rahul jha, FIDO Dev (fido-dev)
Rahul,

FIDO/WebAuthn is becoming fairly confusing - and it is likely to get
more so in the future. :-(

That said, here is what is possible currently:

Working with native, Rich Client Apps (RCA) on mobile devices
-------------------------------------------------------------

1) Using the open-source library at
https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl, you
can use any Android 9+ phone with a built-in Authenticator, biometrics
(and the Titan chip on Pixel 3a or greater phones) with Android Key
Attestation. On phones without Titan, it will use the TEE. There is an
end-to-end sample app that demonstrates the capability using the sample
back-end applications in that folder, when used with the FIDO Certified
open-source FIDO server at https://github.com/StrongKey/fido2. However,
at this time, it does not work with browser-based web-apps on the mobile
device - just native, rich-client apps (RCA);

2) Using the Passkey API, you can check out the sample, native (RCA)
open-source iOS app that works as long as you have an Apple Developer Id
- the API is only accessible in Developer mode currently. Once Apple
releases Passkey into production, we will update the app and make it
available in the iTunes app-store. Keys generated on the iPhone's Secure
Enclave will work with RCA or Safari web-apps.

Authenticating with mobile when using desktop/laptop web-apps
-------------------------------------------------------------

3) While there are lots of demonstrations from FIDO Alliance members on
how to authenticate with your mobile authenticator when using a
web-application on your desktop/laptop (communicating with the mobile
over BLE, etc.), to the best of my knowledge, nothing is available in
production mode/quality - they still remain a work-in-progress; but I
could be wrong about this;

4) However, using the Android/iOS examples from above, it would be
trivial to build an RCA (that must be installed on the mobile), to
receive a challenge from a FIDO server when a user attempts to login on
a desktop/laptop with a browser, and send a digital signature response
from the mobile using the embedded FIDO credential (Titan/TEE/Secure
Enclave), that allows the FIDO server to authenticate the user and send
a signed JWT session token to the desktop/laptop browser. This flow
authenticates the user with stronger FIDO2 security than OTP, TOTP or
whatever *P you come up with, to the web-application.

5) As an incentive, the same RCA on the mobile can also be used to
generate digital signatures for *business transactions* that originate
either on the desktop/laptop or on the mobile. For payment apps, the
FIDO server I referenced above will even return JSON after verifying the
digital signature on the transaction, that enables compliance with
regulations such as PSD2 for frictionless, Strong Customer
Authentication (SCA). No BLE or NFC required.

This POC is all ready to be demonstrated after mere setup and
compilation - no coding required. Hope that helps.

Arshad Noor
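The cross-device flow sketched in point (4), as an added example in Go using only the standard library; it is not code from the StrongKey project or from anyone in this thread. The names Challenge, IssueChallenge, MobileSign, ServerVerify and NewCredential are constructed, a P-256 key stands in for the Titan/TEE/Secure Enclave credential, and an HS256 JWT stands in for the server's signed session token.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/hmac"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
)

type Challenge struct {
	Session, RPID string
	Nonce         []byte // fresh per login attempt, bound to the desktop browser session
}
func IssueChallenge(session, rpID string) Challenge {
	n := make([]byte, 32)
	rand.Read(n)
	return Challenge{session, rpID, n}
}

// MobileSign plays the RCA: WebAuthn-style clientData/authData, signed with the embedded credential key.
func MobileSign(priv *ecdsa.PrivateKey, c Challenge) (authData, clientData, sig []byte) {
	clientData, _ = json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(c.Nonce), "origin": "https://" + c.RPID})
	rpHash, cdHash := sha256.Sum256([]byte(c.RPID)), sha256.Sum256(clientData)
	authData = append(rpHash[:], 0x05, 0, 0, 0, 1) // flags UP|UV set, signature counter = 1
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return
}

// ServerVerify checks RP ID hash, UV flag, echoed challenge and signature, then mints the session JWT for the desktop browser.
func ServerVerify(pub *ecdsa.PublicKey, c Challenge, authData, clientData, sig, jwtKey []byte) (string, bool) {
	var cd map[string]string
	rpHash, cdHash := sha256.Sum256([]byte(c.RPID)), sha256.Sum256(clientData)
	digest := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	if json.Unmarshal(clientData, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != base64.RawURLEncoding.EncodeToString(c.Nonce) || len(authData) < 37 ||
		string(authData[:32]) != string(rpHash[:]) || authData[32]&0x04 == 0 || !ecdsa.VerifyASN1(pub, digest[:], sig) {
		return "", false
	}
	hdr := base64.RawURLEncoding.EncodeToString([]byte(`{"alg":"HS256","typ":"JWT"}`))
	body, _ := json.Marshal(map[string]string{"sub": c.Session, "amr": "fido2"})
	signing := hdr + "." + base64.RawURLEncoding.EncodeToString(body)
	mac := hmac.New(sha256.New, jwtKey)
	mac.Write([]byte(signing))
	return signing + "." + base64.RawURLEncoding.EncodeToString(mac.Sum(nil)), true
}
func NewCredential() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k } // stand-in for the key registered on the authenticator
```

The server rejects a response replayed against a later challenge, a signature from a different credential, and authenticator data whose UV flag was cleared, which is what makes this stronger than an OTP the user could be phished into retyping.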

Arshad Noor

Dec 16, 2021, 9:32:13 PM
to rahul jha, FIDO Dev (fido-dev)
I realized I might cause some confusion in one sentence and want to
clarify it.

When I said: "However, at this time, it does not work with browser-based
web-apps on the mobile device - just native, rich-client apps (RCA)" - I
meant that the FIDO credential/keys in the embedded authenticator on
Android will not work with browser-based web-apps currently - just with RCA.

The FIDO2 Server itself (that preceded this confusing sentence) will
work with any FIDO Certified FIDO2 authenticator.

Sorry about that.

Arshad