Part of the problem is Fido 2 is a marketing term and not a spec.
The platform authenticator built in to Android is what was certified as a "Fido2" authenticator.
That is different from saying that the WebAuthn platform also built into Android supports CTAP2.
Currently Android only supports CTAP1/U2F external authenticators.
This was discussed at the FIDO plenary and Google intends to address this when time and resources permit.
So the bottom line is if your authenticator doesn't support CTAP1/U2F then it won't work with Android any time in the near future.
That is one reason most external CTAP2 keys also support U2F/CTAP1.
The other thing to note on Android is that the platform authenticator doesn't support discoverable credentials (AKA resident) so combined with no CTAP2 external support you can't log into a Microsoft account using WebAuthn from Android.
John B.
Hi Zhao,
Android support for CTAP2 is limited. It can perform the usual tap to authenticate like U2F, but it cannot do PIN presentation or discoverable credentials. As you’ve also noticed, it also blocks creation of discoverable credentials on security keys – if you set the options to “cross-platform” and discoverable: “required”, the UI will guide you into creating a platform credential.
What you can do in the meantime is enroll a discoverable credential on desktop, use it like a discoverable credential on desktop, and like a U2F credential on Android.
I expect Android to support passkeys on security keys someday, but I have no information on this topic.
Best regards,
--
Thomas Duboucher
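
The workaround described in the message above, sketched from the relying party's side as an added example (not code from the thread or from any FIDO project). The function names, the stored-credential record shape and the `discoverableOnKeys` flag are hypothetical; the option fields are standard WebAuthn.

```javascript
// Added example. Function names and the stored-credential shape are hypothetical.

// Enrolment on desktop: ask a security key for a discoverable credential.
function registrationOptions({ rp, user, challenge }) {
  return {
    rp, user, challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // -7 = ES256
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",
      residentKey: "required",
      requireResidentKey: true, // WebAuthn Level 1 spelling of the same request
    },
  };
}

// Sign-in. discoverableOnKeys is the caller's own judgement of the client
// (assumption: false for Android, as described in the thread).
function requestOptions({ rpId, challenge, storedCredentials, discoverableOnKeys }) {
  if (discoverableOnKeys) {
    // Usernameless: an empty allowCredentials list asks for a discoverable credential.
    return { rpId, challenge, allowCredentials: [], userVerification: "required" };
  }
  if (!storedCredentials || storedCredentials.length === 0) {
    throw new Error("username-first flow needs the account's credential IDs");
  }
  // U2F-style second factor after the username/password step: name the
  // credential IDs and do not require a PIN the client cannot collect.
  return {
    rpId, challenge,
    userVerification: "discouraged",
    allowCredentials: storedCredentials.map((c) => ({
      type: "public-key", id: c.id, transports: c.transports,
    })),
  };
}

// Constructed sample data (fixed challenge for the demo; use fresh random bytes per request).
const sampleChallenge = new Uint8Array(32).fill(7);
const sampleCredentials = [{ id: Uint8Array.from([1, 2, 3, 4]), transports: ["usb", "nfc"] }];
const base = { rpId: "example.com", challenge: sampleChallenge, storedCredentials: sampleCredentials };
console.log(requestOptions({ ...base, discoverableOnKeys: true }));
console.log(requestOptions({ ...base, discoverableOnKeys: false }));
```

In a browser the returned object is what gets passed as `publicKey` to `navigator.credentials.create()` or `navigator.credentials.get()`.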
I think it doesn't even do CTAP2, when I checked attestations and stuff when creating a credential it always went straight to U2F.