FIDO2 on Android


Antoine FERRON [BitLogiK]

Feb 14, 2020, 2:43:25 PM
to FIDO Dev (fido-dev)
On February 25th, 2019, the FIDO alliance announced that "Android is now FIDO2 Certified, bringing simpler, stronger authentication capabilities to over a billion devices that use this platform every day. With this news, any compatible device running Android 7.0+ were now FIDO2 Certified out of the box or after an automated Google Play Services update. This gives users the ability to leverage their FIDO security keys for secure passwordless access to websites and native applications that support the FIDO2 protocols."

While working on a FIDO2 CTAP2 NFC authenticator (what Android calls a SecurityKey), I struggled to find out why it doesn't work on Android, despite the fact that it runs fine on iOS 13 and Windows 10.
Looking at the logs of the Android 9.1 phone we use, I finally found out the reason:

E Fido    : [NfcSKRequestController] Error when communicating with the security key.
E Fido    : xzl: yrp: Protocol version FIDO_2_0 not supported
E Fido    :      at xzb.a(:com.google.android.gms@20104030@20.1.04 (100408-288960190):17)
E Fido    :      at xzj.a(:com.google.android.gms@20104030@20.1.04 (100408-288960190):4)
E Fido    :      at ysm.run(:com.google.android.gms@20104030@20.1.04 (100408-288960190):10)
E Fido    :      at ter.b(:com.google.android.gms@20104030@20.1.04 (100408-288960190):14)
E Fido    :      at ter.run(:com.google.android.gms@20104030@20.1.04 (100408-288960190):2)
E Fido    :      at java.util.concurrent.ThreadPoolExecutor.processTask(ThreadPoolExecutor.java:1187)
E Fido    :      at java.util.concurrent.ThreadPoolExecutor.runWorker(ThreadPoolExecutor.java:1152)
E Fido    :      at java.util.concurrent.ThreadPoolExecutor$Worker.run(ThreadPoolExecutor.java:641)
E Fido    :      at tkp.run(Unknown Source:7)
E Fido    :      at java.lang.Thread.run(Thread.java:784)
E Fido    : Caused by: yrp: Protocol version FIDO_2_0 not supported
E Fido    :      at com.google.android.gms.fido.u2f.api.common.ProtocolVersion.a(:com.google.android.gms@20104030@20.1.04 (100408-288960190):2)
E Fido    :      at com.google.android.gms.fido.u2f.api.common.ProtocolVersion.a(:com.google.android.gms@20104030@20.1.04 (100408-288960190):5)
E Fido    :      at xzb.a(:com.google.android.gms@20104030@20.1.04 (100408-288960190):18)
E Fido    :      ... 9 more
E Fido    : [FidoApiImpl] pauseSecurityKeyRequestController should not be called when SecurityKeyRequestController is null.
E AppLifeChangeSensor:  CAWARENESS: activityPaused mAppLifeChangeCallback is null
E cr_Fido2Request: Google Play Services FIDO2 API returned an error: Device ineligible.

So in brief: Protocol version FIDO_2_0 not supported. CTAP2-only devices are "ineligible" on this phone.

If I use the old U2F_V2 SELECT identifier and a getInfo with only FIDO_2_0 as the supported version, the key registration process also fails.

Can anyone get a working CTAP2-only device on Android 9?

In which version of Mobile/Play Services is FIDO2 supported? What are the missing components to support that?

Are the conformance tests for a FIDO2 certified product public? It would be interesting and helpful for this matter to see the certification report results.


Antoine FERRON [BitLogiK]

Feb 14, 2020, 3:46:02 PM
to FIDO Dev (fido-dev)
Following this thread, maybe the certification and all this fancy communication was only about using an Android device as a FIDO2 CTAP authenticator, and nothing related to using a FIDO2 authenticator on an Android device.


I'm still surprised that Android is the last platform (after Windows and iOS) not to be able to use a CTAP2 authenticator. Also, maybe it is the Android 9 test phone I use which has an issue.

John Bradley

Feb 14, 2020, 3:46:08 PM
to fido...@fidoalliance.org

Part of the problem is that FIDO2 is a marketing term and not a spec.

The platform authenticator built into Android is what was certified as a "FIDO2" authenticator.

That is different from saying that the WebAuthn platform also built into Android supports CTAP2.

Currently Android only supports CTAP1/U2F external authenticators.

This was discussed at the FIDO plenary, and Google intends to address this when time and resources permit.

So the bottom line is: if your authenticator doesn't support CTAP1/U2F, then it won't work with Android any time in the near future.

That is one reason most external CTAP2 keys also support U2F/CTAP1.

The other thing to note on Android is that the platform authenticator doesn't support discoverable credentials (AKA resident), so combined with no CTAP2 external support you can't log into a Microsoft account using WebAuthn from Android.

John B.

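As an added example, not code from any of the posters, from Google Play Services or from any key vendor: the getInfo exchange Antoine describes, parsed and checked against the rule John states above (Android, at the time of the thread, only talks CTAP1/U2F to external keys, so a key whose getInfo advertises FIDO_2_0 alone is "ineligible", while one that also advertises U2F_V2 falls back to CTAP1). Everything below is assumed for illustration: the two responses are hand-encoded at the CTAP message layer (status byte followed by CBOR, without the NFC APDU framing), the AAGUID is a placeholder, and the "usable on Android" verdict encodes the thread's observation, not any documented Play Services logic.

```python
"""Parse a CTAP2 authenticatorGetInfo response (status byte + CBOR map) and
classify what an Android platform that speaks only CTAP1/U2F to external
keys could do with it.  Added example; both responses below are constructed
by hand, not captured from a real key."""


def _decode(buf, pos=0):
    """Decode one CBOR item at buf[pos]; return (value, next_pos).
    Covers the subset CTAP2 canonical CBOR uses in getInfo."""
    ib = buf[pos]
    pos += 1
    major, info = ib >> 5, ib & 0x1F
    if major == 7:                       # simple values: only true/false are needed here
        if info == 20:
            return False, pos
        if info == 21:
            return True, pos
        raise ValueError("unsupported simple value %d" % info)
    if info < 24:                        # argument carried in the initial byte
        arg = info
    elif info <= 27:                     # 1, 2, 4 or 8 following bytes
        n = 1 << (info - 24)
        arg = int.from_bytes(buf[pos:pos + n], "big")
        pos += n
    else:                                # 28-30 reserved, 31 = indefinite length
        raise ValueError("indefinite-length items are not permitted in CTAP2 CBOR")
    if major == 0:
        return arg, pos
    if major == 1:
        return -1 - arg, pos
    if major == 2:
        return bytes(buf[pos:pos + arg]), pos + arg
    if major == 3:
        return buf[pos:pos + arg].decode("utf-8"), pos + arg
    if major == 4:
        items = []
        for _ in range(arg):
            v, pos = _decode(buf, pos)
            items.append(v)
        return items, pos
    if major == 5:
        d = {}
        for _ in range(arg):
            k, pos = _decode(buf, pos)
            v, pos = _decode(buf, pos)
            d[k] = v
        return d, pos
    raise ValueError("unsupported major type %d" % major)


class CtapError(Exception):
    """Non-zero CTAP status byte at the start of a response."""


def parse_get_info(response):
    """Map a raw getInfo response onto the named fields CTAP2 defines
    (1 versions, 2 extensions, 3 aaguid, 4 options, 6 pinProtocols)."""
    if not response:
        raise CtapError("empty response")
    if response[0] != 0x00:              # 0x00 is CTAP2_OK
        raise CtapError("authenticator returned status 0x%02x" % response[0])
    body, end = _decode(response, 1)
    if end != len(response):
        raise ValueError("trailing bytes after the CBOR map")
    if not isinstance(body, dict) or 0x01 not in body:
        raise ValueError("getInfo response must be a map with a versions entry (key 1)")
    return {
        "versions": body[0x01],
        "extensions": body.get(0x02, []),
        "aaguid": body.get(0x03, b""),
        "options": body.get(0x04, {}),
        "pin_protocols": body.get(0x06, []),
    }


def classify_for_android(info):
    """Assumption from the thread: the platform only speaks CTAP1/U2F to
    external keys, so usability hinges on U2F_V2 being advertised."""
    versions = set(info["versions"])
    return {
        "ctap2": "FIDO_2_0" in versions,
        "ctap1": "U2F_V2" in versions,
        "supports_resident_keys": bool(info["options"].get("rk", False)),
        "usable_on_android": "U2F_V2" in versions,   # else "Device ineligible"
    }


# --- constructed sample responses (hand-encoded; placeholder AAGUID) ---
_TAIL = ("03 50 00112233445566778899aabbccddeeff "   # key 3: aaguid, 16-byte bstr
         "04 a3 62 726b f5 62 7570 f5 "                 # key 4: {"rk": true, "up": true,
         "69 636c69656e7450696e f4")                    #          "clientPin": false}
# versions = ["FIDO_2_0"] only, as the OP's NFC key answers
CTAP2_ONLY_RESPONSE = bytes.fromhex("00 a3 01 81 68 4649444f5f325f30 " + _TAIL)
# versions = ["FIDO_2_0", "U2F_V2"], a typical dual-mode key
DUAL_MODE_RESPONSE = bytes.fromhex("00 a3 01 82 68 4649444f5f325f30 66 5532465f5632 " + _TAIL)
# status 0x01 = CTAP1_ERR_INVALID_COMMAND, no CBOR body follows
ERROR_RESPONSE = bytes.fromhex("01")
```

Run `classify_for_android(parse_get_info(CTAP2_ONLY_RESPONSE))` and `usable_on_android` comes back False, which is the "Device ineligible" outcome in the log above; the dual-mode response flips it to True. The decoder deliberately rejects indefinite-length items and trailing bytes, since CTAP2 requires canonical CBOR and lenient parsing of authenticator responses is where platform bugs tend to hide.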

Luciano Checchinato

Oct 23, 2020, 4:39:58 AM
to FIDO Dev (fido-dev), John Bradley
Hello John,
I suppose that this has not changed since February 2020, and CTAP2 is still not supported over the NFC transport in Android.
Do you know the support status of CTAP2 over NFC in the iOS world? Where can we get reliable information?

Thank you

John Bradley

Oct 25, 2020, 5:28:02 PM
to Luciano Checchinato, FIDO Dev (fido-dev)
Yes, CTAP2 with PIN is supported on iOS 14 now.

There are still a couple of bugs that are being worked on, but most things in WebAuthn Level 1 are working.

Unfortunately there is no new news for Android.

Zhao Bin

Jan 4, 2023, 12:07:47 AM
to FIDO Dev (fido-dev), John Bradley, FIDO Dev (fido-dev), Luciano Checchinato
Hi all

May I know if Android supports CTAP2 now?

I want to create a discoverable credential (or resident key) on my Yubico Security Key, which is FIDO2 certified. This works perfectly in a desktop browser.

When testing with webauthn.io on my Android phone (Samsung Galaxy S21 FE), the Chrome browser only prompts me to create a new passkey.
There is no option to choose a security key unless I set "Discoverable Credential" to "Discouraged" in the Advanced settings (on webauthn.io). However, this generates a non-discoverable credential on my YubiKey.

Please advise whether this is the expected behaviour on Android, or whether Android has any plan to support creating discoverable credentials on security keys.
Thanks.

Best Regards
Zhao Bin

DUBOUCHER Thomas

Jan 4, 2023, 4:50:33 AM
to Zhao Bin, FIDO Dev (fido-dev), John Bradley, FIDO Dev (fido-dev), Luciano Checchinato

Hi Zhao,

Android support for CTAP2 is limited. It can perform the usual tap-to-authenticate like U2F, but it cannot do PIN presentation or discoverable credentials. As you've also noticed, it also blocks creation of discoverable credentials on security keys: if you set the options to "cross-platform" and discoverable: "required", the UI will guide you into creating a platform credential.

What you can do in the meantime is enroll a discoverable credential on desktop, use it like a discoverable credential on desktop, and like a U2F credential on Android.

I expect Android to support passkeys on security keys someday, but I have no information on this topic.

Best regards,

--

Thomas Duboucher

My1

Jan 4, 2023, 5:55:37 AM
to DUBOUCHER Thomas, Zhao Bin, FIDO Dev (fido-dev), John Bradley, Luciano Checchinato
I think it doesn't even do CTAP2; when I checked attestations and such when creating a credential, it always went straight to U2F.

Regards
My1


Adam Langley

Jan 4, 2023, 6:54:16 PM
to FIDO Dev (fido-dev), My1, Zhao Bin, FIDO Dev (fido-dev), John Bradley, Luciano Checchinato, thomas.d...@thalesgroup.com
On Wednesday, January 4, 2023 at 2:55:37 AM UTC-8 My1 wrote:
I think it doesn't even do CTAP2; when I checked attestations and such when creating a credential, it always went straight to U2F.

Android does not currently support CTAP2.


Cheers

AGL