Use only "platform authenticators" on Android devices

144 views
Skip to first unread message

Dev TB

unread,
Jun 28, 2024, 11:25:33 AMJun 28
to FIDO Dev (fido-dev)
According to the WebAuthn, the client can specify a built-in authenticator by specifying the platform in authenticatorAttachment when generating credentials.
However, when screen lock is disabled in setting on Android devices, "the "Use another device" button appears and cross-platform authenticators are availables even if platfrom in authenticatorAttachment is specified.
Because I confirmed cross-platform authenticators were NOT availables until April 2024, I assume this behavior was changed by Google system update after that.
 
But even if the platform in authenticatorAttachment is specified, is it acceptable for FIDO2 conventions and specifications to allow the use of an authenticator that does not conform to the specification ?

Do you have any solutions  to avoid using NFC, USB or other security keys on Andorid devices ?

Tim Cappalli

unread,
Jun 28, 2024, 11:30:55 AMJun 28
to Dev TB, FIDO Dev (fido-dev)
Attachment is a bit of a dated concept (ex: a passkey in a "platform authenticator" can be used via Cross-Device Authentication which would be cross-platform attachment), and is difficult to deprecate. From a UI/UX perspective, WebAuthn clients will do what is best for their users. 

For general consumer cases, you should allow users to store their passkeys on the authenticator of their choosing, including security keys.

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/7e8bf08a-9b41-4d9f-8a7c-f7308175aca4n%40fidoalliance.org.

Manu e gabi Guimaraes andrade

unread,
Jun 28, 2024, 6:26:51 PMJun 28
to FIDO Dev (fido-dev), Dev TB

Arshad Noor

unread,
Jun 29, 2024, 8:17:43 PMJun 29
to Dev TB, FIDO Dev (fido-dev)
While WebAuthn UX options allow you to provide hints, you need a
"policy" to enforce the requirement on the back-end.

Even though it is possible to have web/mobile applications perform those
checks, the surest, and most optimal, way to accomplish that is to NOT
leave it up to business applications for enforcement - you need to make
it the responsibility of the security service managing FIDO interactions.

StrongKey's open-source, FIDO Certified server includes a policy module
that allows you to enforce platform credentials (among many other
attributes); you can get a feel for how this works with the "FIDO
Policy" demo at https://demo.strongkey.com.

StrongKey FIDO Server (SKFS) and the FIDO Policy demo are available for
download at https://sourceforge.net/projects/strongkeyfido -
documentation at docs.strongkey.com.

Arshad Noor
StrongKey
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev+u...@fidoalliance.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/7e8bf08a-9b41-4d9f-8a7c-f7308175aca4n%40fidoalliance.org <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/7e8bf08a-9b41-4d9f-8a7c-f7308175aca4n%40fidoalliance.org?utm_medium=email&utm_source=footer>.
Reply all
Reply to author
Forward
0 new messages