Enabling Fido/Webauthn Support on MacOS via NFC


Evan Krueger

Mar 29, 2022, 6:08:01 PM
to FIDO Dev (fido-dev)
Hi All, 

I'm hoping someone here can help me find the correct audience for this question about supporting Fido security keys via NFC on MacOS. 

Our company is working on a wearable Fido hardware security key. The interface for that Fido/Webauthn communication is NFC. Android, iOS and Windows support Fido over NFC, but from our testing, MacOS support is limited to USB security keys. The NFC omission on MacOS seems odd, given that iOS supports it, and we've struggled to develop a workaround for it. 

It may be that this is a niche issue for users of hardware security keys, but I also cannot imagine we'd be the only entity to benefit from broader support. The reason for my reaching out is that we're interested in finding a way to bring this feature to fruition in a way that benefits the wider Fido/Webauthn ecosystem. 

Instead of pinning hope for this support on a WWDC surprise announcement, we thought we'd ask if anyone has suggestions for how we might bring about this kind of support in an open source way, either through some kind of collaboration, bounty/grant/funding, or some other means such that everyone can utilize it. 

Any and all feedback is appreciated. Thanks.

Tim Cappalli

Mar 29, 2022, 7:18:17 PM
to Evan Krueger, FIDO Dev (fido-dev)
I can't speak for Apple, but I imagine it is solely due to the lack of Apple hardware running macOS with an NFC reader built-in. 



John Bradley

Mar 29, 2022, 7:22:58 PM
to FIDO Dev (fido-dev), ev...@tokenring.com
Windows has a history of supporting smart cards for AD deployments in the enterprise, so with Fido being seen as a replacement for smart cards, it made sense to support NFC for call centre and other shared computer environments.

Apple is less invested in those sorts of deployments.
I agree that it would be great if they supported CCID readers like Windows, but I won't hold my breath.

You might get someplace by integrating libfido2 into a native app in OSX and providing the CCID stack over USB.

In principle, Microsoft Edge or Firefox could support CCID, but I don't see them doing the work.

I think Firefox and Edge/Chrome will probably move to the native OSX webauthn API, so adding CCID would be complicated and probably not great UX.

Your best bet is convincing Apple.

I would like it.   

FYI, the Fido conformance tool on OSX directly implemented CCID in Electron, so it is possible.

Regards

Chester Taylor

Mar 30, 2022, 10:16:27 AM
to FIDO Dev (fido-dev), John Bradley, Evan Krueger
> You might get someplace by integrating libfido2 into a native app in OSX and providing the CCID stack over USB

This is similar to the approach we've been pursuing. We discovered a project on GitHub, CCIDU2F, which claims to have gotten the proposed solution working using a virtual authenticator's driver. However, the driver is built as a KEXT, which macOS yells at me about when I try installing it.

Based on a discussion in an issue in the CCIDU2F repo, we are reworking the virtual authenticator to install using Apple's System Extensions framework instead. We'd looked at doing something with libfido2, but the CCIDU2F solution seemed more complete.

Peter Huang

Apr 2, 2022, 11:54:48 PM
to FIDO Dev (fido-dev), che...@tokenring.com, John Bradley, ev...@tokenring.com
OSX already supports CCID; OpenSC has done a wonderful job in that area. While ecdsa-sk is not supported on native ssh, the OpenSSH version works (I tested it). I was playing around with the duo-lab webauthn library, which should hold some promise. I wouldn't hold my breath for NFC; it is too much work to get the tag right.

John Pascoe

Jul 27, 2022, 6:16:59 PM
to FIDO Dev (fido-dev), aph...@gmail.com, che...@tokenring.com, John Bradley, ev...@tokenring.com
This is in macOS Ventura/iOS 16 beta 4.