Chrome on Android support of security keys


Xavier CHAPRON

Sep 14, 2023, 4:54:02 AM
to FIDO Dev (fido-dev)
Hello,

I ran a few tests on multiple Android devices with versions 11 / 12 / 13 and I was not able to register on webauthn.io using Google Chrome on any of them using anything other than a Google Passkey when "Discoverable Credential" is set to anything other than "Discouraged".
To me it appears that Google Chrome on Android suddenly dropped support for other authenticators, including hardware security keys.

I saw here that the support of "External Authenticator" is "planned": https://passkeys.dev/docs/reference/android/ but technically this was already working before...

Am I missing something here? Is Google Chrome really enforcing the usage of Google Passkey?

Thanks,

Xavier Chapron

My1

Sep 14, 2023, 4:58:11 AM
to Xavier CHAPRON, FIDO Dev (fido-dev)
Discovered credentials (also known as resident keys) is something that Android cannot do with FIDO devices yet, as it only speaks CTAP1 (aka U2F) with external devices so far.
So basically, if you want resident credentials, Google sees that and asks you for their passkey implementation.

Regards
My1



Xavier CHAPRON

Sep 14, 2023, 5:22:03 AM
to My1, FIDO Dev (fido-dev)
Hello My1,

Thanks for your answer.
 
> Discovered credentials (also known as resident keys) is something that Android cannot do with FIDO devices yet, as it only speaks CTAP1 (aka U2F) with external devices so far.

This is not technically true. When setting "Discoverable credentials" to "Discouraged" and using my security key, I can clearly see a CTAP2 request (authenticatorGetInfo) being sent from the Android device to my device.

I saw this already being discussed on this mailing list, but in my opinion, having the "Discoverable credentials" setting value "Preferred" being converted to "required" when transmitted to the authenticator doesn't sound like the right thing to do.

Regards,
Xavier Chapron
 

Tim Cappalli

Sep 14, 2023, 5:35:02 AM
to Xavier CHAPRON, FIDO Dev (fido-dev)
> I saw here that the support of "External Authenticator" is "planned": https://passkeys.dev/docs/reference/android/ but technically this was already working before...

Passkeys.dev is exclusively about passkeys, which are WebAuthn discoverable credentials. Android did not support discoverable credentials on security keys. Android supported second factor / server-side / U2F-style credentials with security keys.

Support for passkeys on security keys is rumored to be coming soon. Passkeys.dev will be updated when that happens.

Also, just a nit, "Google Passkey" isn't a thing. I think you meant creating a passkey in Google Password Manager (which is the default passkey provider on most Android devices).

My1

Sep 14, 2023, 6:10:32 AM
to Tim Cappalli, Xavier CHAPRON, FIDO Dev (fido-dev)
It's not just discoverable/resident credentials that weren't supported though, UV was dead too, which is kinda important for passwordless even if you don't go usernameless.

Joost van Dijk

Sep 15, 2023, 6:20:15 AM
to My1, Tim Cappalli, Xavier CHAPRON, FIDO Dev (fido-dev)
I haven’t tried myself, but for UV support on Android you may want to try to upgrade to the latest version of Google Play Services.

See
Which states:

“Adding Pin Protocol support for Fido2 on Android Platform.”

—Joost van Dijk


John Bradley

Sep 15, 2023, 8:19:46 AM
to Joost van Dijk, My1, Tim Cappalli, Xavier CHAPRON, FIDO Dev (fido-dev)
There is some support in the latest version of Play Services for biometric or PIN over USB. NFC support is still coming, as I understand it.

So you will get different results on Android depending on the interface.

That is not confusing at all, so just wanted to point it out before people try it and get confused.

John B. 



FIDO Dev (fido-dev)

Sep 19, 2023, 6:13:42 AM
to FIDO Dev (fido-dev), John Bradley, My1, Tim Cappalli, Xavier CHAPRON, FIDO Dev (fido-dev), Joost van Dijk
Just tested it using the 23.35.54 version of Play Services; it doesn't seem to bring UV to security keys. Registering a security key on webauthn.io fails when UV is Required.

مصطفى سعيد مصطفى سعيد

Sep 19, 2023, 7:32:41 AM
to FIDO Dev (fido-dev), FIDO Dev (fido-dev), John Bradley, My1, Tim Cappalli, Xavier CHAPRON, Joost van Dijk
Support
 

John Bradley

Sep 19, 2023, 9:35:35 AM
to FIDO Dev (fido-dev), FIDO Dev (fido-dev), My1, Tim Cappalli, Xavier CHAPRON, Joost van Dijk
My phone with beta Play Services has 23.35.56. USB keys with built-in biometrics work; however, PIN support over USB seems not to be in that external beta yet.

It will happen eventually, but after 5 years of real soon now, all I can say is real soon now :)

Yes, lack of CTAP2 PIN support on Android is significantly holding back adoption in a number of areas.

John B. 




Xavier CHAPRON

Oct 19, 2023, 9:48:58 AM
to John Bradley, FIDO Dev (fido-dev), FIDO Dev (fido-dev), My1, Tim Cappalli, Joost van Dijk
Hello,

I just tested it on a Pixel 5 with Android version 14, Google Play Service version 23.40.14 and Google Chrome version 118.0.
It appears that when setting "Discoverable Credential" to "Discouraged", it is possible to use a USB security key, and it's even using the CTAP2 protocol.

However, I'm not sure what the reason is for not allowing external security keys when the "Discoverable Credential" setting is not set to "Discouraged", even though the authenticator supports internal user verification and discoverable credentials.
Does anyone know if this is temporary or if this is going to stay as it is currently?

Thanks,

Xavier

Xavier CHAPRON

Mar 15, 2024, 5:52:05 AM
to John Bradley, FIDO Dev (fido-dev), FIDO Dev (fido-dev), My1, Tim Cappalli, Joost van Dijk
Hello,

A few months later, it appears that on up-to-date Android and Chrome, there is still no way to use an external security key when the "Discoverable Credential" setting is not set to "Discouraged".
This is in my opinion a great blocker for Security Key adoption as most websites use the classical "Preferred" setting value for
Does anyone know if this is temporary or if this is going to stay as it is currently?

I also did a few tests on NFC support, and it appears that Chrome on Android is still using U2F. Is FIDO2 support in the pipes?

Thanks,

Xavier
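
The observations reported in this thread (a CTAP2 authenticatorGetInfo request seen over USB, U2F still seen over NFC) can be checked on captured traffic with a small classifier. This is an added example, not code from any poster: command values are from the FIDO CTAP specification, while the function names and sample frames are constructed for illustration.

```python
# Added example: tell CTAP1/U2F from CTAP2 in captured host-to-authenticator frames.
# Command values are from the FIDO CTAP specification; sample frames are constructed.
CTAPHID_MSG, CTAPHID_CBOR = 0x03, 0x10   # U2F APDU vs. CTAP2 CBOR message
CTAP2_CMDS = {0x01: "authenticatorMakeCredential", 0x02: "authenticatorGetAssertion",
              0x04: "authenticatorGetInfo", 0x06: "authenticatorClientPIN"}
U2F_INS = {0x01: "U2F_REGISTER", 0x02: "U2F_AUTHENTICATE", 0x03: "U2F_VERSION"}


def classify_apdu(apdu: bytes):
    """Classify a command APDU (NFC transport, or the payload of CTAPHID_MSG)."""
    if len(apdu) < 4:
        return ("unknown", "truncated APDU")
    cla, ins = apdu[0], apdu[1]
    if cla == 0x80 and ins == 0x10:          # NFCCTAP_MSG carries a CTAP2 command
        # Short APDU: 1-byte Lc at offset 4. Extended APDU: 0x00 plus 2-byte Lc.
        off = 7 if len(apdu) > 4 and apdu[4] == 0x00 else 5
        if len(apdu) <= off:
            return ("unknown", "NFCCTAP_MSG without a command byte")
        return ("CTAP2", CTAP2_CMDS.get(apdu[off], f"command 0x{apdu[off]:02x}"))
    if cla == 0x00 and ins in U2F_INS:
        return ("CTAP1/U2F", U2F_INS[ins])
    return ("other", f"CLA=0x{cla:02x} INS=0x{ins:02x}")


def classify_hid_packet(pkt: bytes):
    """Classify one CTAPHID packet (HID report ID already stripped)."""
    if len(pkt) < 7:
        return ("unknown", "truncated packet")
    if not pkt[4] & 0x80:                    # bit 7 clear: continuation packet
        return ("continuation", f"sequence {pkt[4]}")
    cmd = pkt[4] & 0x7F
    data = pkt[7:7 + int.from_bytes(pkt[5:7], "big")]
    if cmd == CTAPHID_CBOR:
        if not data:
            return ("unknown", "empty CTAPHID_CBOR payload")
        return ("CTAP2", CTAP2_CMDS.get(data[0], f"command 0x{data[0]:02x}"))
    if cmd == CTAPHID_MSG:
        return classify_apdu(data)
    return ("transport", f"CTAPHID command 0x{cmd:02x}")


# Constructed samples: 64-byte USB HID reports and raw NFC command APDUs.
USB_GETINFO = bytes.fromhex("00000001" "90" "0001" "04").ljust(64, b"\x00")
USB_U2F_VERSION = bytes.fromhex("00000001" "83" "0007" "00030000000000").ljust(64, b"\x00")
NFC_GETINFO = bytes.fromhex("80100000" "01" "04" "00")
NFC_U2F_REGISTER = bytes.fromhex("00010000" "40") + bytes(64) + b"\x00"

if __name__ == "__main__":
    print(classify_hid_packet(USB_GETINFO), classify_apdu(NFC_U2F_REGISTER))
```
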

John Bradley

Mar 15, 2024, 7:04:36 AM
to Xavier CHAPRON, FIDO Dev (fido-dev), FIDO Dev (fido-dev), My1, Tim Cappalli, Joost van Dijk
To my understanding support is coming for NFC but USB will be first. The full support for USB is supposed to be soon.


Xavier CHAPRON

Mar 15, 2024, 9:20:44 AM
to John Bradley, FIDO Dev (fido-dev), FIDO Dev (fido-dev)
Hello,

That is great news, thanks!

I'll take the opportunity to also ask whether there is good material somewhere for implementing NFC support on an authenticator.
As of now I know there are:
But I'm looking for a more extensive specification, and maybe some tooling, like a debug application or something?

Thanks again,

Xavier