I would recommend thinking of a Platform Authenticator as a combination
of a Secure Element + firmware/software that knows how to handle FIDO
transactions while embedded in a general purpose computing device.
This is different from a Security Key, which is also a combination of an
[optional] Secure Element + firmware/software that understands FIDO, but
is NOT embedded in a general purpose computer; it is an external device
that can "roam" from computer to computer and work with the browser over
a transport protocol (USB, BLE, NFC, etc.).
The Secure Element (SE)[1] handles low-level cryptographic processing,
while the "software" works with the SE and can integrate [optional]
biometrics and/or PIN/Passwords for "user verification" (UV). At a
minimum, however, the "software" must implement "user presence" (UP).
Implementations are jointly standardized by the FIDO Alliance as CTAP,
and by W3C as WebAuthn for browsers - you need both to make it work for
web applications. You can, however, use implementations with CTAP without
WebAuthn for non-browser applications (such as SSH), or with PKI digital
certificates using PKCS#11 libraries if a vendor supplies it.
But, that is not the only way to use FIDO - anyone can choose to
implement the capability if they want to in a different way to solve
unique problems that are not addressed with general implementations.
StrongKey created an open-source Android Client Library[2] that uses the
SE (or TEE) on modern phones, leverages biometrics, Android Key
Attestation and delivers Transaction Confirmation using FIDO2 - but not
using CTAP or WebAuthn. It only works with native "rich client apps"
(RCA) and with StrongKey's open-source FIDO Certified FIDO2 Server[3].
The sample app in the same repository can use either a fingerprint or
PINs for UV - but both user verification methods are using the same
"platform authenticator". Because of the way Android separates apps and
their keystores, any other app that uses similar Android APIs (as we
did) can create their own "platform authenticator" on the same mobile
device, but never trip over the FIDO credentials StrongKey's Android
Client Library (SACL) creates because they're walled off from each other
at lower layers in Android.
Google also has their own FIDO2 API for Android, but last I looked (a
couple years ago), I don't believe it used an SE, Android Key
Attestation or supported Transaction Confirmation; perhaps there is an
update now.
We didn't use that API, but went to Android APIs directly to build SACL.
Because of that, technically, an app using Google's FIDO2 API, and
another app using SACL can co-exist on the same mobile device and keep
their FIDO credentials completely and cryptographically separated - even
to the same RPID!
Sounds confusing - but if you read enough, it all falls into place after
a while.
Hope this helps.
Arshad
[1] https://www.arrow.com/en/iot/iot-security/secure-elements-and-trusted-platform-module
[2] https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl
[3] https://github.com/strongkey/fido2
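The post's point that "user presence" is the floor every authenticator must implement while "user verification" is optional shows up on the relying-party side as flag bits in the authenticatorData that accompanies every FIDO assertion. As an added example (not from the original post, and not StrongKey's or any vendor's code), the following Python parses the fixed prefix of authenticatorData, enforces the UP minimum and an RP-configurable UV policy, and flags a signature counter that fails to increase; the sample authenticatorData is constructed inline rather than captured from a real authenticator.

```python
import hashlib
import struct
from dataclasses import dataclass

# Bit positions of the "flags" byte in WebAuthn/CTAP2 authenticatorData.
FLAG_UP = 0x01  # user present (the minimum every authenticator must implement)
FLAG_UV = 0x04  # user verified (biometric, PIN or password; optional)


@dataclass(frozen=True)
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int

    @property
    def user_present(self) -> bool:
        return bool(self.flags & FLAG_UP)

    @property
    def user_verified(self) -> bool:
        return bool(self.flags & FLAG_UV)


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    (sign_count,) = struct.unpack(">I", raw[33:37])
    return AuthData(rp_id_hash=raw[:32], flags=raw[32], sign_count=sign_count)


def evaluate_assertion(raw: bytes, rp_id: str, require_uv: bool, stored_sign_count: int) -> list:
    """Return the list of policy failures for an assertion; an empty list means accept."""
    ad = parse_auth_data(raw)
    failures = []
    if ad.rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        failures.append("rpIdHash does not match this RP ID")
    if not ad.user_present:
        failures.append("UP flag clear: authenticator did not test user presence")
    if require_uv and not ad.user_verified:
        failures.append("UV flag clear but RP policy requires user verification")
    # A counter that does not increase can indicate a cloned credential (0 means unsupported).
    if ad.sign_count != 0 and ad.sign_count <= stored_sign_count:
        failures.append("signature counter did not increase")
    return failures


def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Build a constructed 37-byte authenticatorData for testing; not captured from a device."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
```

A real verification also checks the clientDataJSON challenge and origin and verifies the signature over authenticatorData || SHA-256(clientDataJSON); the flag and counter checks above are the part that corresponds to the UP/UV discussion in the post.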