Native iOS FIDO2 (WebAuthn) Support


James Hoon Go

Dec 1, 2020, 12:58:23 PM
to fido...@fidoalliance.org
Hi all,

I would like to ask some questions and hear advice from the experts on WebAuthn integration in native iOS mobile applications.

The goal that I am currently trying to achieve is to implement the FIDO2 (WebAuthn) protocol in native iOS mobile applications. I do understand that there is no official support or specifically designed API for FIDO2 in native iOS (it is only supported through Safari). On Android, Google started supporting a FIDO2 API for Android (https://developers.google.com/identity/fido/android/native-apps). Android supports CTAP over USB security keys, BLE, etc., as well as a platform authenticator (I assume that it is using Android's KeyStore to protect the key from other processes).

So, I was thinking of going with a similar approach using iOS' Secure Enclave (https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave) to generate and protect the private keys used for FIDO2. I also found a discussion on Google Chrome (https://bugs.chromium.org/p/chromium/issues/detail?id=678128) in which they developed Chrome's WebAuthn support with the same approach using the Secure Enclave. So, using the Secure Enclave would allow us to protect the private key, as it is isolated from the main processor and is a hardware-based key manager.

I would like to hear the opinion of the experts in this group on this approach: whether there is a serious security concern that I'm missing, whether this is a bad approach, or whether it violates any part of the FIDO2 specification.

Can anyone share an opinion or experience on this topic?

Sincerely,

--

Hun James Go
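
As an added illustration of the Secure Enclave approach described in the post above (example code written for this thread, not taken from the original post or from any library it mentions): it creates a non-exportable P-256 key in the Secure Enclave whose use is gated on biometric user verification, and signs the WebAuthn assertion input `authenticatorData || SHA-256(clientDataJSON)`. The key tag, the caller-supplied `authenticatorData` and `clientDataJSON` are assumptions.

```swift
import Foundation
import Security
import CryptoKit

// Create a non-exportable P-256 key inside the Secure Enclave.
// .biometryCurrentSet requires Face ID/Touch ID before every signature,
// which is what lets the assertion honestly set the UV flag; the key is
// invalidated if the enrolled biometrics change.
func makeSecureEnclaveKey(tag: Data) throws -> SecKey {
    var error: Unmanaged<CFError>?
    guard let access = SecAccessControlCreateWithFlags(
        kCFAllocatorDefault,
        kSecAttrAccessibleWhenUnlockedThisDeviceOnly,
        [.privateKeyUsage, .biometryCurrentSet],
        &error) else { throw error!.takeRetainedValue() as Error }
    let attrs: [String: Any] = [
        kSecAttrKeyType as String: kSecAttrKeyTypeECSECPrimeRandom,
        kSecAttrKeySizeInBits as String: 256,
        kSecAttrTokenID as String: kSecAttrTokenIDSecureEnclave,
        kSecPrivateKeyAttrs as String: [
            kSecAttrIsPermanent as String: true,
            kSecAttrApplicationTag as String: tag,   // hypothetical tag, e.g. per credential id
            kSecAttrAccessControl as String: access,
        ],
    ]
    guard let key = SecKeyCreateRandomKey(attrs as CFDictionary, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return key
}

// WebAuthn signs authenticatorData || SHA-256(clientDataJSON), never the
// JSON itself. ES256 (COSE alg -7) expects the DER-encoded ECDSA signature
// that this SecKey algorithm returns, so no re-encoding is needed.
func signAssertion(key: SecKey, authenticatorData: Data,
                   clientDataJSON: Data) throws -> Data {
    var message = authenticatorData
    message.append(Data(SHA256.hash(data: clientDataJSON)))
    var error: Unmanaged<CFError>?
    guard let sig = SecKeyCreateSignature(
        key, .ecdsaSignatureMessageX962SHA256, message as CFData, &error) else {
        throw error!.takeRetainedValue() as Error
    }
    return sig as Data
}
```

At registration, `SecKeyCopyPublicKey` followed by `SecKeyCopyExternalRepresentation` yields the uncompressed `0x04 || X || Y` point the relying party stores as the credential's COSE EC2 key; the private key never leaves the enclave.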

David Chadwick

Dec 1, 2020, 1:32:34 PM
to fido...@fidoalliance.org
Hi James

On 01/12/2020 17:58, James Hoon Go wrote:
> Hi all,
>
> I would like to ask questions, and would like to hear advice from the
> experts on WebAuthn integration in native iOS mobile applications.
>
> The goal that I am currently trying to achieve is to implement FIDO2
> (WebAuthn) protocol in native iOS mobile applications.

Do you want to implement this from scratch yourself, or do you want to
use an existing toolkit, and perhaps add to it?

Kind regards

David

> I do understand that there is no official support or specifically
> designed API for FIDO2 in iOS native (only supported through Safari).
> In Android, Google started supporting FIDO2 API for Android
> <https://developers.google.com/identity/fido/android/native-apps>.
> Android supports various CTAP, USB Security Key, BLE, and etc, as well
> as a platform authenticator (I assume that it's using Android's
> KeyStore to protect the key from other processors).
>
> So, I was thinking to go with a similar approach using iOS' Secure
> Enclave
> <https://developer.apple.com/documentation/security/certificate_key_and_trust_services/keys/storing_keys_in_the_secure_enclave> to
> generate and protect private keys used for FIDO2. I also found that
> there was a discussion on Google Chrome
> <https://bugs.chromium.org/p/chromium/issues/detail?id=678128> that
> they developed Chrome's WebAuthn support with the same approach using
> Secure Enclave. So, using the Secure Enclave would allow us to protect
> the private key as it is isolated from the main processor, and
> hardware-based key manager.
>
> I would like to hear from the experts in this group about their
> opinion on this approach whether there is a serious security concern
> that I'm missing, if this is a bad approach, or if it is violating any
> of FIDO2 specification.
>
> Can anyone share an opinion or experience on this topic?
>
> Sincerely,
>
> --
>
> Hun James Go

Eldan Ben Haim

Dec 1, 2020, 1:54:56 PM
to James Hoon Go, fido...@fidoalliance.org

If you take a look at the WebKit source code you'll see that the FIDO2 implementation there is based on SecKeychain.

That said, an alternative to rolling your own would be to launch a Safari web authentication view controller, point it at a domain you control, and serve a page that navigates to a URL your app intercepts, encoding the WebAuthn response. It is best to use an industry-standard protocol for this flow, such as OAuth or OIDC, but you can roll your own.

A benefit of this approach is that your app and the web app (assuming you also have a web app that does FIDO2 auth) can share the credential (as is the case with the Android native FIDO2 API).

Hope this helps. 


Eldan Ben Haim

Dec 1, 2020, 2:04:14 PM
to James Hoon Go, fido...@fidoalliance.org

James Hoon Go

Dec 1, 2020, 4:07:17 PM
to FIDO Dev (fido-dev), David Chadwick
Hi David,

I was thinking of utilizing an open-source library (https://github.com/lyokato/WebAuthnKit-iOS) and modifying it as needed to fill any missing gaps.
This library essentially creates the private key using the Secure Enclave and follows the WebAuthn protocol.
I wasn't quite sure, from a security or FIDO2 specification perspective, whether using a private key in the Secure Enclave would violate any part of the specification or raise any security concern.

Thanks,

James Hoon Go

Dec 1, 2020, 4:12:46 PM
to FIDO Dev (fido-dev), el...@transmitsecurity.com, fido...@fidoalliance.org, James Hoon Go
Hi,

Thanks for sharing the source for WebKit; that was helpful.
Yes, I understand that WebAuthn can also be performed through ASWebAuthenticationSession, but the requirement is to do the authentication journey in the native flow.
It's the proprietary authentication journey (collecting username/password/MFA, etc.) + OAuth2 flow.

Of course, I would like to follow whatever is available as an official solution, but biometric authentication in the native flow was a hard requirement.
So, I wanted to make sure that I'm not stepping onto the wrong path from the beginning with the idea of doing WebAuthn natively in iOS.

David Chadwick

Dec 1, 2020, 4:14:39 PM
to James Hoon Go, FIDO Dev (fido-dev)
Hi James

Yes, this is the library we are using. It works OK and we can set the
protocol parameters to the values that we want for our app. We have made
one mod, namely to remove the keys prompt to the user, which they find
confusing (and it's unnecessary).

Kind regards

David

James Hoon Go

Dec 1, 2020, 4:15:39 PM
to FIDO Dev (fido-dev), David Chadwick, James Hoon Go
That was exactly what I was thinking of removing, as well as other library dependencies that are redundant.

Thanks for sharing!

David Chadwick

Dec 1, 2020, 5:18:26 PM
to fido...@fidoalliance.org
We have not fed our mods back yet because we did not know if anyone else
would want them, but given that you do, we can talk to the developer to
see what he thinks.

Kind regards

David

On 01/12/2020 21:15, James Hoon Go wrote:
> That was exactly what I was thinking of removing, as well as
> other library dependencies that are redundant.
>
> Thanks for sharing!
>
> On Tuesday, December 1, 2020 at 1:14:39 PM UTC-8 David Chadwick wrote:
>
> Hi James
>
> Yes, this is the library we are using. It works OK and we can set the
> protocol parameters to the values that we want for our app. We
> have made
> one mod, namely to remove the keys prompt to the user, which they
> find
> confusing (and it's unnecessary).
>
> Kind regards
>
> David
>
> On 01/12/2020 21:07, James Hoon Go wrote:
> > Hi David,
> >
> > I was thinking to utilize open-source library
> > (https://github.com/lyokato/WebAuthnKit-iOS
> <https://github.com/lyokato/WebAuthnKit-iOS>) and modify as needed to