Hi,
One approach is the hybrid App, an App that acts as a mobile CTAP2 authenticator via BLE and as a local authenticator via ASM API. I suppose the same could be done using NFC in the remote case but I have yet to explore that option.
Rick
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/892aee7a-6852-4cbc-8453-35a87d02e4d8n%40fidoalliance.org.
Yes and no, Patrice.(Apologies for the mixed answer, but this is where things get nuanced in the FIDO ecosystem).
The PDF you referenced has this sentence on the last page: "The
Akamai MFA service introduces a new authentication factor. It
digitizes the security of FIDO2 with just a smartphone and a web
browser, and combines it with the easy-to-use, familiar
experience of a push notification — which can be used
across any platform as a roaming authenticator."
Clearly, they have created a capability that leverages the FIDO2 protocol on a mobile device, using the native browser on the device, to strongly authenticate the user when they attempt to login into some application. This is no different from traditional "push-notification" apps that prompt for confirmation of some action on the mobile. The difference is that the Akamai capability is using the FIDO2 protocol leveraging the browser on the device. Their capability may be integrated with TouchID/FaceID on iOS devices and with similar biometric capabilities on Android - I don't know since I don't use any third-party MFA service, including Akamai's - to any website/application.
What the StrongKey Android Client Library (SACL) does goes further than most FIDO2 implementations - I can, currently, only speak for the Android platform since we don't have an iOS library (yet):
A browser-based FIDO2 "transaction" cannot associate the FIDO
digital signature to a specific business transaction because no
browser has implemented the Transaction
Authorization capability in any browser to the best
of my knowledge. Since no implementations exist for the extensions
in any browser, the W3C policy required that it be removed from
the Level-2
specification. Of course, browser manufacturers can still choose
to implement the extension based on the Level-1 spec if they
wanted to, but that's a business decision they have to make.
While FIDO standards do not cover how to implement transaction
authorization in the FIDO2 protocol (outside of the WebAuthn
Level-1 spec), nothing prevents innovative companies from
delivering the capability leveraging underlying cryptographic
primitives available on specific platforms. That is what we chose
to do.
Hope this helps.
Arshad Noor
StrongKey