Fido Passkey is not working with iPhone Captive portal


Athur Krishna

May 19, 2023, 2:07:27 PM
to FIDO Dev (fido-dev)
I was able to set up passkey auth with Okta and used it as my Wi-Fi SSO login.
On iPhone the captive portal launches and it does not recognize the passkey; however, the Safari and Chrome browsers on the same iPhone identify the passkey.

Any thoughts?

Tim Cappalli

May 19, 2023, 2:09:34 PM
to Athur Krishna, FIDO Dev (fido-dev)
Captive portal mini-browsers use Embedded WebViews which do not currently support WebAuthn on any platform.

tim
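
A portal login page can detect the situation described in this reply and tell the user what to do instead of showing a passkey button that cannot work. This is an added example, not part of the thread and not any vendor's code; the function names and the sample environments are hypothetical and constructed for illustration.

```javascript
// Added example (not from the thread). All names here are hypothetical.
// `env` is a window-like object, so the check can also run outside a browser.
function webauthnSupport(env) {
  // WebAuthn is only exposed to pages in a secure context (HTTPS).
  if (!env || env.isSecureContext !== true) {
    return { available: false, reason: "insecure-context" };
  }
  const creds = env.navigator && env.navigator.credentials;
  // Embedded WebViews without WebAuthn support do not expose these objects.
  if (typeof env.PublicKeyCredential !== "function" || !creds ||
      typeof creds.get !== "function" || typeof creds.create !== "function") {
    return { available: false, reason: "api-missing" };
  }
  return { available: true, reason: "ok" };
}

// Decide what the login page should render for this environment.
function signInPlan(env) {
  const support = webauthnSupport(env);
  if (support.available) {
    return { action: "passkey", reason: support.reason,
             message: "Sign in with a passkey" };
  }
  const message = support.reason === "insecure-context"
    ? "This page was not loaded over HTTPS, so passkeys are unavailable."
    : "Passkeys are unavailable in this sign-in window. Close it and open " +
      "the network sign-in page in your regular browser.";
  return { action: "show-instructions", reason: support.reason, message };
}

// Constructed environments standing in for real window objects.
const fullBrowser = {
  isSecureContext: true,
  PublicKeyCredential: function PublicKeyCredential() {},
  navigator: { credentials: { get() {}, create() {} } },
};
const embeddedWebView = { isSecureContext: true, navigator: {} };
const plainHttpPage = { isSecureContext: false, navigator: {} };

for (const [name, env] of Object.entries(
  { fullBrowser, embeddedWebView, plainHttpPage })) {
  const plan = signInPlan(env);
  console.log(`${name}: ${plan.action} (${plan.reason})`);
}
```

In a real page, pass `window` as `env` and log the `reason` server-side to measure how many sign-in attempts arrive from embedded portal windows.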


My1

May 19, 2023, 3:27:00 PM
to Tim Cappalli, Athur Krishna, FIDO Dev (fido-dev)
It might be possible to just close that, open a normal browser and try to access a site that is not protected by HTTPS, like neverssl, which is useful to get a normal browser to move into a captive portal.

Athur Krishna

May 19, 2023, 3:44:38 PM
to My1, Tim Cappalli, FIDO Dev (fido-dev)
It's not a good experience for end users. Is there any initiative for captive portals to start supporting WebAuthn?

My1

May 19, 2023, 3:56:52 PM
to Athur Krishna, Tim Cappalli, FIDO Dev (fido-dev)
Sure, long term that would be awesome.
I was just thinking of a short-term workaround.

I wasn't even aware that there are captive portals that support WebAuthn, so I never had an idea whether the captive portal webview can do that lol.

What software are you using? Only if it's okay that I may ask, that would be so damn cool.

Joost van Dijk

May 25, 2023, 4:27:56 AM
to FIDO Dev (fido-dev), My1, Tim Cappalli, FIDO Dev (fido-dev), Athur Krishna
Some will actually consider this a feature.
Captive portals have several security issues, even if the website is protected by an HTTPS secure connection. For instance, revocation checking (or updating crlsets) requires a network connection that isn't available yet.

I agree that it would be nice to be able to use passkeys to sign in to a WiFi network. There is some work being done in the IETF to enable that (through EAP/802.1X so mostly for enterprise networks and eduroam), but I believe that is still in a very early stage currently.

--Joost

Athur Krishna

May 25, 2023, 12:10:33 PM
to Joost van Dijk, FIDO Dev (fido-dev), My1, Tim Cappalli
Hi Joost

Thanks.

Do you have any more details on the IETF work? 

Thanks
Krishna

My1

May 25, 2023, 12:15:50 PM
to Joost van Dijk, FIDO Dev (fido-dev), Tim Cappalli, Athur Krishna
Isn't revocation checking not even done by most browsers anyway, IIRC, except maybe for some big names and EV certs?
Also, OCSP staple could also help.

Joost van Dijk

May 26, 2023, 5:57:41 AM
to FIDO Dev (fido-dev), Athur Krishna, FIDO Dev (fido-dev), My1, Tim Cappalli, Joost van Dijk
Not yet, unfortunately.
Work on EAP-FIDO is coming out of the eduroam community. I believe they are working on an IETF internet-draft, but I haven't seen anything yet.
--Joost

Joost van Dijk

May 26, 2023, 6:07:54 AM
to FIDO Dev (fido-dev), My1, FIDO Dev (fido-dev), Tim Cappalli, Athur Krishna, Joost van Dijk
That is probably true. Even so, roaming Wi-Fi networks like eduroam and govroam still prohibit the use of captive portals.
https://eduroam.org/faqs/#:~:text=Does%20eduroam%20use%20a%20captive%20portal%20for%20authentication%3F,-No

But I do agree that if captive portals are used, WebAuthn would be a huge security improvement compared to using passwords.
--Joost

My1

May 26, 2023, 6:22:06 AM
to Joost van Dijk, FIDO Dev (fido-dev), Tim Cappalli, Athur Krishna
When you have a member-only network, that is cool, but for example in mixed networks where you have both members and guests with temporary tickets (which is totally fine if the network disallows communication between devices anyway), or you plain can't do EAP because of compatibility issues (e.g. most game consoles cannot handle EAP), a captive portal kinda is your only option.

But wait, eduroam is a specific standard? Never knew that, I just thought that was more or less randomly the name of the WLAN at the university I had an internship at lol.

Joost van Dijk

Oct 30, 2023, 10:51:56 PM
to Joost van Dijk, FIDO Dev (fido-dev), Athur Krishna, My1, Tim Cappalli