Android invalidating FIDO Authenticators

43 views
Skip to first unread message

MuhammedZubair Omarjee

unread,
Jul 9, 2021, 1:33:12 AMJul 9
to fido...@fidoalliance.org
Good day,

Is there any explanation as to why Android will randomly invalidate FIDO authenticators, and prompt the user of an app to go through reset or recreate flow.

Any known issues, as we seeing a lot more of this scenario's happening.

Kind Regards
Mz

Arshad Noor

unread,
Jul 9, 2021, 4:43:20 PMJul 9
to fido...@fidoalliance.org, MuhammedZubair Omarjee
MZ,

Can you provide more information?

1. What do you mean by "invalidating FIDO Authenticators"? Are the
authenticators being cleared of their keys, or is the authentication
process just forced to restart?
2. Are the authenticators using the U2F, UAF or FIDO2 protocol?
3. If not UAF, what transport are they using: USB, NFC, BLE?
4. If not UAF, is your app using the WebView component for the
authentication process? Or, have you programmed your RCA to use a
specific API (such as the Google FIDO2 API)? If so, which one?
5. Have you checked the logs of your FIDO library/server to see what
errors are being reported?

Providing more detail can help readers provide better responses.

Arshad
> --
> You received this message because you are subscribed to the Google
> Groups "FIDO Dev (fido-dev)" group.
> To unsubscribe from this group and stop receiving emails from it, send
> an email to fido-dev+u...@fidoalliance.org
> <mailto:fido-dev+u...@fidoalliance.org>.
> To view this discussion on the web visit
> https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAKm0qwn3%3DJcK%3DNEDzyc7N1X3A3C3a0gdhd_6MbEYk5%3DUOPFBWQ%40mail.gmail.com
> <https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAKm0qwn3%3DJcK%3DNEDzyc7N1X3A3C3a0gdhd_6MbEYk5%3DUOPFBWQ%40mail.gmail.com?utm_medium=email&utm_source=footer>.

Philipp Junghannß

unread,
Jul 9, 2021, 5:00:47 PMJul 9
to Arshad Noor, FIDO Dev (fido-dev), MuhammedZubair Omarjee
Considering Android is not actually capable of speaking CTAP2 but basically falls back to U2F for roaming authenticators, there are 2 main scenarios I could imagine.

1) FIDO2/webauthn Platform authenticators forgetting the sites they were registered on
2) FIDO devices not recognizing the site due to separation of keys between U2F and FIDO2 modes

Regards

To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/4e3c6bee-d181-88e8-aa51-b417660111ea%40strongkey.com.
Reply all
Reply to author
Forward
0 new messages