5

Edit:

Look, is it just me, or doesn't the W3C spec say this should be happening already:

1.2.2. Authentication

On a laptop or desktop:

User pairs their phone with the laptop or desktop via Bluetooth.

User navigates to example.com in a browser and initiates signing in.

User gets a message from the browser, "Please complete this action on your phone."

Next, on their phone:

User sees a discrete prompt or notification, "Sign in to example.com."

User selects this prompt / notification.

User is shown a list of their example.com identities, e.g., "Sign in as Mohamed / Sign in as 张三".

User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

Now, back on the laptop:

Web page shows that the selected user is signed in, and navigates to the signed-in page.

===============

My WebAuthn code happily interacts with Windows Hello for user verification via PIN. My Samsung Android phone happily interacts with the https://webauthn.appspot.com demo and accepts fingerprint verification.

But I can't seem to use my phone as a security key like a YubiKey connected to my computer?

I can pair it with the PC via Bluetooth or tether it with a USB cable, but Windows will not recognize it as a security key.

Is this possible, or is the functionality restricted? If we could use our phones as security keys, we'd need no special dongles for platform-agnostic authentication.

McMurphy
  • To add some more info, there was a project trying to achieve that: https://github.com/Trojan295/android-webauthn-token . An ad hoc workaround is using a QR code to pass the session from the computer to the phone browser. – GramThanos Mar 18 '21 at 11:31

3 Answers

4

In order for that to work, the phone device manufacturer would have to either always present itself as a FIDO2 authenticator, or have some sort of switch that allows it to change mode, kind of like how you can configure USB connection to be for charging or for data transfer. I don't see any technical reason why that could not be done, in fact it's come up multiple times in various discussions, but to my knowledge that is not an Android feature, at least not yet.

aseigler
  • So it looks like it's a Samsung (et al) problem? https://www.theverge.com/2019/4/10/18295348/google-android-phone-fido-webauthn-phishing-two-factor-authentication – McMurphy Mar 17 '21 at 22:53
  • 2
    I don't necessarily think it's a Samsung problem but more of an Android feature that is a work in progress. The article is headlined in a way that makes it seem like the features that are currently available are the "holy grail" of being able to literally use your phone just like a security key with no strings attached or disclaimers -- to my knowledge that is simply not the case...yet. – aseigler Mar 17 '21 at 23:53
  • Please see the Edit to the main question above about the prescribed functionality. – McMurphy Mar 23 '21 at 00:11
  • That scenario described is a potential use case story, and nearly identically describes the flow with Microsoft services today with the authenticator app. – aseigler Mar 23 '21 at 04:06
  • So Windows sees the Bluetooth Phone pairing and says "Ahah, let's see if they have Microsoft Authenticator installed. Then we'll offer up the biometrics. If not, stuff 'em"? Abuse of market position? Antitrust? – McMurphy Mar 23 '21 at 04:34
  • No, that's just one example of a vendor product, other vendors do similar things. – aseigler Mar 23 '21 at 14:19
  • Re: -1, cool! so what do I have to do to be another vendor product? Even Chrome debug webauthn authenticator emulation won't see my phone when I choose BLE as the transport :-( – McMurphy Mar 23 '21 at 23:22
1

For that, either the smartphone OS or a third-party application needs to implement the CTAP protocol to receive and process authentication operations on the phone. Currently, Android does, but not in a way that can be used as a cross-platform authenticator without being tied to only one PC. For third-party apps, there are some certified solutions that are listed on the FIDO Alliance website as certified authenticators.

Hamed
0

I recently found that the Pixel phone can do this. When you open a FIDO2 web page via Chrome or Edge, it will prompt a dialog showing "Add Android Phone". Click it and a QR code (FIDO:/AAACCC...) appears. Scan the QR code with your Pixel camera (registered as a FIDO2 token). Magic... A push notification shows on the Pixel. Click it, wait, and scan your fingerprint. Finally, your WebAuthn web page verifies OK via BT.

The only question for me is what kinds of Android phones can support this scenario. Can any phone other than the Pixel support scanning the QR code (FIDO:/....)?

Andy