Closed Bug 1391438 Opened 3 years ago Closed 1 year ago

Support WebAuthn Tokens for WebAuthn on Android

Categories

(Core :: DOM: Web Authentication, enhancement, P1)

Other Branch
All
Android
enhancement

Tracking

RESOLVED FIXED
mozilla68
Tracking Status
relnote-firefox --- 68+
geckoview66 --- wontfix
firefox-esr60 --- wontfix
firefox66 --- wontfix
firefox67 --- wontfix
firefox68 + fixed

People

(Reporter: jcj, Assigned: jcj)

References

(Blocks 6 open bugs)

Details

(Whiteboard: [webauthn][geckoview:fenix:m7])

Attachments

(2 files)

Android just added native support for FIDO U2F token devices [1], so it is now easier to support this in Fennec.

There are two approaches in the current WebAuthn code to add more platforms / authenticator types:

1. Implement another U2FTokenTransport that calls out to the OS as needed. 

2. Add Android support to the Rust u2f-hid-rs library that we're importing into Gecko in Bug 1388843.

I'm not familiar with Fennec enough to know which would be easier. I know there are some Rust FFI crates available for Android, so it might be relatively straightforward to at least pull in Bluetooth HID on Fennec that way.

[1] https://developers.google.com/identity/fido/android/native-apps

We'll probably just want to do this in Rust; I've filed https://github.com/jcjones/u2f-hid-rs/issues/42 to track it in the Rust lib.

Using the Android API might get users support for more transports than upgrading the Rust library?
https://developers.google.com/android/reference/com/google/android/gms/fido/common/Transport

The Android API supports BT, BT_LE, NFC and USB.
https://developers.google.com/android/reference/com/google/android/gms/fido/common/Transport

:nalexander could you please take a look?
Flags: needinfo?(nalexander)
(In reply to Axel Nennker from comment #2)
> Using the Android API might get users support for more transports than
> upgrading the Rust library?
> https://developers.google.com/android/reference/com/google/android/gms/fido/common/Transport
> 
> The Android API supports BT, BT_LE, NFC and USB.
> https://developers.google.com/android/reference/com/google/android/gms/fido/common/Transport
> 
> :nalexander could you please take a look?

Hi Axel!  Sorry, I can't spend any time on this -- I've long since moved off the Fennec project.  I just do some build system stuff for Fennec now.

I agree that an implementation based off the Android API would be better than re-implementing everything in Rust, but given resourcing for Fennec now, I don't think an implementation based on the Android API will happen any time soon.  Sorry :(
Flags: needinfo?(nalexander)
no reviews needed yet, just a WIP
Attachment #8973658 - Attachment description: wip → Bug 1391438 - Support U2F Tokens for WebAuthn on Android
Component: DOM: Device Interfaces → DOM: Web Authentication

The APIs involved here give us CTAP2 (FIDO2) support

Hardware: Unspecified → All
Summary: Support U2F Tokens for WebAuthn on Android → Support WebAuthn Tokens for WebAuthn on Android
Attachment #8973658 - Attachment description: Bug 1391438 - Support U2F Tokens for WebAuthn on Android → Bug 1391438 - Support FIDO2 for WebAuthn on Android
Whiteboard: [webauthn] → [webauthn][geckoview:fenix:p3]
Priority: P3 → P2
Whiteboard: [webauthn][geckoview:fenix:p3] → [webauthn][geckoview:fenix:p2]

Adding [geckoview:fenix:m7] whiteboard tag because we should figure out our WebAuthn plans in Q2.

Whiteboard: [webauthn][geckoview:fenix:p2] → [webauthn][geckoview:fenix:m7]
Assignee: nobody → jjones
Status: NEW → ASSIGNED
Pushed by jjones@mozilla.com:
https://hg.mozilla.org/integration/autoland/rev/192ba11153b4
Move GECKOBUNDLE macros into their own header r=snorp
https://hg.mozilla.org/integration/autoland/rev/d8e0bfeb5fa3
Support FIDO2 for WebAuthn on Android r=snorp,keeler
Status: ASSIGNED → RESOLVED
Closed: 1 year ago
Resolution: --- → FIXED
Target Milestone: --- → mozilla68
Depends on: 1551297

Release Note Request (optional, but appreciated)
[Why is this notable]: We're enabling Web Authentication, including biometric authentication support, for Android (Fennec)
[Affects Firefox for Android]: Yes, this brings Fennec in-line with desktop (where WebAuthn shipped in 60).
[Suggested wording]: Support the anti-phishing W3C Web Authentication API on Firefox for Android.
[Links (documentation, blog post, etc)]: to be published

relnote-firefox: --- → ?

I'm using Firefox Beta 68 on a Samsung S5 mini with Android 6.0.1 with an NFC-enabled hardware security key (it's a Solo Tap), but I can't figure out how it works. It keeps popping up with the dialog asking me what to do with the NFC tag I've just presented my phone with.

Is there an additional app I need installed to take care of this for me? The instructions for my key say that I need the Google Authenticator app installed, which I've just done, but it doesn't seem to change anything.

I guess bug 1551230 comment 5 covers this from a release notes pov? I can change the wording to your suggestion though.

Flags: needinfo?(jjones)

That's fine, :jcristau. Thanks!

Flags: needinfo?(jjones)

(In reply to Starbeamrainbowlabs from comment #12)
> I'm using Firefox Beta 68 on a Samsung S5 mini with Android 6.0.1 with an NFC-enabled hardware security key (it's a Solo Tap), but I can't figure out how it works. It keeps popping up with the dialog asking me what to do with the NFC tag I've just presented my phone with.
> 
> Is there an additional app I need installed to take care of this for me? The instructions for my key say that I need the Google Authenticator app installed, which I've just done, but it doesn't seem to change anything.

Hey Starbeamrainbowlabs:

We don't use Bugzilla for support (overall), but you shouldn't need any additional apps, no. The key instructions reflect Android of 2018, not the updates to add FIDO2 around New Years. The dialog that shows up when you're using WebAuthn (https://webauthn.io, https://webauthn.me) should let you trigger via NFC just fine, though the only NFC security keys I have used to test are Yubikey 4-series ones. The actual interaction with your security key here is mediated by Android, not us, so we're limited in what we can do to improve it, but feel free to email me directly and I'll try and help.

[geckoview:fenix:m7] bugs should be priority P1.

I'm editing a bunch of GeckoView bugs. If you'd like to filter all this bugmail, search and destroy emails containing this UUID:

e88a5094-0fc0-4b7c-b7c5-aef00a11dbc9

Priority: P2 → P1