Open Bug 1678045 Opened 4 years ago Updated 5 months ago

Support Webauthn on Android without Google services

Categories

(GeckoView :: General, enhancement, P3)

Unspecified
All
enhancement

Tracking

(Not tracked)

UNCONFIRMED

People

(Reporter: onitake, Unassigned)

References

(Blocks 1 open bug)

Details

User Agent: Mozilla/5.0 (X11; Linux x86_64; rv:82.0) Gecko/20100101 Firefox/82.0

Steps to reproduce:

Open a website in Fenix that supports authentication with hardware keys through WebAuthn/U2F, such as https://webauthn.io/.
Try to use a hardware token such as a Yubikey or similar USB/NFC device to authenticate with the site.
The device where Fennec is running does not have Google Mobile Services (GMS) or a replacement framework installed, only vanilla Android Open Source (AOSP).

Actual results:

The website reports that Webauthn is not supported on the device.

Expected results:

Fenix should ask to connect a security token, either via USB or via NFC, when no GMS services for WebAuthn authentication are found.

There is other Android software that supports hardware tokens without depending on Google Services, so it is definitely possible to implement this in an Android application. For example: https://www.openkeychain.org/

For reference, my original question was posted here: https://github.com/mozilla-mobile/fenix/issues/1340#issuecomment-719910187

Hey snorp, should this work now? Or maybe Fenix hasn't implemented it yet.

Flags: needinfo?(snorp)
Priority: -- → P3

(In reply to PTO DEC 19th - JAN 3rd | Agi Sferro | :agi | ⏰ PST | he/him from comment #2)

Hey snorp, should this work now? Or maybe Fenix hasn't implemented it yet.

Yeah, I believe it should work now.

Flags: needinfo?(snorp)

Can you clarify what should be working now?

I tested webauthn.io and demo.yubico.com with the latest Fennec release from F-Droid (84.1.0).
The websites no longer report that U2F/Webauthn isn't supported, and I can try to pair a token, but I never get prompted by the browser to do so. Connecting a USB token will not make it signal that pairing/authentication was requested. Connecting an NFC token will simply exhibit the default behaviour, in that a demo URL is presented by the token and Android asks to open a compatible app.

Is there additional UI needed to actually prompt the user for pairing tokens?

Ah, it seems this isn't working because https://github.com/mozilla-mobile/android-components/pull/8714 is still open on the A-C side. I get the same behavior as comment #4.

(In reply to James Willcox (:snorp) (jwillcox@mozilla.com) (he/him) from comment #5)

Ah, it seems this isn't working because https://github.com/mozilla-mobile/android-components/pull/8714 is still open on the A-C side. I get the same behavior as comment #4.

I don't believe the A-C changes can address what this request is asking for.

In GeckoView, we always use the privileged GMS APIs here. From the ActivityDelegate, we only launch activity.startIntentSenderForResult and do not have control over which API can be used. For that, we would probably need to move more of the WebAuthnTokenManager to A-C instead of being a direct dependency of GV.

FWIW, if WebAuthn isn't usable per se, then it's clear that this needs to be addressed first.
But, as Jonathan correctly stated, this is not the scope of this bug report.

What I'm requesting is that Fenix integrates support for external authentication tokens (such as the Yubikey), in a similar way to how it's done in OpenKeyChain. There are Android devices that don't run (official) Google Mobile Services, and an external auth token is also arguably more secure than the mobile device itself.

As far as I can gather (and sadly, the documentation is a bit scarce), the GMS FIDO2 module doesn't support external tokens. It's only meant to turn the mobile device into a token, and that's possibly also a reason why Google did not put it into AOSP.

Blocks: 1700817
Severity: -- → N/A
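As an added example (not code from this bug, GeckoView, Fenix or GMS), here is the relying-party side of what the comments above describe in JavaScript: requesting a cross-platform (USB/NFC) authenticator instead of the phone's built-in one, and mapping what the site sees when no such key is reachable. It assumes a `win` object standing in for the browser global so it can be exercised with constructed stubs; all function names are the example's own.

```javascript
// Added example, not code from the bug report, GeckoView or Fenix. `win` stands
// in for the browser global (window) so the helpers can run against constructed
// stubs outside a browser; the function names here are this example's own.

// Does the page have the WebAuthn entry points at all? If not, all a site can
// say is "not supported" (the behaviour first reported in this bug).
function webauthnApiPresent(win) {
  return Boolean(win && typeof win.PublicKeyCredential === "function" &&
    win.navigator && win.navigator.credentials &&
    typeof win.navigator.credentials.create === "function");
}

// Registration options that only admit a cross-platform (roaming) authenticator.
// `challenge` and `userId` are bytes supplied by the server; `rpId` is the site's domain.
function buildCrossPlatformCreationOptions({ rpId, rpName, userId, userName, challenge }) {
  if (!(challenge instanceof Uint8Array) || challenge.length < 16) {
    throw new Error("challenge must be at least 16 server-generated random bytes");
  }
  return { publicKey: {
    rp: { id: rpId, name: rpName },
    user: { id: userId, name: userName, displayName: userName },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 },    // ES256
                       { type: "public-key", alg: -257 }], // RS256
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // excludes the phone's own authenticator
      residentKey: "discouraged",
      userVerification: "preferred",
    },
    attestation: "none",
    timeout: 60000,
  } };
}

// WebAuthn has no pre-flight check for roaming authenticators: the only signal is
// what create() does, which is why a site can "support" WebAuthn yet never prompt.
async function registerWithSecurityKey(win, options) {
  if (!webauthnApiPresent(win)) return { status: "no-webauthn-api" };
  try {
    const cred = await win.navigator.credentials.create(options);
    return cred ? { status: "registered", credentialId: cred.id }
                : { status: "no-credential-returned" };
  } catch (e) {
    if (e && e.name === "NotSupportedError") return { status: "attachment-not-supported" };
    if (e && e.name === "NotAllowedError") return { status: "no-key-responded-or-cancelled" };
    return { status: "error", name: e && e.name };
  }
}
```

On a device without a usable cross-platform path, create() typically rejects with NotAllowedError after the timeout, so the page can tell the user that no security key answered rather than reporting a generic failure.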

Can we use authenticator-rs (which has been used to implement WebAuthn on macOS, Linux and Win7) to implement WebAuthn on Android after this PR which implements NFC transport was merged? This should also fix https://bugzilla.mozilla.org/show_bug.cgi?id=1554397 since it has full support for CTAP2.1.
https://github.com/mozilla/authenticator-rs/pull/114
