Open Bug 1768622 Opened 2 years ago Updated 5 months ago

Support Google's "built-in security key" on phones

Categories: Core :: DOM: Web Authentication, enhancement, P3

Tracking: Webcompat Priority P3

People: Reporter: denschub, Unassigned

References: Blocks 1 open bug


Google's 2FA flow supports using a phone's "built-in security key", as explained in https://support.google.com/accounts/answer/9289445

I don't know details about how this even works or if this is standardized or not, but even if we spoof as Chrome, Google still claims Firefox on Android is "unsupported". Maybe there is something we can do about that.

(I'm not sure if this is even related to WebAuthn, but this is a good starting point.)

Webcompat Priority: --- → ?

From what I've gathered this is a FIDO authenticator that uses the phone's TEE as the backend, and is exposed to other devices via Bluetooth. So this is at least WebAuthn-adjacent. It should be possible to make it work at least on Android. Do any other websites support this, or is this only usable on google.com?

As far as I can tell Windows Hello does not support Bluetooth security keys (when I try to add a security key it asks to insert it in the USB port; maybe there is a way that I am not aware of). If we were to want to support this on a Windows desktop we wouldn't be able to do so using our current approach, which is to simply call down to Windows Hello and let it take it from there.

(In reply to R. Martinho Fernandes [:rmf] from comment #1)

> Do any other websites support this, or is this only usable on google.com?

As far as we know right now, it's only Google. We'll add see-also's if we see more reports.

This isn't breaking anything per se, just changing the UX on their page a bit (and it's unclear whether we want to support FIDO anytime soon), so we're setting webcompat P3 for now.

Webcompat Priority: ? → P3

Ah, this uses caBLE ("cloud assisted Bluetooth Low Energy"), which is a protocol that Google designed to side-step the need for the user to do Bluetooth pairing and has been submitted to FIDO for review. This will probably be part of the protocol suite for so-called WebAuthn "passkeys" (aka multi-device credentials).

Severity: -- → S3
Priority: -- → P3
See Also: → passkeys
Blocks: 1835410