The ultimate account security is now in your pocket [not true]

How is it possible that the W3C approved a recommendation without a reference implementation???!!!

The W3C recently approved /Web Authentication: An API for accessing Public Key Credentials/ <https://www.w3.org/TR/webauthn/>, commonly referred to as *WebAuthn*.

In section 6.2.1 the recommendation states, "For example, a platform authenticator integrated into a mobile device could make itself available as a roaming authenticator via Bluetooth. In this case the client would recognize it only as a roaming authenticator, and not as a platform authenticator."

Are there any examples available anywhere for creating a WebAuthn roaming authenticator on a mobile device and making it available by Bluetooth?

Google was the leader in the WebAuthn recommendation. Google controls Chromium. Google controls Android. Where are the APIs for WebAuthn roaming authenticators? Where is the sample code? Where is the reference implementation? Where is there any information to guide the development community? Where are the announcements for anything that is "Coming Soon"? Even for using WebAuthn with platform authenticators, the documentation <https://developers.google.com/identity/fido/android/native-apps> is marginal. It seems that *Google has let the development community down with regard to WebAuthn*.

I was excited to see this article: /The ultimate account security is now in your pocket/ <https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/>

This article promised that your Android phone could be used as a roaming authenticator to sign into your Google account (a modest but good start). Unfortunately, *the steps below fail* (from the article):

To activate your phone’s built-in security key <http://support.google.com/accounts?p=phone-security-key>, all you need is an Android 7.0+ phone and a Bluetooth-enabled Chrome OS, macOS X or Windows 10 computer with a Chrome browser. Here’s how to do it:

 1. Add your Google Account to your Android phone.
 2. Make sure you’re enrolled in 2SV <http://g.co/2sv>.
 3. On your computer, visit the 2SV settings and click "Add security key".
 4. Choose your Android phone from the list of available devices—and you’re done!


When I click "Add security key" (Windows 10 running Chrome Version 74.0.3729.157) I get the screen below with no phone in a "list of available devices". My Samsung Nexus6 is running Android 7 AND I have paired the Bluetooth connection between my phone and computer.

What is wrong?  Why doesn't this work?  (Tell me I need the latest Pixel phone and I will go out and buy one.)

Thx in advance for your help and guidance.

Mike




Received on Thursday, 16 May 2019 14:38:03 UTC