Questions on WebAuthn implemenation with ble

Hi,
I’m Fabio Pandolfo, an Italian student in informatic engineering and I would like to deploy a full stack application exploiting Web Authentication Api. What I would like to do, in particular, is to develop an Android application that acts as authenticator for my web site. The scenario I’ve imagined is the following:

  1.  User pairs his smartphone with the desktop/laptop using Bluetooth low energy (ble)
  2.  User goes to my website and he is asked to register an account (according to the webauthn api)
  3.  User has to use my application as authenticator.
I’ve read that to support roaming authenticators (like my application on the smartphone) I Have to use the CTAP2 protocol. In particular, on this particular aspect I have a lot of doubts concerning the communication between the browser and the Android smartphone through Ble:

     *    Navigator.credentials.create is the method that allows the browser to call the authenticator to create credentials. From what I’ve understood, the browser will call the AuthenticatorMakeCredential method to effectively request the authenticator to create credentials. But, how is browser able to discover authenticators paired with the laptop through ble? Is something that is done autonomously or needs something like a specific plugin to be developed?
     *   How my android application can announce itself as an authenticator?
     *   Is there any valid library in android that implements the CTAP2 protocol? And, moreover, which are exactly the two members that have to communicate through this protocol? I mean, for sure one of this two is represented by the Android application, but which is the other? A javascript client application, a plugin, or something else?
Any answer to one of this question will be very helpful. Thank you for your attention.
Best regards.


Fabio Pandolfo

Received on Wednesday, 10 October 2018 13:56:07 UTC