Re: [webauthn] Where is the code implementation for roaming authenticators? (#1221)

> https://developers.google.com/web/updates/2018/05/webauthn

One year ago (when that blog post was written) Chrome only supported CTAP 1 (U2F USB Transport) authenticators. Today it supports significantly more.

> Also there are no CTAP apps listed in the FIDO "Reference Implementation Library".
> "As part of the standards process, W3C requires that groups demonstrate implementation experience."

It sounds like you are actually more concerned about lack of implementation experience for the FIDO specification, which is outside the W3C's influence.

> Where is the code implementation for roaming authenticators over BLE?

I don't know of any public code to do so. There are for-sale security keys which support BLE with CTAP1, which should work with your Android phone. Chrome desktop support for BLE I believe is currently feature-flagged on Mac.

To date, the security keys for CTAP 2 have been mostly a mix of USB and NFC.

> I really want to implement secure authentication using my Android mobile phone.

I'm not really sure what you want to implement. FWIW, if you're implying that the working group was not correctly following W3C process as an attempt to get the location of some sort of BLE source code, I might suggest that taking a different, more diplomatic approach in the future may yield better results.

Having your phone act as a platform authenticator to itself is already an Android platform feature. Having those credentials extend to being a BLE authenticator for other devices such as a desktop computer will almost certainly also be desired to tap into that platform-level feature. An app *might* be able to act as an authenticator, depending on platform restrictions and capabilities, but without platform integration, that authenticator would be a different authenticator than the one exposed to Android Chrome. You'd want to pair both with each website you visit.

_Consuming_ third party BLE authenticators in an app may or may not be possible depending on the platform - the ability to communicate with such authenticators directly may be blocked at a platform level, due to the potential of a bad client to phish the user. In such a case, you'll need to see what the platform provides (as an analogous API to WebAuthn) to interface with authenticators.

-- 
GitHub Notification of comment by dwaite
Please view or discuss this issue at https://github.com/w3c/webauthn/issues/1221#issuecomment-495468974 using your GitHub account

Received on Friday, 24 May 2019 04:34:19 UTC