BryanJacobs / FIDO2Applet

FIDO2 Javacard Applet
MIT License

Unable to Authenticate from Android #35

Open noumanqaiser opened 4 hours ago

noumanqaiser commented 4 hours ago

Hi team,

I am new to smartcards and am learning about javacards/FIDO for secure web authentication.

I bought an NXP J3R180 smart card and used GlobalPlatform to load the FIDO2 applet onto the card.

Once loaded, I went on to https://webauthn.io/ to test if I could register and authenticate using the card.

Here are some notes:

  1. When using a PC, I used a USB ISO7816 contact smart card reader. I was able to register/authenticate only when 'User verification' was set to 'Discouraged'. Other settings that worked for me are shown below for any other users who might be trying:
image
  2. On Android 13 (OnePlus 8T), with Chrome v130 and the latest Firefox version, I tried NFC as well as a USB-C ISO7816 smart reader connected via USB OTG; in both cases, I was not successful in registering or authenticating. While using NFC, I could see that selecting an NFC security key and then tapping the card would show 'You are all set', but then when you remove those popups, you could see an error on the webauthn page saying: 'The operation Either timed out or was not allowed'.

My questions are the following:

  1. Is there a specific reason why the javacard works only when 'User verification' was set to disabled?
  2. For Android, what could be done to make the smart card work via NFC? Is there any configuration needed for the applet (before building/post installation)?

Thanks, Nouman

BryanJacobs commented 2 hours ago

> My questions are following:
>
> 1. Is there a specific reason why the javacard works only when 'User verification' was set to disabled?

Are you running the latest version of the applet?

Do you have a PIN set on the authenticator?

> 2. For Android, what could be done to make the smart card work via NFC, is there any configuration needed for the Applet(before building/post installation).

Have you read the compatibility note on the main page about Android?

noumanqaiser commented 1 hour ago

Hi Bryan, many thanks for a prompt response,

The cap file I was using was a few weeks old. I just downloaded the latest one onto the smart card, and with that registration/authentication works perfectly on Windows with default parameters on webauthn.io.

Regarding Android, I had read your note about Android Chrome only working with CTAP1. I have been reading about CTAP1/2, but I believe I've still got a lot to read.

I tried obtaining parameters and then installing the applet as below:

python get_install_parameters.py --enable-attestation

This returned: a800f50505061820071904000818200918fe0a1904000b190400

Then I used the following gp command:

Gp -r "Generic USB Smart Card Reader 0" --install FIDO2.cap --default --params a800f50505061820071904000818200918fe0a1904000b190400

The installation did complete with the following error:

C:\packages\jc applets>Gp -r "Generic USB Smart Card Reader 0" --install FIDO2.cap --default --params a800f50505061820071904000818200918fe0a1904000b190400
FIDO2.cap loaded: us.q3q.fido2 A000000647
[WARN] GPSession - Installation parameters did not parse as valid TLV, assuming simple app parameters!

With the above, it still did not run on Android Chrome. I am sure I am missing something here, and would be thankful for any guidance.
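
Added example (not from the thread or the FIDO2Applet project): the parameter string quoted above is a well-formed CBOR map rather than BER-TLV, which is consistent with gp's warning that it "did not parse as valid TLV" and was treated as simple app parameters. The decoder below covers only the CBOR subset this string uses; key numbers are shown as-is because the thread does not say what they mean.

```python
# Added example: minimal CBOR decoder (subset) to inspect the install parameters.
# PARAMS is the hex string quoted in the comment above; nothing else is assumed.
PARAMS = "a800f50505061820071904000818200918fe0a1904000b190400"

def _read_arg(data, pos, info):
    """Decode the argument carried by the low 5 bits of a CBOR initial byte."""
    if info < 24:
        return info, pos                      # value stored inline
    if info > 27:
        raise ValueError(f"unsupported additional info {info}")
    size = 1 << (info - 24)                   # 1, 2, 4 or 8 bytes follow
    if pos + size > len(data):
        raise ValueError("truncated argument")
    return int.from_bytes(data[pos:pos + size], "big"), pos + size

def decode_item(data, pos=0):
    """Return (value, next_pos) for the CBOR item starting at data[pos]."""
    if pos >= len(data):
        raise ValueError("truncated item")
    major, info = data[pos] >> 5, data[pos] & 0x1F
    pos += 1
    if major == 7:                            # simple values only
        simple = {20: False, 21: True, 22: None}
        if info not in simple:
            raise ValueError(f"unsupported simple value {info}")
        return simple[info], pos
    arg, pos = _read_arg(data, pos, info)
    if major == 0:
        return arg, pos                       # unsigned integer
    if major == 1:
        return -1 - arg, pos                  # negative integer
    if major == 5:                            # map of arg key/value pairs
        result = {}
        for _ in range(arg):
            key, pos = decode_item(data, pos)
            result[key], pos = decode_item(data, pos)
        return result, pos
    raise ValueError(f"major type {major} is outside this sketch's subset")

def decode_install_params(hex_string):
    """Decode one CBOR item and insist that it consumes every byte."""
    data = bytes.fromhex(hex_string)
    value, end = decode_item(data)
    if end != len(data):
        raise ValueError(f"{len(data) - end} trailing byte(s)")
    return value

if __name__ == "__main__":
    print(decode_install_params(PARAMS))
```

Running the same check on a string before passing it to `--params` catches a truncated or mis-pasted value before it reaches the card.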