Open ph00lt0 opened 2 years ago
This is wholly dependent on Google Play Services and proprietary blobs compiled into gecko. The removal patch: https://github.com/Divested-Mobile/Mull-Fenix/blob/master/gecko-liberate.patch
Discussion: https://gitlab.com/fdroid/rfp/-/issues/235#note_922550819
A potential future solution: https://gitlab.com/relan/fennecbuild/-/issues/34 https://gitlab.com/relan/fennecbuild/-/tree/microg
I am aware of the requirements of GMS, did not know about the other requirement. But I think it could be offered to those who choose to use this. The security advances are undeniable.
Good evening,
I was wondering if the Mull development team would consider adding FIDO2/WebAuthn via this Android SDK that is not reliant on Google elements, instead of the non-FOSS libs that you do not wish to have in Mull's code.
The SDK is previewed on the website of Nitrokey GmbH: https://www.nitrokey.com/products/android-fido2-sdk
The main website appears to be: https://hwsecurity.dev/
(I am not entirely sure whether it's free; it does seem to show paid options, but I am not sure in what context (e.g. whether the paid option is for an actual service, similar to OpenVPN).)
EDIT: It seems there is a commercial license available, but that is optional; it is otherwise GPLv3. Nitrokey's website says its GitHub repo page is the following: https://github.com/cotechde/hwsecurity
I hope you will reconsider FIDO2 implementation if you can manage to implement this SDK or any other FOSS-compliant alternative, as I've had to hold back on implementing WebAuthn on several online accounts due to the browser not properly rejecting the requests (for example, Google doesn't go toward the failed screen, which allows you to select TOTP instead; it waits eternally), but I would prefer not needing to hold back on adding phys. security keys on my accounts.
Hope this information may prove of use to you.
Kind regards, Jaehaerys
@JaehaerysNL see https://github.com/Divested-Mobile/Mull-Fenix/issues/89#issuecomment-1273549239
> due to the browser not properly rejecting the requests

It should be rejected: https://github.com/Divested-Mobile/Mull-Fenix/blob/master/prebuild.sh#L305 Did you edit anything in about:config?
Edit: actually probably regressed by: https://github.com/Divested-Mobile/Mull-Fenix/blob/master/preferences/userjs-brace.js#L33 Will fix.
Maybe I am missing something, but I see mentions of MicroG implementation, which isn't useable for GrapheneOS.
And MicroG means still using Google in a way, so I'm not sure how that competes with using an SDK that does not rely on Google directly or indirectly, but maybe I'm just dumb, idk.
(Just speaking my mind here, no offense intended, apologies if it is taken as such)
It would only be using a single component of microG and it wouldn't matter if you had microG or Play installed or not.
DivestOS itself has zero support for microG either, so I wouldn't accept such a solution if it was as you say.
Ahh I see, it seems I misread it then, apologies.
> It would only be using a single component of microG and it wouldn't matter if you had microG or Play installed or not.
> DivestOS itself has zero support for microG either, so I wouldn't accept such a solution if it was as you say.

That is very good to hear, though. I mistook it as still needing MicroG or something. I think the MicroG project isn't bad or something, but in the long run one might be shifting the problem with that, which is what made me worry (I think only Vanced MicroG works for GrapheneOS; CalyxOS MicroG does not, however, since Graphene lacks things regarding that signature spoofing. I forgot the exact words but I think you know what I might be referring to).
Firefox for mobile supports FIDO2 WebAuthn; however, this seems disabled in Mull's user config.
security.webauth.webauthn = false
Not sure if anything else is necessary to get this to work?