bulwarkid / virtual-fido

A Virtual FIDO2 USB Device
MIT License

Can this run on Android, or could it? #2

Open talkingtab opened 2 years ago

talkingtab commented 2 years ago

I would love to have a way for users to use Fido based on their iPhone or Android phone.

cmdli commented 2 years ago

I wouldn't completely rule it out, as I haven't investigated it too thoroughly, but it would most likely be somewhat hard to support on mobile devices in its current form. Right now it emulates a USB device to get the base platform to treat it like any other FIDO device, and I suspect that might be hard to do on Android/iOS.

jeroenhd commented 2 years ago

I have tested this from within Termux. Running the server doesn't require root permissions so it should be doable to port this library over! All you need is to have your devices on the same network.

My steps:

  1. pkg add golang git in termux to install the necessary tooling
  2. git clone https://github.com/bulwarkid/virtual-fido/ inside termux to download the repository
  3. Patch out the IP check in `virtual-fido/usbip_server.go` (lines 32-36) and the import for `strings` (line 6) using your command line editor of choice within termux
  4. go run main start just like on desktop
  5. On your PC, run usbip attach -r $yourPhonesIpAddress -b 2-2.
  6. The virtual-fido server on your phone is now usable from your PC!

Do note that this approach doesn't use any authentication or verification. Someone else in your network may connect to your device's USB/IP server which is Bad News. I've noticed the connection works over a VPN, though, so with a point-to-point WireGuard setup and a well-configured firewall you may be able to set up something relatively secure.

To get proper phone-based FIDO support, though, I'd personally take another route and develop a full app: run the USB injection on the client and set up some kind of app<->PC communication bridge instead of reading the credentials from a file (leverage smartphones' secure storage APIs for the keys! maybe use biometrics for presence detection!). Maybe add some cloud messaging/Bluetooth LE/whatever messaging to exchange the signature securely between devices as well. Basically, let the tool only do the key operations on the phone. USB over IP can be quite dangerous because you never know who's in your network!

I think developing such an app shouldn't take more than a few weeks built on this project's foundations; you might even build a business out of this.

If you want to use your phone as a 2FA tool right now and don't feel like spending weeks to develop an app, krypt.co still operates, though it's no longer being developed and hasn't been updated for ages now. I'm not aware of any easily self-hostable alternatives at the moment, though you may try based on the krypton source code.
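Added example, not code from the virtual-fido project or from anyone in this thread: one way to shrink the exposure jeroenhd describes is a peer allowlist in front of the USB/IP listener, so that only the WireGuard point-to-point peer can attach. The CIDR values are constructed for illustration, and the listener is assumed to be bound to the phone's WireGuard address rather than all interfaces.

```go
package main

import (
	"fmt"
	"net"
)

// parseAllowlist turns CIDR strings into networks; a malformed entry is a hard error.
func parseAllowlist(cidrs []string) ([]*net.IPNet, error) {
	nets := make([]*net.IPNet, 0, len(cidrs))
	for _, c := range cidrs {
		_, n, err := net.ParseCIDR(c)
		if err != nil {
			return nil, fmt.Errorf("bad allowlist entry %q: %w", c, err)
		}
		nets = append(nets, n)
	}
	return nets, nil
}

// peerAllowed reports whether a connection's "host:port" remote address
// falls inside one of the allowed networks; anything unparsable is denied.
func peerAllowed(remoteAddr string, nets []*net.IPNet) bool {
	host, _, err := net.SplitHostPort(remoteAddr)
	ip := net.ParseIP(host)
	if err != nil || ip == nil {
		return false
	}
	for _, n := range nets {
		if n.Contains(ip) {
			return true
		}
	}
	return false
}

// acceptAllowed closes out-of-allowlist connections before a single USB/IP
// byte is exchanged; bind the listener itself to the WireGuard address, not 0.0.0.0.
func acceptAllowed(ln net.Listener, nets []*net.IPNet) (net.Conn, error) {
	for {
		conn, err := ln.Accept()
		if err != nil {
			return nil, err
		}
		if peerAllowed(conn.RemoteAddr().String(), nets) {
			return conn, nil
		}
		conn.Close()
	}
}
```

This only limits who can reach the listener; the USB/IP protocol itself still carries no authentication, so the WireGuard tunnel and firewall remain the actual trust boundary.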