davidearl / webauthn

An implementation of webauthn in PHP on the server side (e.g. Yubico 2 and Google Titan keys)
https://webauthn.davidearl.uk
MIT License

Webview android #25

Closed hregis closed 4 years ago

hregis commented 4 years ago

Is it possible to use "navigator.credentials" with Android WebView?

navigator.credentials.get() and others are present in WebView, but nothing happens! Do you have to allow something on the "server" side or in the application that uses the "WebView"?

Thank you

davidearl commented 4 years ago

I don't know, I'm afraid. I believe it was introduced in Chrome 67 and that Android WebView is based on Chromium, so if it is >= 67 then I assume it would be supported.

However, navigator.credentials isn't specific to webauthn. It is used for other things as well, so its presence in the browser doesn't mean webauthn is supported.

Any use of webauthn must be supported by the server. The challenge (both on registration and authentication) must come from the server, otherwise anyone could fabricate one. You'll need to store the registration server-side as well, as that's needed to authenticate.

See the example for how it works. That simulates a login, but you would do something similar when used for 2FA.

dschuermann commented 4 years ago

Android's WebView will not support WebAuthn (source). If you are still searching for a solution: https://hwsecurity.dev/guide/fido-webview/
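An added example, not part of the thread or of the davidearl/webauthn code: a client-side check that separates "navigator.credentials exists" from "WebAuthn is available", plus a guard that rejects instead of hanging when the call never settles. The function names, state strings and timeout are assumptions made for illustration; the `publicKey` options (including the challenge) are expected to come from the server, as described above.

```javascript
// Classify what a browsing context exposes. `win` is the global object
// (window in a page); it is a parameter so the logic can be run with stubs.
function webauthnSupport(win) {
  const nav = win && win.navigator;
  const hasCredentials = !!(nav && nav.credentials &&
    typeof nav.credentials.get === "function");
  if (!hasCredentials) return "no-credential-management";
  // navigator.credentials also serves password and federated credentials;
  // PublicKeyCredential is the WebAuthn-specific interface.
  if (typeof win.PublicKeyCredential !== "function") {
    return "credentials-without-webauthn";
  }
  return "webauthn";
}

// Request an assertion, failing fast with a clear error instead of leaving
// the login page waiting. `publicKey` must be the server-issued options.
function getAssertion(win, publicKey, timeoutMs) {
  const state = webauthnSupport(win);
  if (state !== "webauthn") {
    return Promise.reject(new Error("WebAuthn unavailable: " + state));
  }
  let timer;
  const guard = new Promise((_, reject) => {
    timer = setTimeout(
      () => reject(new Error("WebAuthn call timed out")), timeoutMs);
  });
  // Whichever settles first wins; the timer is always cleared afterwards.
  return Promise.race([win.navigator.credentials.get({ publicKey }), guard])
    .finally(() => clearTimeout(timer));
}
```

When the state is not `"webauthn"`, the page can offer a fallback (another second factor, or opening the flow in a full browser) rather than calling `navigator.credentials.get()`.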