Closed jcjones closed 3 years ago
@cpeterso do we have the API for this in GV?
Note I'm leaving now for parental leave. @tvdmerwe is the best point of contact while I'm out, she has knowledge of what Fenix will need to provide to the Google team to get whitelisted for the relevant APIs.
bbinto modified the milestones: MVP Backlog, Post-MVP Backlog
If Fennec doesn't currently support WebAuthn, then this is a new feature that probably doesn't need to block Fenix MVP or even the Fennec->Fenix transition.
Here is the Gecko bug to support WebAuthn on Android: https://bugzilla.mozilla.org/show_bug.cgi?id=1391438
@tvdmerwe: IIUC, the patches in that bug would add WebAuthn support inside Gecko/GeckoView. Would Fenix then need to do anything (code or UI) to support logging into WebAuthn-capable websites?
@cpeterso: Fennec could easily support WebAuthn if we get to land the patch that J.C. has been working on. This could indeed be feasible when J.C. returns from parental leave - it might benefit from some reviewing on the Fennec side while he's away. We think landing it in Fennec would still be beneficial.
As far as I'm aware, the code across Fennec and GV/Fenix should remain largely the same, but as mentioned above, Google would need to whitelist Fenix as a permitted application for WebAuthn to work for Fenix.
WebAuthn is now supported in Fennec 68, so we're about four weeks away from this becoming a Fennec parity issue.
This would be great, I had to log into GitHub using Fennec to comment on this :)
Wanted to note that Fennec (at least in 68) doesn't pass the authenticator type and it's always unspecified. This should not happen, because if the web asks you for a cross-platform solution (a FIDO Key) you should not be able to input your lock screen pattern (a platform authenticator) like I was easily able to do in my Android. Just leaving it here as a note for whoever works in the implementation.
> WebAuthn is now supported in Fennec 68, so we're about four weeks away from this becoming a Fennec parity issue.
I am on Fennec 81 and there is no WebAuthn support. Or did I miss something?
> I am on Fennec 81 and there is no WebAuthn support. Or did I miss something?
Firefox 68 (internal name: Fennec) is the old Firefox. The internal name of the new Firefox (79 and higher) is Fenix. There is no WebAuthn support in the new Firefox / Fenix yet. This is why this issue is still open.
@snorp has been making some progress on this in https://bugzilla.mozilla.org/show_bug.cgi?id=1549418.
What's the current stance towards making WebAuthn work without Google Play Services (GMS)?
There are some Android apps that can make use of hardware tokens via USB and NFC without requiring GMS, notably OpenKeyChain. Into which component would something like that need to go, if it was implemented in Fennec?
@onitake A good start may be filing a bug on Bugzilla here: https://bugzilla.mozilla.org/enter_bug.cgi?product=GeckoView
With the current API the app / Android Components launches an Intent we get from GeckoView. So at the app level we cannot control this part.
Thanks for the clarification - I reported it here: https://bugzilla.mozilla.org/show_bug.cgi?id=1678045
Filed a follow-up UX issue to address next: https://github.com/mozilla-mobile/fenix/issues/17688
> Wanted to note that Fennec (at least in 68) doesn't pass the authenticator type and it's always unspecified. This should not happen, because if the web asks you for a cross-platform solution (a FIDO Key) you should not be able to input your lock screen pattern (a platform authenticator) like I was easily able to do in my Android. Just leaving it here as a note for whoever works in the implementation.
Thanks for reporting @Markel ! I've filed this issue against GV: https://bugzilla.mozilla.org/show_bug.cgi?id=1689612
For QA: testing can only be done on release builds (Nightly only for now). You can experiment with webauthn.io and github.com to add your device's biometric scanner as an authentication method. 🙂
Not working... Stuck in step 2 when using "use this device with screen lock"
Same here. Tested webauthn.me with yubikey 5C and am also stuck at 2.
Nightly 210129 17:03 (Build #2015790219) AC: 73.0.20210128143151, 9673de174 GV: 87.0a1-20210128094617 AS: 67.2.0
Same problem with
Nightly 210130 17:01 (Build #2015790411) AC: 73.0.20210129143134, d3579e015 GV: 87.0a1-20210129095945 AS: 67.2.0
Thanks! I think there is one last part that didn't land yet.
Fixed the issue.
> For QA: testing can only be done on release builds (Nightly only for now). You can experiment with webauthn.io and github.com to add your device's biometric scanner as an authentication method. 🙂
This should be applicable now. Thanks folks for the early testing!
Great. Worked for me with Yubikey 5C on Huawei P30 Pro NE, Model VOG-L29. Android 10.
Successfully tested:
https://webauthn.me https://webauthn.io https://github.com https://www.google.com
Nightly 210202 17:02 (Build #2015790987) AC: 73.0.20210201143120, 7db67c01d GV: 87.0a1-20210201094443 AS: 69.0.0
Thanks for implementing this missing feature. I am looking forward to seeing it in an upcoming regular release.
Hi, thanks a lot for the patch!
Although the verify credentials works perfectly fine with existing credentials, when I create a credential with fenix, the attestation statement format returned is none, which means it's not possible for the server to authenticate the public key, which may lead to MITM attacks.
Is it possible to create credentials using the Android SafetyNet attestation statement format like in Chrome?
> Although the verify credentials works perfectly fine with existing credentials, when I create a credential with fenix, the attestation statement format returned is none, which means it's not possible for the server to authenticate the public key, which may lead to MITM attacks.
This should be fixed with https://bugzilla.mozilla.org/show_bug.cgi?id=1689612.
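The attestation format raised in the exchange above is carried in the `fmt` field of the CBOR-encoded attestationObject that a relying party receives at registration. As an added example (not part of the thread and not Fenix or GeckoView code), this Node.js code decodes that field and applies a hypothetical `requireAttestation` policy flag; the function names and the sample byte strings are constructed for illustration.

```javascript
// Added example. Minimal CBOR reader covering only the item types that
// occur in a WebAuthn attestationObject (ints, byte/text strings, arrays, maps).
function readCbor(buf, pos = 0) {
  if (pos >= buf.length) throw new Error("truncated CBOR");
  const major = buf[pos] >> 5, info = buf[pos] & 0x1f;
  pos += 1;
  let n = info;
  if (info >= 24) {
    const width = { 24: 1, 25: 2, 26: 4 }[info];
    if (!width || pos + width > buf.length) throw new Error("bad CBOR length");
    n = buf.readUIntBE(pos, width);
    pos += width;
  }
  const take = () => {
    if (pos + n > buf.length) throw new Error("truncated CBOR");
    pos += n;
    return buf.subarray(pos - n, pos);
  };
  if (major === 0) return [n, pos];                          // unsigned int
  if (major === 1) return [-1 - n, pos];                     // negative int
  if (major === 2) return [take(), pos];                     // byte string
  if (major === 3) return [take().toString("utf8"), pos];    // text string
  if (major !== 4 && major !== 5) throw new Error("unsupported CBOR type");
  const out = major === 4 ? [] : {};                         // array or map
  for (let i = 0; i < n; i++) {
    let key, value;
    if (major === 5) [key, pos] = readCbor(buf, pos);
    [value, pos] = readCbor(buf, pos);
    if (major === 4) out.push(value); else out[key] = value;
  }
  return [out, pos];
}

// Hypothetical relying-party policy: with requireAttestation set, a
// registration whose fmt is "none" (or whose attStmt is empty) is rejected.
// A non-"none" statement is only classified here; its signature must still
// be verified according to the rules of that format.
function classifyAttestation(attestationObject, requireAttestation) {
  const [obj, end] = readCbor(attestationObject);
  if (end !== attestationObject.length || typeof obj.fmt !== "string" ||
      !Buffer.isBuffer(obj.authData)) throw new Error("malformed attestationObject");
  const attested = obj.fmt !== "none" && Object.keys(obj.attStmt || {}).length > 0;
  return { fmt: obj.fmt, attested, rejected: requireAttestation && !attested };
}

// Constructed samples: {fmt, attStmt, authData} with 37 zero bytes of authData.
const sample = (parts) => Buffer.concat([Buffer.from(parts.join(""), "hex"), Buffer.alloc(37)]);
const SAMPLE_NONE = sample(["a3", "63666d74", "646e6f6e65", "6761747453746d74", "a0", "686175746844617461", "5825"]);
const SAMPLE_PACKED = sample(["a3", "63666d74", "667061636b6564", "6761747453746d74", "a163616c6726", "686175746844617461", "5825"]);
```

`SAMPLE_PACKED` carries only an `alg` entry in its statement, enough to exercise the classification but not a verifiable packed attestation.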
> Fixed the issue.
> > For QA: testing can only be done on release builds (Nightly only for now). You can experiment with webauthn.io and github.com to add your device's biometric scanner as an authentication method. 🙂
> This should be applicable now. Thanks folks for the early testing!
Hello, @jonalmeida please note that we don't have a Yubikey available yet, I will try to get one in order to test this bug!
@abodea having one for testing is handy for sure. If you have a biometric scanner on the test device (e.g. fingerprint reader) you should be able to use that as well. 🙂
@jonalmeida , for what it's worth, I was able to test webauthn using yubikeys 4 and 5, with an android phone (Pixel 4A 5G) and the tests are successful on every case: yubikey 4 or 5 on the USB port, and yubikey 5 on NFC.
The only flaw so far is the credential creation that returns an attestation statement format none.
> @abodea having one for testing is handy for sure. If you have a biometric scanner on the test device (e.g. fingerprint reader) you should be able to use that as well. 🙂
I'm trying to get one and until then I will do the biometrics tests.
Great work! 🎉 Basic functionality is fine on my configuration:
HMD Global Nokia 6.2
Android 10 Jan 2021 Update
Yubikey 5 NFC
Firefox Nightly 210204 17:01 (Build #2015791371) AC: 73.0.20210203143122, be0c3c140 GV: 87.0a1-20210203093146 AS: 69.0.0
@jonalmeida Note that I verified this issue on the latest Nightly 10/2 with Google Pixel 4 XL (11) and Samsung Galaxy S10+ (10) for the following websites and it worked as expected, no issues when I logged in:
Good morning 👋 I was testing and the authentication type isn't being applied, anybody else finds the same results? Using https://webauthn.io
Android 9 in a Poco F1
> Good morning 👋 I was testing and the authentication type isn't being applied, anybody else finds the same results? Using https://webauthn.io
> Android 9 in a Poco F1
Hello, @Markel thank you for testing! What build did you use? Was it the latest Nightly?
> > Good morning 👋 I was testing and the authentication type isn't being applied, anybody else finds the same results? Using https://webauthn.io
> > Android 9 in a Poco F1
> Hello, @Markel thank you for testing! What build did you use? Was it the latest Nightly?
@abodea
Nightly 210213 17:03 (Build #2015793099) AC: 73.0.20210212205146, 2850e0b9c GV: 87.0a1-20210211092822 AS: 70.0.0
Retested now
EDIT: I've updated and the behavior continues to be the same
Nightly 210214 17:02 (Build #2015793291) AC: 73.0.20210212205146, 2850e0b9c GV: 87.0a1-20210211092822 AS: 70.0.0
Thank you for the response @Markel! Based on my comment and the other confirmations I will close this bug as it was verified as fixed on the latest Nightly build with Google Pixel 4 XL (11) and Samsung Galaxy S10+ (10). @Markel I do believe the issue you got is a specific one, maybe only related to your mobile device. Please open a new bug only with your issue and link it to this one (you can simply add a comment here with the new bug id or mention this bug in your bug description).
@abodea for reference, the issue described by @Markel is tracked here: https://bugzilla.mozilla.org/show_bug.cgi?id=1689612
I think I might have found a bug during some testing I did today. The Solo Tap key which I use doesn't have a great NFC antenna, and that causes the NFC read process to fail quite often. I use webauthn.hwsecurity.dev to test the WebAuthn implementation. To do this I tap "Create credential" which opens up the Android prompt to hold your security key against the back of your phone. If the NFC read fails when doing this with Chrome I get the following message:
I can then tap "Create credential" again to try to read the NFC security key again. However, when this happens in Firefox Nightly I get the following message:
Tapping "Create credential" doesn't produce a prompt to read the NFC key, it only results in getting stuck on the following message:
There's also an easier way to reproduce this issue by swiping back during the prompt to read the NFC key. This produces the following message in Chrome:
And with Firefox Nightly it results in the same messages as in the previous case.
These tests were done with: Firefox Nightly 210226 06:33 (Build #2015795507) AC: 74.0.20210226044101, 2f8e0147b GV: 88.0a1-20210225215504 AS: 71.0.0
@huaracheguarache please file a separate bug for this, thanks!
2FA with Yubikey 5C NFC does not work. Tried to insert both USB key and NFC method.
Device: Huawei Mate 40 Pro, Android 10 Browser: Firefox Nightly 210226 03:09 (Build #2015795483) AC: 74.0.20210225190305, 56609313c GV: 88.0a1-20210225092306 AS: 71.0.0
Also, I'm trying to toggle webauthn u2f and/or usbstoken, but it did not help.
While webauthn.io demo works with platform authenticator and required user verification in nightly, PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns false. I'd expect it to return true. Is this a known thing?
Nightly 210305 17:01 (Build #2015796939) AC: 74.0.20210305144553, 58cfb6476 GV: 88.0a1-20210302034602 AS: 72.1.0
Hi folks, please file new bugs if you find any. This issue is closed and is not being monitored. 🙂
Why/User Benefit/User Problem
Support the W3C Web Authentication specification in Android. Web Authentication is our best tool against phishing on the web, and now is a W3C Recommendation. Firefox supports Web Authentication on Desktop since Firefox 60.
What / Requirements
Firefox Crypto Engineering started work against Fennec in Q2 2018 and released it in D1148, with announcement on the security blog. Obviously code will need to move around to pull this support into GV / Fenix. However, notably, the platform support for Web Authentication is maintained in com.google.android.gms:play-services-fido, version 17.0.0 or later. Currently it looks like there's desire to avoid having GV depend on play-services, so I wanted to raise the issue of how to provide the support for GV/Fenix early. Also, Google has updated play-services' privileged whitelist to include Fenix as a permitted application.
Acceptance Criteria (how do I know when I’m done?)
When Web Authentication works for Android Firefox users. See: