tejado / Authorizer

Authorizer is a Password Manager for Android. It emulates an HID keyboard over USB and enters your credentials on your target device. Additionally it supports OTP

USB Support for FIDO CTAP/CTAP2 for U2F & WebAuthn #33

Open tejado opened 4 years ago

tejado commented 4 years ago

I'm working on the support of WebAuthn over USB. For this, the Android device needs to have a special USB HID descriptor (CTAP) and Authorizer needs to implement the device logic (key creation and authentication).

The latest spec of the Client to Authenticator Protocol (CTAP) can be found here: https://fidoalliance.org/specs/fido2/fido-client-to-authenticator-protocol-v2.1-rd-20191217.html

The USB HID descriptor is already available in USB Gadget Tool (recently released by me).

And a first PoC to implement the WebAuthn device logic was successful.

Next step:
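
Added example, not part of the issue thread or of Authorizer's code: the opening comment says the phone must expose a CTAP-specific USB HID descriptor, so this C sketch walks a report descriptor's short items and checks that it declares the FIDO usage page (0xF1D0) with one 64-byte input report and one 64-byte output report. The sample bytes are constructed after the layout in the CTAP specification's USB HID section; the function name and return codes are assumptions, and a dedicated FIDO interface (not a combined keyboard and FIDO descriptor) is assumed.

```c
#include <stddef.h>
#include <stdint.h>
/* Constructed sample: FIDO report descriptor with 64-byte reports, laid out
 * as in the USB HID section of the CTAP specification. */
static const uint8_t fido_desc[] = {
    0x06, 0xD0, 0xF1,                         /* Usage Page (FIDO Alliance, 0xF1D0) */
    0x09, 0x01, 0xA1, 0x01,                   /* Usage (CTAPHID), Collection (App)  */
    0x09, 0x20, 0x15, 0x00, 0x26, 0xFF, 0x00, /* data in, logical range 0..255      */
    0x75, 0x08, 0x95, 0x40, 0x81, 0x02,       /* 8 bits x 64, Input (Data,Var,Abs)  */
    0x09, 0x21, 0x15, 0x00, 0x26, 0xFF, 0x00, /* data out, logical range 0..255     */
    0x75, 0x08, 0x95, 0x40, 0x91, 0x02,       /* 8 bits x 64, Output (Data,Var,Abs) */
    0xC0                                      /* End Collection                     */
};
/* Hypothetical helper. Returns 0 when the descriptor declares a FIDO
 * application collection with exactly one 64x8-bit Input and one 64x8-bit
 * Output; -1 malformed, -2 not a FIDO usage, -3 wrong report geometry. */
int check_ctaphid_descriptor(const uint8_t *d, size_t len)
{
    uint32_t page = 0, usage = 0, rsize = 0, rcount = 0;
    int depth = 0, fido = 0, in_ok = 0, out_ok = 0;
    for (size_t i = 0; i < len; ) {
        uint8_t prefix = d[i++];
        size_t n = (prefix & 3) == 3 ? 4 : (size_t)(prefix & 3);
        uint32_t v = 0;
        if (prefix == 0xFE || n > len - i) return -1; /* long item or truncated */
        for (size_t k = 0; k < n; k++) v |= (uint32_t)d[i + k] << (8 * k);
        i += n;
        switch (prefix & 0xFC) {             /* tag and type, size bits masked */
        case 0x04: page = v; break;          /* Global: Usage Page   */
        case 0x74: rsize = v; break;         /* Global: Report Size  */
        case 0x94: rcount = v; break;        /* Global: Report Count */
        case 0x08: usage = v; break;         /* Local: Usage         */
        case 0xA0:                           /* Main: Collection     */
            if (depth++ == 0 && (page != 0xF1D0 || usage != 0x01)) return -2;
            fido = 1;
            break;
        case 0xC0: if (--depth < 0) return -1; break; /* Main: End Collection */
        case 0x80: case 0x90:                /* Main: Input / Output */
            if (!fido || rsize != 8 || rcount != 64) return -3;
            if ((prefix & 0xFC) == 0x80) in_ok++; else out_ok++;
            break;
        }
    }
    if (depth != 0) return -1;
    if (!fido) return -2;
    return (in_ok == 1 && out_ok == 1) ? 0 : -3;
}
int main(void) { return check_ctaphid_descriptor(fido_desc, sizeof fido_desc) ? 1 : 0; }
```

A keyboard-style descriptor (usage page 0x01, usage 0x06) returns -2 here, which is the distinction the comment draws between the existing HID keyboard role and the CTAP one.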

tejado commented 1 year ago

First public debug version of Authorizer with FIDO U2F/WebAuthn over Bluetooth (unfortunately, CTAP over USB is not yet integrated and will still take a while): https://github.com/tejado/Authorizer/issues/52#issuecomment-1442443328

harhitosw commented 7 months ago

Hello @tejado, what is the current progress of CTAP2 over USB? Can you maybe create a separate branch for that so we can collab and work on it, if possible? Moreover, I found that when you are able to register your mobile via USB in the Windows Azure directory, you can use the mobile as a security key to log into a Windows workstation, but the only issue is that we need to have a USB implementation of CTAP.

tejado commented 7 months ago

That's a good idea. I will create a new branch so you are able to see the progress. But it's more in an alpha state.

What part in Microsoft Entra ID requires USB? Wouldn't it work with Bluetooth?

harhitosw commented 7 months ago

Hello @tejado, I tried to register Authorizer as a security key for a Windows 10 workstation. I then found out that when you try to register in Microsoft Entra ID, the only options you have for a security key are USB and NFC based keys. Moving on with that, I tried registering Authorizer for a given account in MS Entra ID, but I was only able to create the credentials in Authorizer; on the Relying Party end (here it would be MS Entra ID) I was NOT able to register it, the registration failed with some error. This is the reason I believe that once we enable CTAP2 over USB we can register Authorizer in MS Entra ID and then use CTAP2 over BLE to authenticate any time in the future. I hope this clears up your question. Moreover, if you create a branch we can figure out more such use cases for Authorizer.

harhitosw commented 7 months ago

Hello @tejado, can you please have a look at this issue and create a branch for CTAP2 over USB? We can discuss and get that working as soon as possible.

harhitosw commented 6 months ago

Hello @tejado, any updates on this?