tejado / Authorizer

Authorizer is a password manager for Android. It emulates an HID keyboard over USB and enters your credentials on your target device. Additionally, it supports OTP.

Support for QR codes in FIDO #70

Open carlos22 opened 10 months ago

carlos22 commented 10 months ago

Hi,

I'm pretty new to this thingy; it all looks well, and I think Bluetooth FIDO is implemented in https://github.com/tejado/Authorizer/pull/54. I tried to use it with okta.com, but my Chromium presents me with a QR code that I should scan, and it contains a FIDO:/ URL; I'm not sure how to proceed with that. Any help? I think it's not yet implemented to use QR codes with FIDO?! It also asks me to register over Bluetooth, but when I press "Accept" nothing happens.

tejado commented 10 months ago

Hi carlos22, thanks a lot for the feedback. QR codes in FIDO is interesting; I have to check this. But as you already get the Bluetooth registration, there might be some issue with the app: what is the other device where you run Okta in the web browser? Windows, Linux, iOS, macOS, Android as well?

harhitosw commented 10 months ago

Hi @tejado, I too wanted to try out the app, but same issue here: when I try to register on any WebAuthn-supported website in Google Chrome or Edge, it asks me to scan a QR code. After that I used the Google Authenticator Android mobile app to scan the QR code. Hereafter the passkeys were created, I was asked for some permissions, and then I got registered. While doing this I observed that Google Play services come into the foreground and do all the things. Maybe you can try it here on this website in any browser: https://webauthn.io/ . You can register/authenticate without Authorizer here.

carlos22 commented 10 months ago

> Hi carlos22, thanks a lot for the feedback. QR codes in FIDO is interesting; I have to check this. But as you already get the Bluetooth registration, there might be some issue with the app: what is the other device where you run Okta in the web browser? Windows, Linux, iOS, macOS, Android as well?

The web browser was Chromium on Arch Linux.

Yes, Google Play services offer that API apparently. Not sure if this is something that could also be picked up by microG (which is what I use, https://github.com/microg, and which is baked into a lot of custom ROMs like CalyxOS).

EDIT: As it seems, they also implement some parts of it at least; not sure if it's usable or not, need to test that... See: https://github.com/microg/GmsCore/commit/b3032b94c107380899632effdeccf7707fcbdf55 But only USB, as it seems: https://github.com/microg/GmsCore/wiki/Implementation-Status

tejado commented 10 months ago

Ah yeah, I forgot. The FIDO QR codes are there for caBLE. So basically, over the QR code the link to the device is created. Unfortunately, this is only device proximity, and no FIDO registration will take place over this channel. The actual FIDO registration is done over the usual network (-> Internet). As Authorizer is designed to run on devices without any network connectivity, this is not planned to be implemented.

But this doesn't mean you can't use FIDO with Authorizer over Bluetooth: if you register a new account (e.g. on https://webauthn.io/), you have to choose "Security key" and not "iPhone, iPad, or Android device". Can you test this, @harhitosw?

@carlos22 I will try Chromium on Arch on the weekend. I also pushed a few updates to the repo which fixed some bugs, but I haven't released a new version for this yet. I will do this on the weekend as well, so it would be great if you could then test this out.

Regarding FIDO over USB: I got a PoC running but have to do some additional work before this gets released. EDIT: The FIDO USB topic at GmsCore is about connecting FIDO devices to it, not about implementing one on Android (like Authorizer does).

tejado commented 10 months ago

@carlos22 I installed Arch + Chromium and could not reproduce your issue with my latest version. So Authorizer was fully functional and I could register & authenticate on https://webauthn.io. Could you check this site as well? I will provide the new APKs tomorrow.

harhitosw commented 10 months ago

@tejado I tried this out on a couple more websites, like https://webauthnworks.github.io/FIDO2WebAuthnSeries/ and also https://webauthn.me/, and it works fine as long as we select "Security key". For the record, this works fine in both browsers, Edge as well as Chrome, on a Windows 11 workstation. Moreover, I would be happy to contribute to Authorizer!

tejado commented 10 months ago

@harhitosw that's great! Every contribution is more than welcome! If you have any questions on how to contribute or where to start, you can create a new discussion.

@carlos22 How is it looking for you?

harhitosw commented 10 months ago

@tejado can I get source code implementation details? As I am new to the code, I find it tough to go through the code and understand the flow of the app!

carlos22 commented 10 months ago

@tejado it is working with webauthn.io, but still not with the original app. I was able to use a different method for the app. Thanks for your help.