w3c / webauthn

Web Authentication: An API for accessing Public Key Credentials
https://w3c.github.io/webauthn/

How do I use a smart phone as an authenticator when the web application is running on a laptop/desktop? #954

Closed roblapp closed 6 years ago

roblapp commented 6 years ago

I am a little confused as to how the following use case would work... or if it would be supported by the specification:

A user wants to login to an enterprise web application on their laptop or desktop, using their smart phone as an authenticator.

To clarify... the user would type in their username in the web application running in the browser on their laptop. They then click a button that says something like "Password-less Login With Smartphone", at which point they would be prompted on their smartphone for a fingerprint scan. Upon a successful scan they would be logged in to the site. This flow is outlined as an example workflow in the specification here. Also, Google did a nice presentation where they gave an example of something similar, except that the web application they were running was already running on the smart phone that was used for authenticating (not a desktop or laptop). I am interested in the use case where a user is running a web application on their laptop or desktop and wants to use their smart phone as the authenticator.

This leads me to the following question(s):

At a high level, what is the process for setting up a smart phone as an authenticator? Is this a use case that Web Authentication supports?

What I am looking for is a very high-level description of how someone should set up the browser to interact with their smart phone the same way it would when using a Yubikey or another similar device. All of the examples I have seen either use Yubikeys/other USB devices as the authenticator or, in the case of smart phones, outline the process when the web application is being accessed from the smart phone itself. Any insights would be very helpful.

emlun commented 6 years ago

This would likely be done by connecting the phone to the host via Bluetooth or USB. The phone could then implement the CTAP protocol so the browser detects it as an external authenticator. How exactly to set that up would be up to the operating systems of the phone and host.

There are also ideas for a "cloud-assisted BLE" that would enable this over Bluetooth with (almost) no need for traditional Bluetooth pairing, but that's not included in the initial version of the spec. See #909 for details.

Does that answer your questions?

emlun commented 6 years ago

Oh, and I should also note that I'm not aware of any currently working (production ready) implementations of any of this.

selfissued commented 6 years ago

Unless a specification change is being proposed (which I don't see above), this issue should be closed with no action. This would be a fine discussion to have on the public-webauthn@w3.org mailing list but it doesn't look like a description of a specification issue to me.

roblapp commented 6 years ago

@emlun Yes it does make sense. Thank you for your answer. My company wanted me to see if we could/should implement this new specification. However, our main use case is that a user is using our software on a machine other than their smart phone (laptop or desktop) but would want to be able to authenticate with either a Yubikey (or similar) or their smart phone. But it sounds like the main use cases the specification covers are:

1) The user is using a web application on their smart phone. They then authenticate using the smart phone.

2) The user is using a web application on a laptop. They then authenticate using a Yubikey or other similar device.

I have not seen a use case where the web application is running in a browser on a laptop/desktop but they use their phone as the authenticator. And from your answer it sounds like you don't know anyone who is doing that (a red flag, perhaps). Is my understanding correct?

emlun commented 6 years ago

I know that Google is intent on implementing that exact use case eventually, but I don't know if they have any of it implemented at this time.

As noted above, if you have further questions please send them to public-webauthn@w3.org instead of continuing the discussion here.

glerchundi commented 5 years ago

AFAIK this is exactly how Google Prompt or krypton work, right?

emlun commented 5 years ago

Not quite - unless I'm mistaken, those two work by sending a push notification to the mobile device directly from a server. I think Krypton works by routing the challenge as [RP server -> Browser -> Browser plugin -> Krypton server -> Krypton app], and the response back the same way, and I think Google Prompt is a communication between just the server and mobile device that doesn't involve the browser at all.

By contrast, what's being discussed here is to have the browser communicate directly with the mobile device via Bluetooth or USB, and not by bouncing over the internet.

ToruAoyagi commented 5 years ago

@emlun As of the latest, do you have any example or demo to get the implementation idea of this?

emlun commented 5 years ago

No, I'm not aware of any implementations of this yet. Others in the WG might know more, but I wouldn't bet on it.

ToruAoyagi commented 5 years ago

> This would likely be done by connecting the phone to the host via Bluetooth or USB. The phone could then implement the CTAP protocol so the browser detects it as an external authenticator. How exactly to set that up would be up to the operating systems of the phone and host.
>
> There are also ideas for a "cloud-assisted BLE" that would enable this over Bluetooth with (almost) no need for traditional Bluetooth pairing, but that's not included in the initial version of the spec. See #909 for details.
>
> Does that answer your questions?

@emlun - Somehow it looks like the answer for me. However, can you please explain more on what you said here: "The phone could then implement the CTAP protocol so the browser detects it as an external authenticator. How exactly to set that up would be up to the operating systems of the phone and host."

Actually we have a "face recognition engine" in our FIDO SDK (for Android) that supports the UAF protocol, and now we want to implement this "face recognition engine" as an external authenticator for FIDO2. Any input will be helpful for me.

emlun commented 5 years ago

Sorry, I don't know much about how UAF or CTAP device discovery works. Do I understand the UAF architecture diagram correctly in that the UAF protocol you mentioned is for communication between a client (app) and a server? In that case it seems to me like having the UAF protocol implemented won't help much in implementing an external WebAuthn authenticator. What you would need to do is find some way to map the CTAP2 API onto your API, and implement the Bluetooth and/or USB protocols in CTAP2. If you can do that (and I don't know if Android allows apps that much freedom in using Bluetooth/USB), it should work with laptop/desktop clients that support external CTAP2 authenticators. I don't think I can help much more than that.

yackermann commented 5 years ago

@ToruAoyagi From our past experience, the device may emulate a BLE client, so that it could be used as a BLE authenticator. This implementation would as well be certifiable.

ToruAoyagi commented 5 years ago

> Sorry, I don't know much about how UAF or CTAP device discovery works. Do I understand the UAF architecture diagram correctly in that the UAF protocol you mentioned is for communication between a client (app) and a server? In that case it seems to me like having the UAF protocol implemented won't help much in implementing an external WebAuthn authenticator. What you would need to do is find some way to map the CTAP2 API onto your API, and implement the Bluetooth and/or USB protocols in CTAP2. If you can do that (and I don't know if Android allows apps that much freedom in using Bluetooth/USB), it should work with laptop/desktop clients that support external CTAP2 authenticators. I don't think I can help much more than that.

@emlun Thanks, yes, UAF is for communication between a client (app) and a server. Thank you so much for your quick reply.

ToruAoyagi commented 5 years ago

> @ToruAoyagi From our past experience, the device may emulate a BLE client, so that it could be used as a BLE authenticator. This implementation would as well be certifiable.

@herrjemand Thanks for your input. Now I understand that it is best to use BLE for Transport-specific Binding, but for the testing of this POC I didn't find any demo client/server that supports BLE. I checked this demo supports CTAP2 with USB.

Yubico also has a library for testing an external authenticator communicating over USB only. So for Transport-specific Binding I am planning to use USB this time.

Are you aware of any demo client that also supports BLE communication?

yackermann commented 5 years ago

@ToruAoyagi Right now BLE only works with Chrome. You can run ANY web demo, for example https://webauthn.bin.coffee. Just go to chrome://flags/ and search for Bluetooth, and you shall find this: WebAuthn BLE flag.

Enable it, and restart browser. Next time you will use WebAuthn API, you will be able to see that it prompts for BLE.

ToruAoyagi commented 5 years ago

> @ToruAoyagi Right now BLE only works with Chrome. You can run ANY web demo, for example https://webauthn.bin.coffee. Just go to chrome://flags/ and search for Bluetooth, and you shall find this: WebAuthn BLE flag.
>
> Enable it, and restart browser. Next time you will use WebAuthn API, you will be able to see that it prompts for BLE.

@herrjemand Thanks. I checked it in Chrome Beta and now I am getting the BLE prompts. One more favor I will ask of you. For creating the external authenticator I studied CTAP, but do you have any reference application or code that I can refer to, to start working on this?

yackermann commented 5 years ago

@ToruAoyagi Sorry, but I don't *(

ve7jtb commented 5 years ago

This should be closed. It is a CTAP issue if anything. Move to the developers list.

snehaved123 commented 5 years ago

Hi @herrjemand and @roblapp, I am also looking for a solution to the exact same issue. Do you already have something that can help me? Thanks

Kieun commented 5 years ago

FYI, Google is now providing a phone-as-a-security-key feature. So, you can log in to your Google account on your laptop with your Android phone. Maybe this feature will be offered by other service providers as well. For details, please see this: https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/

snehaved123 commented 5 years ago

This does help. Do you have any idea about iPhone?

Kieun commented 5 years ago

Regarding iPhone, if Apple does not support such a feature (CTAP over BLE or caBLE), you need to implement such a feature in your app. There should be a way to do that, but you cannot fully leverage platform-provided features like on Android.

CalldiDoctor commented 5 years ago

Do you know which is the difference between how Google is doing this webauthn authentication, and, for instance, how this webauthn demo does it? https://webauthn.io/

With the Google implementation a notification appears on my phone. However, when trying the webauthn.io demo, it seems that the browser does not find any available roaming authenticator.

I'm also trying to perform a proof of concept by myself, but I do not know how the roaming authenticator (my phone) will listen to the calls from the browser, in order to generate the key pair or sign challenges.

Any ideas?

leshi commented 5 years ago

Until caBLE is standardized, Google's roaming authenticator will only work with Google.

nicksteele commented 5 years ago

Hi @CalldiDoctor, I wrote webauthn.io. I would imagine they're using some version of CaBLE in order to create the connection to the phone, rather than handling the phone outright as a bluetooth authenticator. Currently, webauthn.io looks for usb, nfc, and ble transports, if asked for cross-platform authenticators.

> I do not know how the roaming authenticator (my phone) will listen to the calls from the browser, in order to generate the key pair or sign challenges.

I would check out how Krypt handles overriding webauthn/u2f requests and sends them to a mobile device.

CalldiDoctor commented 5 years ago

Thanks for your answers!

I will check how Krypt works, thanks. And congrats for the work done, @nicksteele. The webauthn guide, which AFAIK is somehow related to you, is an amazing resource 🔝

Trojan295 commented 5 years ago

I was trying to write an Android app which works as a CTAP over BLE token, implementing the FIDO2 BLE profile. It isn't in any case production ready and I'm having some issues with pairing the phone with the browser over the Web Bluetooth API, but I was successful with integrating it with demo WebAuthn pages like webauthn.io or using it in Dropbox.

Source code: https://github.com/Trojan295/android-webauthn-token

GitPointer commented 5 years ago

@Trojan295 - Thanks for sharing your sample app. I tried to use it but I am getting stuck in the middle. Here are the steps I followed:

  1. For demo I am using https://webauthn.io on Mac Chrome version 75.0.3770.90
  2. Somehow I was able to do the pairing and my mobile device was displayed as an authenticator in this demo.
  3. When I clicked on my device for selection, it called onCharacteristicsWrite for the GET_INFO command, but after this no communication happened between the FIDO client and the authenticator. Are you aware of this problem? Please suggest how to run your demo app with https://webauthn.io.

Thanks in advance.
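A constructed illustration of the BLE framing this exchange is about, added here and not code from the thread or from the android-webauthn-token project: fragments written to the control point are reassembled into one CTAP frame, and a GET_INFO reply has to be fragmented back to the client's MTU or the client keeps waiting. The command byte values are the FIDO BLE/CTAP2 ones; the CBOR body and all-zero AAGUID are placeholders.

```python
"""Constructed example: CTAP2-over-BLE framing at the authenticator end.
The client writes fragments to the fidoControlPoint characteristic and the
authenticator notifies its reply on fidoStatus. Initialization fragment:
CMD (bit 7 set), HLEN, LLEN, DATA. Continuation: SEQ (from 0), DATA. A
GET_INFO that is reassembled but never answered leaves the client waiting."""
from dataclasses import dataclass, field

CMD_MSG, CMD_ERROR = 0x83, 0xBF      # FIDO BLE command bytes
CTAP2_GET_INFO = 0x04                # authenticatorGetInfo request byte
CTAP2_OK = 0x00                      # status byte that prefixes a success reply
ERR_INVALID_CMD = 0x01               # BLE ERROR payload: command not supported
# Hand-encoded CBOR {1: ["FIDO_2_0"], 3: <16-byte AAGUID>} with a placeholder
# all-zero AAGUID; a real authenticator reports its own values here.
GET_INFO_CBOR = bytes.fromhex("a2 01 81 68") + b"FIDO_2_0" + bytes.fromhex("03 50") + bytes(16)

@dataclass
class Reassembler:
    """Collects fragments written to one characteristic into a CTAP frame."""
    cmd: int = 0                     # 0 = no frame in progress (real CMDs have bit 7 set)
    expected: int = 0
    seq: int = 0
    buf: bytearray = field(default_factory=bytearray)

    def feed(self, frag: bytes) -> "tuple[int, bytes] | None":
        """Return (cmd, payload) once the frame is complete, else None."""
        if frag[0] & 0x80:                        # initialization fragment
            self.cmd, self.seq = frag[0], 0
            self.expected = (frag[1] << 8) | frag[2]
            self.buf = bytearray(frag[3:])
        elif not self.cmd or frag[0] != self.seq:  # continuation must follow in order
            raise ValueError("continuation fragment out of sequence")
        else:
            self.seq += 1
            self.buf += frag[1:]
        if len(self.buf) < self.expected:
            return None
        payload = bytes(self.buf[: self.expected])
        cmd, self.cmd = self.cmd, 0
        return cmd, payload

def fragment(cmd: int, payload: bytes, mtu: int = 20) -> list:
    """Split a CTAP frame into fragments no longer than the ATT payload size."""
    frags = [bytes([cmd, len(payload) >> 8, len(payload) & 0xFF]) + payload[: mtu - 3]]
    rest, seq = payload[mtu - 3:], 0
    while rest:
        frags.append(bytes([seq]) + rest[: mtu - 1])
        rest, seq = rest[mtu - 1:], seq + 1
    return frags

def handle_frame(cmd: int, payload: bytes, mtu: int = 20) -> list:
    """Authenticator side: answer GET_INFO, reject anything else with ERROR."""
    if cmd == CMD_MSG and payload[:1] == bytes([CTAP2_GET_INFO]):
        return fragment(CMD_MSG, bytes([CTAP2_OK]) + GET_INFO_CBOR, mtu)
    return fragment(CMD_ERROR, bytes([ERR_INVALID_CMD]), mtu)
```

With the default 20-byte ATT payload the 31-byte GET_INFO reply becomes two notifications, which is the point at which a phone-side implementation that only handles the control-point write falls silent.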

Trojan295 commented 5 years ago

@vikastandon can we move this as an issue to https://github.com/Trojan295/android-webauthn-token?

In general, I also experience problems; most probably there are bugs in my code, could be also browser incompatibilities etc. I would like to track them and improve it. Also, if you can get the logs, please add them. Thanks!

GitPointer commented 5 years ago

@Trojan295 - Sure, I will create an issue.

nhtransis commented 5 years ago

> @Trojan295 - Thanks for sharing your sample app. I tried to use it but I am getting stuck in the middle. Here are the steps I followed:
>
>   1. For demo I am using https://webauthn.io on Mac Chrome version 75.0.3770.90
>   2. Somehow I was able to do the pairing and my mobile device was displayed as an authenticator in this demo.
>   3. When I clicked on my device for selection, it called onCharacteristicsWrite for the GET_INFO command, but after this no communication happened between the FIDO client and the authenticator. Are you aware of this problem? Please suggest how to run your demo app with https://webauthn.io.
>
> Thanks in advance.

I guess you are using an old Mac, right? Check with a new Mac (e.g., > mid 2015)

mehakzahra1 commented 5 years ago

> This would likely be done by connecting the phone to the host via Bluetooth or USB. The phone could then implement the CTAP protocol so the browser detects it as an external authenticator. How exactly to set that up would be up to the operating systems of the phone and host.

@emlun Did you get any chance to have a look at any demo implemented yet?

emlun commented 5 years ago

No, I haven't seen any, but I haven't been looking for one either.

mehakzahra1 commented 5 years ago

I am looking for the use case/scenario for setting up a smartphone as an authenticator using the CTAP2 specifications. I am looking for the use case in which a user sets up the browser to interact with their smartphone the same way it would when using a Yubikey or another similar security key. I have read all the documentation related to it, but unfortunately what I always get is an article using Yubikeys / other USB devices as the authenticator. I am looking forward to some interaction where the mobile phone serves as a roaming authenticator. By having a look at the documentation and the CTAP specification, conceptually I know this can be done by having some connection between the phone and the host via:

  - Bluetooth
  - NFC
  - USB

After the establishment of the connection, the mobile authenticator could then implement the CTAP2 protocol so that the browser considers it a roaming authenticator. I am also looking forward to seeing the authentication process using some BLE-enabled devices. I have already tried logging in using the Yubikey security key on the following website: https://webauthn.me/

But I want to achieve the same login flow using a Bluetooth-enabled Thetis BLE key or the mobile itself. Any insights would be very helpful. I am also looking forward to people working on this particular use case to have a mutual discussion.

MatteoWebDeveloper commented 5 years ago

@mehakzahra1 it sounds like the same use case. I have an identity mobile app I would like to use as an authenticator on a website which uses WebAuthn. I investigated for a while but I cannot find anything that explains how it could be possible.

pegah5665 commented 3 years ago

> I was trying to write an Android app which works as a CTAP over BLE token, implementing the FIDO2 BLE profile. It isn't in any case production ready and I'm having some issues with pairing the phone with the browser over the Web Bluetooth API, but I was successful with integrating it with demo WebAuthn pages like webauthn.io or using it in Dropbox.
>
> Source code: https://github.com/Trojan295/android-webauthn-token

It doesn't work for me; the onCharacteristicsWrite method doesn't get called.

yaitskov commented 3 years ago

There is a pretty doable workaround for authenticating on a laptop. You have a web application, haven't you? So it is available on the smartphone too, with a fingerprint scanner. Just send a WebPush notification to the mobile page with info about the client initiating login on a laptop, asking to scan the fingerprint again.