wwWallet / wallet-frontend

BSD 2-Clause "Simplified" License

Missing NFC Authentication Option in Android Signup Process #153

Open gkatrakazas opened 9 months ago

gkatrakazas commented 9 months ago

In the case of Android, during the signup process, when attempting the first authentication, we do not have the option to use NFC or USB (security key) authentication, similar to what's available on webauthn.me. Instead, the process progresses towards using the device authenticator.

[Screenshots: wwWallet signup prompt vs. webauthn.me registration prompt]

emlun commented 9 months ago

I think support for this is missing in Android, and all we can do is wait. The difference between wwWallet and webauthn.me is that webauthn.me creates the WebAuthn credential with the option residentKey: "discouraged", while wwWallet uses residentKey: "required". To confirm this, you can try this on webauthn.io instead: first expand "Advanced settings" and set "Discoverable Credential" to "Discouraged". Then click "Register" and you should see the USB and NFC security key options. Then change "Discoverable Credential" to "Preferred" or "Required" and click "Register" again, you should now see the same thing as in wwWallet.

We use residentKey: "required" in wwWallet because this creates a discoverable key, or passkey, which is what allows us to not need usernames to identify users. A non-discoverable key is stored in the credential ID, which is stored on the server, so that credential ID needs to be retrieved from the server before the key can be used, so the server needs to first identify the user in order to know which credential IDs to return. A discoverable key is stored in the authenticator (for example YubiKey or phone), which means it can be used without first having to identify the user.

Once Android implements support for resident keys on external security keys, this should automatically work with no changes needed in wwWallet.

gkatrakazas commented 9 months ago

Thank you, Emil, for your detailed explanation of this issue. It seems that the only thing we can do at the moment is to wait.