Using CTAP2 to authenticate to an app on the same device - authentication

CTAP2 allows apps on mobile phones to act as roaming authenticators. An app may implement the protocol over one or more of the supported transports.
However, there are use cases where the web or native app being accessed would be run on the same mobile device as the roaming authenticator. Can this use case be supported by CTAP2?
PS: Why is there no ctap or ctap2 tag? I used 'fido' as a proxy.

CTAP defines a protocol that is used between devices. For apps to provide credentials on the same device, the OS of that device would need to support them plugging into the standard APIs.
We (Google) said yesterday, “Please stay tuned for more updates from us in the next year as we introduce changes to Android, enabling third party credential managers to support passkeys for their users.” But I believe that's the most that any of the platforms have said on this point so far.

Related

Can we store and read keys in Fido2 device (yubikey)

I am working on an android and iOS application that needs to have a password-less solution for login. We are trying to implement WebAuthn/Fido2 device.
The problem is that Fido is still new and there is no React-Native library that implements that. So I have a few questions regarding it.
Can we read and write our own key in the Fido2 device?
=> Till we get a proper library, I want to store an encrypted password on the fido2 device as a key, read it every time on login, and decrypt it. Does it sound good to implement, and is it possible to do?
#DevPy
To support WebAuthn/FIDO2 from your React Native iOS application, the recommended solution is to integrate one of two Apple iOS system browsers (ASWebAuthenticationSession or SFSafariViewController) that support WebAuthn APIs. ASWebAuthenticationSession would be my first choice as this browser is for authentication through a web service, specifically the OAuth 2 flow. This provides the interface, built-in APIs for interacting with the FIDO2 authenticator, like the YubiKey, and gives the developer control with callback to the session and authentication token. Another way to integrate WebAuthn is to utilize a third-party SDK for communicating with OAuth 2 providers. For example, AppAuth for iOS has a React Native bridge, available here. I believe the AppAuth SDK uses the ASWebAuthenticationSession.
As for the initial question of writing/reading your own custom key, the FIDO2 devices are limited in storage space but the YubiKey offers two options that may work for you. One is the option to create a static password (not encrypted) or utilize the Yubico OTP. Both options use the system keyboard to type out the password or OTP into any text/password field within your app. No SDK or system browser required.
FIDO2/WebAuthn is specifically a browser API. Since you're talking about authentication within a (React) native app, you'll probably want to fall back to the equivalent native OS APIs instead.
For Android you can use the Fido2ApiClient, which will let you leverage existing FIDO2 credentials on your server for in-app authentication:
https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient
I think the equivalent on the iOS side of native app development is Authentication Service. They have a page specifically about leveraging "passkeys" in your app that will probably help get you started:
https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication
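Whichever client API produces the assertion (a browser, Fido2ApiClient, or Apple's AuthenticationServices), the server still has to check what came back. The following is an added example, not code from either answer above: a Python relying-party check of the clientDataJSON and authenticatorData that every WebAuthn assertion carries. RP_ID, EXPECTED_ORIGIN and the sample assertion are constructed assumptions; verifying the signature over the returned signed bytes with the stored credential public key is left to a crypto library and is not done here.

```python
import base64
import hashlib
import json
import struct

# Constructed relying-party settings (assumptions for this example).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified


def b64url_decode(s: str) -> bytes:
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def rp_id_hash(rp_id: str) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest()


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed 37-byte prefix: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "counter": struct.unpack(">I", auth_data[33:37])[0],
    }


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, stored_counter: int,
                     require_uv: bool = False) -> dict:
    """Server-side checks on an authentication assertion.
    Returns the counter to store and the bytes whose signature must still be
    verified against the credential's public key (not done in this example)."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("not an authentication ceremony")
    if b64url_decode(client_data.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch (replay or wrong session)")
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch")
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != rp_id_hash(RP_ID):
        raise ValueError("rpIdHash mismatch")
    if not parsed["flags"] & FLAG_UP:
        raise ValueError("user presence not asserted")
    if require_uv and not parsed["flags"] & FLAG_UV:
        raise ValueError("user verification required but not performed")
    counter = parsed["counter"]
    # The signature counter must increase whenever either side tracks it (clone detection).
    if (counter != 0 or stored_counter != 0) and counter <= stored_counter:
        raise ValueError("signature counter did not increase")
    signed = auth_data + hashlib.sha256(client_data_json).digest()
    return {"counter": counter, "signed_bytes": signed}


def assertion_is_valid(*args, **kwargs) -> bool:
    try:
        verify_assertion(*args, **kwargs)
        return True
    except ValueError:
        return False


def build_sample_assertion(challenge: bytes, origin: str, rp_id: str,
                           flags: int, counter: int):
    """Constructed client output for testing (no real authenticator involved)."""
    client_data_json = json.dumps({
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }).encode()
    auth_data = rp_id_hash(rp_id) + bytes([flags]) + struct.pack(">I", counter)
    return client_data_json, auth_data


if __name__ == "__main__":
    challenge = bytes(range(32))
    cdj, ad = build_sample_assertion(challenge, EXPECTED_ORIGIN, RP_ID, FLAG_UP, 7)
    print(verify_assertion(cdj, ad, challenge, stored_counter=6)["counter"])  # 7
    cdj, ad = build_sample_assertion(challenge, "https://evil.example", RP_ID, FLAG_UP, 8)
    print(assertion_is_valid(cdj, ad, challenge, 7))  # False
```

The origin check is what makes the browser/native distinction matter on the server: a native client going through Fido2ApiClient or AuthenticationServices reports an origin tied to the app's association with the relying party, so EXPECTED_ORIGIN has to match whatever the platform actually sends rather than a hard-coded web URL.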

Mobile Authenticator using CTAP2 specifications

I am looking for the use case/scenario for setting up a smart phone as an authenticator using CTAP2 specifications.
I am looking for the use case in which a user sets up the browser to interact with their smart phone the same way it would when using a Yubikey or another similar security key. I have read all the documentation related to it, but unfortunately what I always get is an article using Yubikeys / other USB devices as the authenticator. I am looking forward to some interaction where the mobile phone serves as a roaming authenticator.
By having a look at the documentation and CTAP specification, conceptually I know this can be done by having some connection between the phone and the host via:
Bluetooth
NFC
USB
After establishment of the connection, the mobile authenticator could then implement the CTAP2 protocol so that the browser considers it a roaming authenticator. I am also looking forward to seeing the authentication process using some BLE-enabled device. I have already tried logging in using a Yubikey security key on a website. But I want to achieve the same login flow using a Bluetooth-enabled Thetis BLE key or the mobile itself.
Any insights would be very helpful. I am also looking forward to a mutual discussion with people working on this particular use case.
First, you need to follow this spec to develop your roaming authenticator. The FIDO2 standard is recommended if you start the development now. There are 2 modules which may take your time to research and develop for your authenticator: BLE and FIDO crypto logic. This is the hardest work because there is no kind of open source published for reference; you must work entirely from the spec.
Second, you can use one of these clients to test your authenticator while developing:
https://webauthn.io
https://demo.yubico.com/webauthn-technical/registration
...
Note: It's not convenient to do an iOS authenticator now. Please check this issue to see why.
Third, you may use FIDO Conformance Tools to validate your authenticator.
Finally, you may go get certified and register on MDS if needed.
I am searching for the same thing. For future readers, as of now (2020), the resources below are helpful if anyone else is looking.
You could look into https://github.com/solokeys/solo which provides an open source implementation for hardware and firmware. It is a great starting point. As they have CTAP implemented, they also have HID emulation using usb_gadget for Linux.
You could also look into https://github.com/github/SoftU2F which is a software U2F for macOS using the Mac keychain.
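The first answer says the authenticator side has to be built straight from the CTAP spec. As an added illustration of what that message layer looks like (not code from the answers, from solo or from SoftU2F), here is a Python sketch of the request/response framing: a CTAP2 request is one command byte followed by CBOR parameters, and a response is one status byte followed by a CBOR map. The block carries its own minimal canonical CBOR encoder and answers authenticatorGetInfo (command 0x04), which is the first thing a browser sends once the transport (USB HID, NFC or BLE) is up. The AAGUID, the advertised options and maxMsgSize are constructed sample values.

```python
import struct

# CTAP2 command bytes and status codes as defined in the CTAP specification.
CMD_MAKE_CREDENTIAL = 0x01
CMD_GET_ASSERTION = 0x02
CMD_GET_INFO = 0x04
CTAP2_OK = 0x00
CTAP1_ERR_INVALID_COMMAND = 0x01


def _head(major: int, n: int) -> bytes:
    """CBOR initial byte plus shortest-form argument for major type `major`."""
    if n < 24:
        return bytes([(major << 5) | n])
    if n < 0x100:
        return bytes([(major << 5) | 24, n])
    if n < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", n)
    if n < 0x100000000:
        return bytes([(major << 5) | 26]) + struct.pack(">I", n)
    return bytes([(major << 5) | 27]) + struct.pack(">Q", n)


def cbor_encode(v) -> bytes:
    """Minimal canonical CBOR for the value types CTAP2 messages use."""
    if v is True:          # bool must be tested before int (bool is an int subclass)
        return b"\xf5"
    if v is False:
        return b"\xf4"
    if isinstance(v, int):
        return _head(0, v) if v >= 0 else _head(1, -1 - v)
    if isinstance(v, bytes):
        return _head(2, len(v)) + v
    if isinstance(v, str):
        enc = v.encode()
        return _head(3, len(enc)) + enc
    if isinstance(v, list):
        return _head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        # CTAP2 canonical ordering: shorter encoded key first, then bytewise.
        pairs = sorted(((cbor_encode(k), cbor_encode(x)) for k, x in v.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(pairs)) + b"".join(k + x for k, x in pairs)
    raise TypeError(f"unsupported CBOR type: {type(v).__name__}")


def get_info_response(aaguid: bytes) -> bytes:
    """authenticatorGetInfo response: status byte followed by the CBOR info map."""
    if len(aaguid) != 16:
        raise ValueError("AAGUID must be 16 bytes")
    info = {                                          # sample values (constructed)
        0x01: ["FIDO_2_0"],                           # versions
        0x03: aaguid,                                 # aaguid
        0x04: {"rk": True, "up": True, "uv": False},  # options
        0x05: 1200,                                   # maxMsgSize
    }
    return bytes([CTAP2_OK]) + cbor_encode(info)


def parse_request(frame: bytes):
    """A CTAP2 request is one command byte followed by optional CBOR parameters."""
    if not frame:
        raise ValueError("empty CTAP2 request")
    return frame[0], frame[1:]


def handle_request(frame: bytes, aaguid: bytes) -> bytes:
    """Dispatch on the command byte; only getInfo is answered in this example."""
    cmd, _params = parse_request(frame)
    if cmd == CMD_GET_INFO:
        return get_info_response(aaguid)
    return bytes([CTAP1_ERR_INVALID_COMMAND])


if __name__ == "__main__":
    print(handle_request(b"\x04", bytes(16)).hex())
```

The transport layer (USB HID report framing, NFC APDUs, or the BLE GATT characteristics the question mentions) sits underneath this and only carries these byte strings; makeCredential and getAssertion follow the same status-byte-plus-CBOR shape with their own parameter maps.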

How to authenticate in an SAP hybrid app against SMP and a backend system with different users?

Following situation:
An SAP OnPremise system is connected over cloud connector to SAP HCP
In the cloud version of the SAP Mobile Platform (SMP) I configured the system
I have a hybrid app (using SAP Kapsel SDK) and try to connect to
a) SMP itself (registering)
b) also to the real backend system with the data needed
User name of SMP and backend system is not the same
Does anyone have a good tutorial / documentation link on how to set this up correctly?
I found a very good tutorial about the Kapsel plugins:
- https://blogs.sap.com/2016/10/20/getting-started-kapsel-part-1-sp13/
With a trial account and a trial backend account (same user name) it seems to be working somehow. But in my situation it is more complex.
Problem in other words (Edit)
I am searching for a way to use the user & password from the OnPremise system to authenticate against HCPms over a hybrid app.
May I ask why you require two different users at all? From a usability point of view, it is very awkward for a user to give two sets of credentials for an app. I'd typically recommend either
configure SCIM in Mobile Services. This would allow you to register with Mobile Services using your back-end credentials.
configure no-auth in Mobile Services. While users still need to give their credentials for back-end access, they can register with Mobile Services without credentials at all.
The rest depends on your back-end configuration. For example, if it requires Basic auth, configure your back-end connection accordingly and leave the user/password fields empty. When you supply those with your client requests, they will be forwarded to your back-end.
Edit: I misread the question and thought you were using "SAP Cloud Platform Mobile Service", the cloud equivalent of the SAP Mobile Platform. The answer basically remains the same, only the terminology changes (italic):
configure HTTP(s)-based Basic Authentication SSO in Mobile Platform. This would allow you to register with Mobile Platform using your back-end credentials.
configure no-auth in Mobile Platform. While users still need to give their credentials for back-end access, they can register with Mobile Platform without credentials at all.
Either way, SCIM for Mobile Service is described in the documentation, and so is Basic authentication for Mobile Platform.

How to identify request from a mobile device

I am making a wcf rest service which will be used from mobile devices. If the request is not from a mobile device, it will not be possible to access the service.
So I need to identify if the request is from android, iphone or windows mobile.
Is there any way that I can identify the request? I tried to google it but did not get any suitable answer.
Unfortunately, User-Agent can be easily faked. Some mobile or desktop browsers allow changing the user-agent string.
This is workable if you are not too concerned about it.
If you absolutely must secure the service so that it is only accessible from a mobile device, you would need some kind of authentication / authorization method.
For example, I would develop a mobile application (android or ios) and only allow my service to interact through the application that I developed. The mobile application can then provide an authentication code when establishing contact with my service. Probably the authentication code can be hard-coded inside the mobile app.
However, it's possible that the app can be run from an emulator SDK. You could probably write further checks inside your app to get the hardware details from the mobile device to verify it is actually mobile hardware. (This I'm not so certain about, as I haven't really got into it.)
I think the only way to identify a mobile device is matching the User-Agent against a list of known mobile UA strings.
Here you have a list: http://www.zytrax.com/tech/web/mobile_ids.html
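As an added example (not code from either answer), here is the User-Agent matching the last answer describes, written in Python and run over constructed request log lines. It sorts requests into android / iphone / windows-mobile / other, and the final log line shows the earlier answer's caveat in practice: a non-mobile client that presents a copied iPhone User-Agent string is indistinguishable from the real phone, so the check is a usability filter, not an access control. The log format, the sample IPs and the UA strings are all assumptions.

```python
import re

# Constructed request log lines: <client-ip> <method> <path> "<User-Agent>"
SAMPLE_LOG = [
    '10.0.0.5 GET /api/orders "Mozilla/5.0 (Linux; Android 10; Pixel 3) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.99 Mobile Safari/537.36"',
    '10.0.0.6 GET /api/orders "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1"',
    '10.0.0.7 GET /api/orders "Mozilla/5.0 (compatible; MSIE 10.0; Windows Phone 8.0; Trident/6.0; IEMobile/10.0; ARM; Touch; NOKIA; Lumia 920)"',
    '10.0.0.8 GET /api/orders "Mozilla/5.0 (Windows NT 10.0; Win64; x64) AppleWebKit/537.36 (KHTML, like Gecko) Chrome/80.0.3987.132 Safari/537.36"',
    '10.0.0.9 GET /api/orders "curl/7.68.0"',
    # Same non-mobile client (10.0.0.9) presenting a copied iPhone UA: passes the check.
    '10.0.0.9 GET /api/orders "Mozilla/5.0 (iPhone; CPU iPhone OS 13_3 like Mac OS X) AppleWebKit/605.1.15 (KHTML, like Gecko) Version/13.0.5 Mobile/15E148 Safari/604.1"',
]

LOG_RE = re.compile(r'^(?P<ip>\S+) (?P<method>\S+) (?P<path>\S+) "(?P<ua>[^"]*)"$')

# Markers taken from the common UA families; order matters only for overlapping strings.
PLATFORM_PATTERNS = [
    ("android", re.compile(r"\bAndroid\b")),
    ("iphone", re.compile(r"\b(?:iPhone|iPad|iPod)\b")),
    ("windows-mobile", re.compile(r"Windows Phone|IEMobile", re.IGNORECASE)),
]


def classify_user_agent(ua: str) -> str:
    """Return the platform family the UA string claims, or 'other'."""
    for name, pattern in PLATFORM_PATTERNS:
        if pattern.search(ua):
            return name
    return "other"


def is_mobile(ua: str) -> bool:
    """The gate the question asks for: True when the UA claims a mobile platform."""
    return classify_user_agent(ua) != "other"


def filter_log(lines):
    """Parse each log line and decide admission; returns (ip, platform, admitted) tuples."""
    results = []
    for line in lines:
        m = LOG_RE.match(line)
        if not m:
            continue  # unparseable line: skip rather than guess
        platform = classify_user_agent(m["ua"])
        results.append((m["ip"], platform, platform != "other"))
    return results


if __name__ == "__main__":
    for ip, platform, admitted in filter_log(SAMPLE_LOG):
        print(f"{ip:10} {platform:15} {'admitted' if admitted else 'rejected'}")
```

Because the last two entries come from the same client and only the header differs, the log shows why the earlier answer points to authentication rather than UA sniffing when the service genuinely must be reachable only from the app.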

User permission to make a call

There might have been a restriction on originating (making) calls (voice or data) from mobile phones without an explicit user permission, i.e. a window would pop up, asking the user to press 'Yes'/approve or 'No'/cancel for a call attempt made by a software application on that cellphone/mobile.
There seems though to exist an API for making calls, voice calls and data calls, on various embedded OSes like WM, Symbian and Android. Do they require a user button-press then?
This is about the runtime security model.
When you develop a mobile application, you also make a list of the APIs it might want to use. If these APIs are protected by a "capability" or "permission", you need to declare it in the application manifest file or makefile.
Depending on the target handset security policy and the access your application requires, you may need to have it signed by a trusted third party (Verisign, GeoTrust, Google, Apple, your mobile network operator, your handset manufacturer...).
The J2ME security model is: the user is asked about API access based on who trusts your application (i.e. your mobile network operator checks that your application won't cripple their network, so it's OK to only ask the user once about whether (s)he doesn't mind being charged for data download).
The native Symbian OS security model is: your application will not install unless it is trusted by somebody with enough power (i.e. only the handset manufacturer has enough power to trust a new hardware driver).
A non-jailbroken iPhone security model is presumably all or nothing: If apple trusts your application it can do whatever it wants.
I don't know whether anybody has actually made a partially-trusted Android application that isn't available on the Android store and that can be installed on an operator-subsidised android handset.