I am working on an android and iOS application that needs to have a password-less solution for login. We are trying to implement WebAuthn/Fido2 device.
The problem is that Fido is still new and there is no React-Native library that implements that. So I have a few questions regarding it.
Can we read and write our own key in the Fido2 device?
=> Till we get a proper library, I want to store an encrypted password on the fido2 device as a key, read it every time on login, and decrypt it. Is it sounds good to implement and is it possible to do?
#DevPy
To support WebAuthn/FIDO2 from your React Native iOS application, the recommended solution is to integrate one of two Apple iOS system browsers (ASWebAuthenticationSession or SFSafariViewController) that support WebAuthn APIs. ASWebAuthenticationSession would be my first choice as this browser is for authentication through a web service, specifically the OAuth 2 flow. This provides the interface, built-in APIs for interacting with the FIDO2 authenticator, like the YubiKey, and gives the developer control with callback to the session and authentication token. Another way to integrate WebAuthn is to utilize a third-party SDK for communicating with OAuth 2 providers. For example, AppAuth for iOS has a React Native bridge, available here. I believe the AppAuth SDK uses the ASWebAuthenticationSession.
As for the initial question of writing/reading your own custom key, the FIDO2 devices are limited in storage space but the YubiKey offers two options that may work for you. One is the option to create a static password (not encrypted) or utilize the Yubico OTP. Both options use the system keyboard to type out the password or OTP into any text/password field within your app. No SDK or system browser required.
FIDO2/WebAuthn is specifically a browser API. Since you're talking about authentication within a (React) native app then you'll probably want to fall back to equivalent native OS API's instead.
For Android you can use the Fido2ApiClient, which will let you leverage existing FIDO2 credentials on your server for in-app authentication:
https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient
I think the equivalent on the iOS side of native app development is Authentication Service. They have a page specifically about leveraging "passkeys" in your app that will probably help get you started:
https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication
Related
CTAP2 allows apps on mobile phones to act as roaming authenticators. An app may implement the protocol over one or more of the supported transports.
However, there are use cases where the web or native app being accessed would be run on the same mobile device as the roaming authenticator. Can this use case be supported by CTAP2?
PS: Why is there no ctap or ctap2 tag? I used 'fido' as a proxy.
However, there are use cases where the web or native app being accessed would be run on the same mobile device as the roaming authenticator. Can this use case be supported by CTAP2?
CTAP defines a protocol that is used between devices. For apps to provide credentials on the same device, the OS of that device would need to support them plugging into the standard APIs.
We (Google) said yesterday, “Please stay tuned for more updates from us in the next year as we introduce changes to Android, enabling third party credential managers to support passkeys for their users.” But I believe that's the most that any of the platforms have said on this point so far.
I want to be able to remember a user's device using Amplify's hosted UI with React. I set up MFA as required in the user pool. In "devices" I set Do you want to remember your user's devices? to "User-Opt In" and Do you want to use a remembered device to suppress the second factor during multi-factor authentication (MFA)? to "Yes". In the React side I'm using the withAuthenticator HOC.
The problem is when I login, I get redirected to the confirm sms code page without the application or amplifying remembering the device. Also if I look at the device in the user pool, it has the status: note_remembered.
Is there any way to configure this through the hosted Amplify UI and if not how would I do it programatically?
I looked through all the docs and don't see anything even though this seems like a pretty ubiquitous use case.
It has been a while since I developed an Authentication Engine using Amplify. After going through the official Amplify Auth documentation and several Github threads, I was unable to find any API or technique to implement Cognito's Device remember feature.
In this case, I would recommend using a hybrid approach and using the GetDevice, ConfirmDevice, and UpdateDeviceStatus API calls in the native AWS JavaScript SDK, as the functionality is completely supported there.
Apropos which, Amplify is lacking a lot of imperative Cognito features, and I would implore you to raise a support request with the concerned AWS team.
I am looking for the use case/scenario for setting up a smart phone as an authenticator using CTAP2 specifications.
I am looking for the use case in which a user setup the browser to interact with their smart phone the same way it would when using Yubikey or another similar security key. I have read all the documentations related to it but unfortunately what I always get an article using Yubikeys / other USB devices as the authenticator. I am looking forward for some interaction where mobile phone serves a roaming authenticator.
By having a look at the documentation and CTAP specification conceptually I know this can be done by having some connection between the phone and the host via:
Bluetooth
NFC
USB
After establishment of connection the mobile authenticator could then implement the CTAP2 protocol so that the browser considers it as roaming authenticator. I am also looking forward to see the authentication process using some BLE enabled device. I have already tried log-in using yubikey security key on website. But I want to achieve the same flow login-mechanism using Bluetooth enable Thetis BLE key or mobile itself.
Any insights would be very helpful. I am also looking forward for people working on this particular use case to have a mutual discussion.
First, you need to follow this spec to develop your roaming authenticator. FIDO2 standard is recommended if you start the development now. There are 2 modules which may take your time to research & develop your authenticator: BLE, FIDO Crypto logic. This is the hardest work because there is no kind open source published for reference, you must be totally working with spec.
Second, you can use one these clients to test your authenticator while developing:
https://webauthn.io
https://demo.yubico.com/webauthn-technical/registration
...
Note: It's not convenient to do iOS authenticator now. Please check this issue to see why
Third, you may use FIDO Conformance Tools to validate your authenticator.
Finally, you may go get certified and register on MDS if need
I am searching for the same thing. For future readers as of now 2020, below resources are helpful if anyone else is looking.
You could look into https://github.com/solokeys/solo which provides open source implementation for hardware and firmware. It is a great starting point. As they have ctap implemented they also have hid emulation using usb_gadget for linux.
You could also look into https://github.com/github/SoftU2F which is a software u2f for MacOS using mac keychain.
Currently our app uses OAuth requests in web-views.
Google will not allow OAuth requests in an embedded browser called "web-views".google_developer_blog
So, we are planning to use Firebase Authentication.
This method is not in best practice, but I would like to tell you if there is any problem.
Thank you in advance.
Google OAuth plans to deprecate embedded webviews. However, you are OK to use SFSafariViewController for iOS apps and Chrome Custom Tab for Android Apps. If none of these are supported, you can open a system browser. All of these flows are allowed for OAuth flows and are more secure than embedded webviews.
i'm building a website that uses WebRTC to share audio and video. Now i'd like to access WebRTC features on Android devices so i can create an app that can receives audio and video streams from the website.
I've looked for a technology allowing me to do that and I've found SkylinkJS.
It looks great but i'm wondering something. Can i build a custom authentication system on top of SkylinkJS logic. What i mean is that i'd like to make sure the connection to SkylinkJS rooms are initiated by users actually authenticated on my platform.
At the moment, i do that using socket.io but i can do it since i'm using raw WebRTC. How can i do that using SkylinkJS? Using the REST API?
Thanks.
PS: i cannot tag this question with 'skylinkjs' since it's a new tag, but it mights be cool if someone could do it.
Yes you can integrate that with the REST API in this Applications REST API link here - . You can generate your own credentials.
You can generate the connecting credentials from your server and then when the User logs in, generate the credentials for Users to connect to the Room. See more in their support article.
SkylinkJS uses key based authentication mechanism to authenticate against the Temasys signaling servers. This ensures that any application using Skylink can only connect to calls in your application if the app can provide the same secure keys (from your Temasys developer account).
Your best bet in looping in Android would be to use the android counterpart. http://skylink.io/android/