navigator.credentials.create() times out in electron - authentication

After scouring the web for an answer to this question, it's still unclear to me whether electron supports authenticating users via public key credentials and the WebAuthn specification.
Since v4+ (Chromium 69), electron has had support for both navigator.credentials API and the PublicKeyCredential interface. However, attempting to create a new credential using navigator.credentials.create() results in the request timing out (if PublicKeyCredentialCreationOptions.timeout is set). Additionally, PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() resolves to false which indicates that platform authenticators such as Windows Hello and TouchID are not supported in electron.
In Chrome and other supported browsers, the call to navigator.credentials.create() results in an authorization prompt where the user can enter their security key (e.g. biometric scanner or physical USB device). Has anyone had success in implementing similar behaviour in an electron app?

Related

How to identify a user login from a new device

I am working on a functionality to send an email to the user whenever they log in to my website with a new device. For example, if a user logged in to their account from the iOS app, notify them that a new device login is detected. If at a later point the same user logs in from a web browser, send another notification that a new device login is detected.
I came across UIDevice uniqueIdentifier deprecated - What to do now? and Is there a unique Android device ID?.
I wanted to confirm a few things:
Does UIDeviceIDentifierForVendor for iOS change with iOS updates and app version updates?
A unique device ID (UIDeviceIDentifierForVendor for iOS - https://developer.apple.com/documentation/uikit/uidevice/1620059-identifierforvendor and IMEI for Android, since a hardware identifier would be sufficient for our use-case - https://developer.android.com/training/articles/user-data-ids) should be sufficient for my use-case.
Is there any similar way to uniquely identify a web browser or is a persistent cookie the only option to uniquely identify a web browser - Using cookies with Android volley library?
Note: Feel free to suggest any other better way to uniquely identify user devices (if any).
I looked through different questions on Stack Overflow and browsed through different blogs describing device fingerprinting and offering services to get a device fingerprint.
I'm expecting to find the best practices around uniquely identifying devices and the methods widely used for uniquely identifying user devices on iOS, Android and web browsers.

Why does Safari respond with "The operation cannot be completed" when registering WebAuthn Credentials?

When implementing WebAuthn authenticator registration on my site, I ran into the issue that during the attestation / registration process, Safari returns a modal saying "The operation cannot be completed" after I attest using one of my devices. The process works on other browsers, but fails on Safari.
This is because Safari fails WebAuthn registration for any attestation request asking for an additional attestation statement via the attestation conveyance.
I couldn't find this documented anywhere, but I played around with the Auth0 WebAuthn registration debugger and came to the conclusion that the "attestation" field was what was causing this popup. I would assume that Safari is being super defensive against any additional data being given about WebAuthn enabled devices via the protocol?
But in summary, ensuring:
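    navigator.credentials.create({
      publicKey: {
        // ...other PublicKeyCredentialCreationOptions fields...
        attestation: 'none', // do not request an attestation statement
      },
    });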
worked to prevent the popup for me.
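
An added example (not code from the original answer): a helper that converts server-issued registration options into the argument for navigator.credentials.create(), wrapping them in publicKey and forcing attestation to 'none', the setting the answer above found necessary for Safari. The JSON layout, the names buildCreateArgs and base64urlToBytes, and the sample values are assumptions.

```javascript
// Added example. The server JSON layout (base64url strings for challenge,
// user.id and credential ids) is an assumption, not taken from the page.
const CONVEYANCE = ['none', 'indirect', 'direct', 'enterprise'];

// Decode an unpadded base64url string into a Uint8Array.
function base64urlToBytes(value) {
  const b64 = value.replace(/-/g, '+').replace(/_/g, '/');
  const padded = b64 + '='.repeat((4 - (b64.length % 4)) % 4);
  return Uint8Array.from(atob(padded), (ch) => ch.charCodeAt(0));
}

// Build the argument for navigator.credentials.create(). Attestation is
// forced to 'none' unless the caller explicitly opts in.
function buildCreateArgs(serverOptions, { allowAttestation = false } = {}) {
  const requested = serverOptions.attestation ?? 'none';
  if (!CONVEYANCE.includes(requested)) {
    throw new TypeError(`unknown attestation conveyance: ${requested}`);
  }
  const exclude = serverOptions.excludeCredentials ?? [];
  return {
    publicKey: {
      ...serverOptions,
      challenge: base64urlToBytes(serverOptions.challenge),
      user: { ...serverOptions.user, id: base64urlToBytes(serverOptions.user.id) },
      excludeCredentials: exclude.map((c) => ({ ...c, id: base64urlToBytes(c.id) })),
      attestation: allowAttestation ? requested : 'none',
    },
  };
}

// Constructed sample input (not real registration data).
const sampleServerOptions = {
  rp: { name: 'Example RP', id: 'example.test' },
  user: { id: 'dXNlci0x', name: 'alice@example.test', displayName: 'Alice' },
  challenge: 'AAECAwQFBgc',
  pubKeyCredParams: [{ type: 'public-key', alg: -7 }],
  timeout: 60000,
  attestation: 'direct',
};

// Browser usage:
//   const cred = await navigator.credentials.create(buildCreateArgs(sampleServerOptions));
```

With attestation 'none', the server must not require a verifiable attestation statement when it validates the registration response.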

C++Builder TWebBrowser doesn't work with Google OAuth login

I maintain an application written in C++Builder 2009. Part of it involves using a TWebBrowser control (based on Internet Explorer) to send users to a Google login page in order to obtain an OAuth key. This has worked well for a while, but now Google, bless their hearts, has implemented some kind of security upgrade, and now my users get to a page that says "Couldn't sign you in, this browser or app may not be secure". FYI, I am already setting a Registry key that is supposed to make IE run in version 11 emulation mode.
I do have a couple of workarounds: If the user runs IE first in admin mode, signs on, leaves it up while running my application, we don't get the problem. Second, I can start up the default browser - Chrome, IE, whatever - and send them to the URL for OAuth, then it avoids the error message.
The problem with this solution is that without being able to hook into TWebBrowser events, I don't have any way to automatically retrieve the OAuth key - it is necessary for the user to cut/paste it into my application. I'd like to avoid these clunky solutions.
I should also mention, this problem occurs only for certain Gmail accounts. I have no idea what the difference is between accounts that work and don't work. Any ideas on that?
So, is there any way to configure IE or TWebBrowser so this security issue is bypassed? Or, if I was to update to a modern version of C++Builder and use TWebBrowser (or something else?), would this problem be avoided? Any other ideas to fix this problem?
The latest C++Builder supports Google's Chromium engine, so it's probably safe to say it'll be compatible with Google's security upgrades.
Powerful Chromium Based WebView Component To Host Web Content In Your Delphi/C++ Builder FireMonkey Apps

React Native Login Using WebAuth redirection to browser from app

When logging in using Auth0 WebAuth in React Native, it opens the browser for login.
I want to create a smooth login so that the user should not be able to tell whether I logged in using the app or the browser, just like a webview. Does anyone have any idea?
Just to be clear, are you asking if Auth0 supports doing this without a browser? Given that it's likely using OAuth2 or OpenID Connect, the short answer is no.
Further to that, WebAuthn is a browser-based JavaScript API, so by definition it would require a browser with these features to be available.
That said, there's probably nothing preventing you from implementing a native WebAuthn-like experience using CTAP2 (the protocol that sits underneath WebAuthn) directly or a platform-specific wrapper around the same.

Detect Installed Application URI Handler on Webkit browsers

I have a question mainly related to the iPhone web browser, but I am hoping the same solution would work on other browsers that are WebKit-based.
I have an application (iPhone + Android) that registers a handler for a custom URI (appuri://) on the phone. I am able to launch the application by making a link to "appuri://act/launch" from my web pages. This works only if my application is installed on the device. If the device does not have the app installed, then a message comes up: "Safari was not able to open ....".
What I want to do is detect if the URI Scheme is supported from the browser and then prompt my own message saying "please download the app ..blah blah blah" if the handler for the URI scheme is not found.
Is there a way I can detect or find the list of URL scheme handlers on the phone from the web browser?
Protocol handlers are implemented below the browser, and giving foreign code direct access to operating system internals would be a pretty horrible idea, so, not without a plugin.
And since you can't run plugins in Mobile Safari, the answer's probably going to be "no."