Mobile Authenticator using CTAP2 specifications - authentication

I am looking for the use case/scenario for setting up a smart phone as an authenticator using CTAP2 specifications.
I am looking for the use case in which a user setup the browser to interact with their smart phone the same way it would when using Yubikey or another similar security key. I have read all the documentations related to it but unfortunately what I always get an article using Yubikeys / other USB devices as the authenticator. I am looking forward for some interaction where mobile phone serves a roaming authenticator.
By having a look at the documentation and CTAP specification conceptually I know this can be done by having some connection between the phone and the host via:
Bluetooth
NFC
USB
After establishment of connection the mobile authenticator could then implement the CTAP2 protocol so that the browser considers it as roaming authenticator. I am also looking forward to see the authentication process using some BLE enabled device. I have already tried log-in using yubikey security key on website. But I want to achieve the same flow login-mechanism using Bluetooth enable Thetis BLE key or mobile itself.
Any insights would be very helpful. I am also looking forward for people working on this particular use case to have a mutual discussion.

First, you need to follow this spec to develop your roaming authenticator. FIDO2 standard is recommended if you start the development now. There are 2 modules which may take your time to research & develop your authenticator: BLE, FIDO Crypto logic. This is the hardest work because there is no kind open source published for reference, you must be totally working with spec.
Second, you can use one these clients to test your authenticator while developing:
https://webauthn.io
https://demo.yubico.com/webauthn-technical/registration
...
Note: It's not convenient to do iOS authenticator now. Please check this issue to see why
Third, you may use FIDO Conformance Tools to validate your authenticator.
Finally, you may go get certified and register on MDS if need

I am searching for the same thing. For future readers as of now 2020, below resources are helpful if anyone else is looking.
You could look into https://github.com/solokeys/solo which provides open source implementation for hardware and firmware. It is a great starting point. As they have ctap implemented they also have hid emulation using usb_gadget for linux.
You could also look into https://github.com/github/SoftU2F which is a software u2f for MacOS using mac keychain.

Related

When using Transmit Security, Can I use the WebAuthn SDK to build backchannel authentication flows?

What are other capabilities for WebAuthn SDK for backchannel authentication flows?
Curious to see if this is possible?
Yes - in fact there are two options, one is already available and the other will be released towards the end of 2022.
The first one leans on the cross device authentication flows. As described in the guides https://developer.transmitsecurity.com/guides/webauthn/sample_flow_sdk/#1-initiate-cross-device-flow - the APIs allow you to start a flow on one device and continue on another device.
While the guide focuses on a "desktop to mobile" flow, you could in fact use a backend to initiate the cross device flow, and otherwise follow the above guide:
Calling https://developer.transmitsecurity.com/openapi/webauthn/auth-session/#operation/startUnauthorizedSession and obtain an auth_session_id
Use this auth_session_id as part of a message to invoke the front authentication (send an SMS, etc) - which is performed according to the guide (this is the part described as "mobile" in the guide)
Have the backend poll on the auth_session_id using https://developer.transmitsecurity.com/openapi/webauthn/auth-session/#operation/getSessionStatus
As mentioned, we are soon releasing a CIBA API that will allow performing this in an OIDC compliant way. We will of course release a guide for this as well.

Using CTAP2 to authenticate to an app on the same device

CTAP2 allows apps on mobile phones to act as roaming authenticators. An app may implement the protocol over one or more of the supported transports.
However, there are use cases where the web or native app being accessed would be run on the same mobile device as the roaming authenticator. Can this use case be supported by CTAP2?
PS: Why is there no ctap or ctap2 tag? I used 'fido' as a proxy.
However, there are use cases where the web or native app being accessed would be run on the same mobile device as the roaming authenticator. Can this use case be supported by CTAP2?
CTAP defines a protocol that is used between devices. For apps to provide credentials on the same device, the OS of that device would need to support them plugging into the standard APIs.
We (Google) said yesterday, “Please stay tuned for more updates from us in the next year as we introduce changes to Android, enabling third party credential managers to support passkeys for their users.” But I believe that's the most that any of the platforms have said on this point so far.

Can we store and read keys in Fido2 device (yubikey)

I am working on an android and iOS application that needs to have a password-less solution for login. We are trying to implement WebAuthn/Fido2 device.
The problem is that Fido is still new and there is no React-Native library that implements that. So I have a few questions regarding it.
Can we read and write our own key in the Fido2 device?
=> Till we get a proper library, I want to store an encrypted password on the fido2 device as a key, read it every time on login, and decrypt it. Is it sounds good to implement and is it possible to do?
#DevPy
To support WebAuthn/FIDO2 from your React Native iOS application, the recommended solution is to integrate one of two Apple iOS system browsers (ASWebAuthenticationSession or SFSafariViewController) that support WebAuthn APIs. ASWebAuthenticationSession would be my first choice as this browser is for authentication through a web service, specifically the OAuth 2 flow. This provides the interface, built-in APIs for interacting with the FIDO2 authenticator, like the YubiKey, and gives the developer control with callback to the session and authentication token. Another way to integrate WebAuthn is to utilize a third-party SDK for communicating with OAuth 2 providers. For example, AppAuth for iOS has a React Native bridge, available here. I believe the AppAuth SDK uses the ASWebAuthenticationSession.
As for the initial question of writing/reading your own custom key, the FIDO2 devices are limited in storage space but the YubiKey offers two options that may work for you. One is the option to create a static password (not encrypted) or utilize the Yubico OTP. Both options use the system keyboard to type out the password or OTP into any text/password field within your app. No SDK or system browser required.
FIDO2/WebAuthn is specifically a browser API. Since you're talking about authentication within a (React) native app then you'll probably want to fall back to equivalent native OS API's instead.
For Android you can use the Fido2ApiClient, which will let you leverage existing FIDO2 credentials on your server for in-app authentication:
https://developers.google.com/android/reference/com/google/android/gms/fido/fido2/Fido2ApiClient
I think the equivalent on the iOS side of native app development is Authentication Service. They have a page specifically about leveraging "passkeys" in your app that will probably help get you started:
https://developer.apple.com/documentation/authenticationservices/public-private_key_authentication

Best Practices for Web App Authentication in Industrial Settings

I'm creating a web application intended for a heavy industrial setting. Would like the operators to be able to use a central tablet or computer as an interface to the application, so multiple operators would be sharing a device during a given work shift. Plenty of information on standard personal devices, but not shared industrial settings.
Question - What is the best way for web app security/authentication and what are the various alternatives?
Would they all use the same authentication session (this is not preferable, as I'd like to uniquely identify the active user)?
Obviously I could use standard username/passwords with token based sessions that expire, however, this leaves a lot of potential for account hijacking.
Ideally, they'd be able to log on very quickly (PIN, perhaps?) and their session would end when they are done.
In industrial settings, you typically want ruggedized hardware. This is fairly specialist kit, and typically much more expensive than "vanilla" computing hardware. Depending on the environment, you may need waterproof and dustproof enclosures. Google will provide a range of options. Non-ruggedized equipment will usually not withstand the harsh conditions, and is likely to fail quickly or unpredictably.
If you want to audit who made particular entries, you'll want some kind of authentication mechanism. Biometric logins - fingerprint etc. - are available on a range of devices, and will make it easy for people to log in without entering usernames and passwords (which are often shared). In this model, the user authenticates to the operating system, not the web application; gluing those together is do-able, but heavily dependent on your enterprise identity management system and the frameworks you're using for building your web application.
Another option is to use RFID cards - again, many ruggedized computers support RFID readers which can read a card or keyring style physical object. This is less secure than biometric authentication as people do share cards. Again, authentication here is at the operating system level.
The benefit of using the operating system's authentication tools is that you benefit from all the work done to secure access in a range of environments. For instance, most OSes allow you to set a policy to lock screens after a certain time out (and unauthorized users cannot override this).
Building authentication into the web application is also an option, but AFAIK biometric solutions are still a little esoteric for web apps. Username/password is easy enough in most frameworks, and if you set a short session time out, the chances that someone will forget to log out and leave the browser logged in are slim. Not good enough for the nuclear launch codes, but for a line-of-business app, probably OK.
You could also look at alternatives to username/password authentication, without using biometrics - e.g. a passcode or image recognition option ("here are 16 random images, which is your grandmother?"). AFAIK, that's not a standard feature in most web development frameworks, so you'd have to roll your own.
Thank you for posting this cool problem.
Is the device in a controlled setting, where only authorized workers can have access to it? Is the possibility of theft of the device low, as in the people who have access to it are unlikely to move it?
Is your main interest, in other words, identification and not authentication? If so, how do you quickly identify who is operating the computer without interfering with the work or making it too cumbersome to use? Do you need to identify the person in order to carry-out the work, or is having the identity merely a precaution for later audit, to answer the who did it question?
One option is to use face recognition or simply capture a photo. Other biometrics are possible such as voice and fingerprint. An id card or dongle can be passed around, has to be fished-out in order to use, and the worker has to remember to bring it. A pin or other secret can be readily shared as well. Capturing a biometric is a reliable way to identify the worker.
Can you do smart card auth? That's how we used to do it in the old days. This was circa 2006, using Windows XP. Smart Card reader was a USB device, the auth was standard windows with smart card, however I can't recall anything about the cards.
Login to the device by reading the operators smart card, then do kerb auth against the service. If kerb is too old school, you could probably turn OS auth into OIDC without too many dramas using something like Okta or Auth0.
Alternatively have the device use the same credential for all users, but get the os user name from the request context somehow.
EDIT
For some more concrete examples of this:
Here's the windows article on smart card auth: https://learn.microsoft.com/en-us/windows/security/identity-protection/smart-cards/smart-card-how-smart-card-sign-in-works-in-windows Getting hold of the cards / card reader is not something I've got any experience with, but it's usually bread and butter for industrial sites where a user has to clock on / clock off.
Once the user is authenticated to the OS then it's a matter of use that auth context to get a web friendly auth scheme.
You could also use SAML Federation between an IdP and ADFS/AzureAD which would allow you to issue a OAuth2 access token
Okta supports can do SSO (by effectively hiding the SAML Federation) using a browser plugin: https://help.okta.com/en/prod/Content/Topics/Apps/Apps_Browser_Plugin.htm.
End result is that for a user logged in to Windows you can issue an Oauth2/OIDC access token
The web app can use standard OAuth2 access token authentication
A lot of this is nothing to do with the web app, it's all about how to take the OS auth context and use that to get something "normal" for the web app to consume.
Good luck!

Can i create a custom authentication system on top of SkylinkJS

i'm building a website that uses WebRTC to share audio and video. Now i'd like to access WebRTC features on Android devices so i can create an app that can receives audio and video streams from the website.
I've looked for a technology allowing me to do that and I've found SkylinkJS.
It looks great but i'm wondering something. Can i build a custom authentication system on top of SkylinkJS logic. What i mean is that i'd like to make sure the connection to SkylinkJS rooms are initiated by users actually authenticated on my platform.
At the moment, i do that using socket.io but i can do it since i'm using raw WebRTC. How can i do that using SkylinkJS? Using the REST API?
Thanks.
PS: i cannot tag this question with 'skylinkjs' since it's a new tag, but it mights be cool if someone could do it.
Yes you can integrate that with the REST API in this Applications REST API link here - . You can generate your own credentials.
You can generate the connecting credentials from your server and then when the User logs in, generate the credentials for Users to connect to the Room. See more in their support article.
SkylinkJS uses key based authentication mechanism to authenticate against the Temasys signaling servers. This ensures that any application using Skylink can only connect to calls in your application if the app can provide the same secure keys (from your Temasys developer account).
Your best bet in looping in Android would be to use the android counterpart. http://skylink.io/android/