Feature name: FIDO2 on Android, Web and in the Server
Feature Description
The idea is to apply the FIDO2 for Android, web application and for the server;
Where the user can authenticate using FIDO2 as two-factor, where he can use “Platform (Windows Hello, Pin, biometric)” and “Cross-Platform (Yubikey)” keys to authenticate;
On the server side I use “fido2-net-lib” to treat the FIDO2 data;
On Android and in Web application I use the FIDO2 API of Android and the Web Application;
This way you guys can remove the old version FIDO U2F, for this version and in this version android FIDO2 works;
Clients / Repos Affected:
Server
Web
Mobile
Timeline to completion (estimate):
I have already FIDO2 running on Android, web application and server.
I am studying FIDO2 for my course and this is my proof of concept, so I want to show you my result, but I need to talk to you alone, if you can send me a message, I can show you the result.
I think Bitwarden has already implemented WebAuthn/FIDO2 support in most of their products (everything but mobile?), but it isn’t in an official release yet.
Not too sure what Bitwarden’s status/progress on Android is.
We haven’t started on Mobile, it’s actually a card on our development board for Q2, so was going to be the next thing the team snags to start work on (but as of today, has not started).
I will soon (next 4 days) put my project here server, web and mobile, I am just waiting for fido2-net-lib to release a small update that is coming soon to resolve a problem on Android origin on the version 2.0.0. And then you all can check my code on the Android and create one project adapted for WebAuthn.
For android the origin needs to be exemple “android:apk-key-hash:LBpmHljqwJJLdXVNpjfdAz2k2MNojcSFZZIuRj1B4wI”, so the server needs to be prepared to receive hash key and needs to exists assetLinks.json on https://bitwarden.com/.well-known/assetlinks.json.
Yes, there have been some unfortunate delays in updating Xamarin and Xamarin Forms along with some refactors necessary to keep up with the framework changes; as well as some high priority bugs and security fixes that were necessary to tackle in mobile which pushed this out… part of the reality of software development and delivery I’m afraid. It is literally the next card to get attention/work (we’re trying to tie the bow on the Xamarin Forms update this week, but again, that’s if all goes well).
Frustrating as this sort of delay is I very much prefer a belt and braces approach with this sort of software. My passwords are stored in Bitwarden software. I want them to be stored as safely as possible.
If I wanted software which has not been properly tested then companies like Microsoft are available (and they do offer to store people’s passwords, though they are stored extremely insecurely in their software).
I don’t think anyone is advocating inadequate / improper testing, David! We’re just keen to see a key security feature being introduced as soon as possible, with proper testing of course.
As we move into June now, I am wondering if there has been any progress on the U2F on Android support? Has development started now? Any projections on likely availability?
Its interesting to notice when it comes to security, the phones are now more widely and frequently used then PCs but every single app doesnt support security keys. They do support it on desktop however. For instance Tutanota email… if you set up free account and add security keys, forget about using it on your phone (where you actually need it the most) cause the app doesn’t support security keys, it’s ridiculous!
Also really need this. Would it be possible to just use the fido2 hardware key as a main login method? I have a ledger nano x with a pincode, and it seems to be more secure than password login anyway. It gets really annoying typing my long master password on mobile.
