FIDO2 on Android, Web and in the Server

Feature name: FIDO2 on Android, Web and in the Server

Feature Description

  • The idea is to apply FIDO2 to Android, the web application and the server;
  • The user can authenticate using FIDO2 as a second factor, where he can use “Platform (Windows Hello, PIN, biometric)” and “Cross-Platform (YubiKey)” keys to authenticate;
  • On the server side I use “fido2-net-lib” to handle the FIDO2 data;
  • On Android and in the web application I use the FIDO2 API of Android and of the web platform;
  • This way you guys can remove the old FIDO U2F version; in this version Android FIDO2 works;

Clients / Repos Affected:

  • Server
  • Web
  • Mobile

Timeline to completion (estimate):

I already have FIDO2 running on Android, the web application and the server.

I am studying FIDO2 for my course and this is my proof of concept, so I want to show you my result, but I need to talk to you alone, if you can send me a message, I can show you the result.

Contact:
https://www.linkedin.com/in/elton-pastilha/

1 Like

I think Bitwarden has already implemented WebAuthn/FIDO2 support in most of their products (everything but mobile?), but it isn’t in an official release yet.

Not too sure what Bitwarden’s status/progress on Android is.

Server:

Web Vault:

We haven’t started on Mobile, it’s actually a card on our development board for Q2, so was going to be the next thing the team snags to start work on (but as of today, has not started).

I will soon (in the next 4 days) put my project here: server, web and mobile. I am just waiting for fido2-net-lib to release a small update that is coming soon to resolve a problem with the Android origin in version 2.0.0. Then you all can check my Android code and create a project adapted for WebAuthn.

For Android the origin needs to be, for example, “android:apk-key-hash:LBpmHljqwJJLdXVNpjfdAz2k2MNojcSFZZIuRj1B4wI”, so the server needs to be prepared to receive the key hash, and assetlinks.json needs to exist at https://bitwarden.com/.well-known/assetlinks.json.

1 Like
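The Android origin described in the post above is the base64url (unpadded) SHA-256 of the APK signing certificate, and the same digest is what assetlinks.json publishes as a colon-separated hex fingerprint. The following is an added example (not code from this thread, from Bitwarden or from fido2-net-lib) of how a relying party can accept both web origins and Android origins vouched for by its assetlinks.json; the certificate bytes, package name and web origins are constructed placeholders.

```python
import base64
import hashlib
import json

# Constructed for the example; a real RP would list its actual web origins.
ALLOWED_WEB_ORIGINS = {"https://bitwarden.com", "https://vault.bitwarden.com"}
LOGIN_RELATION = "delegate_permission/common.get_login_creds"


def _b64url(digest: bytes) -> str:
    return base64.urlsafe_b64encode(digest).rstrip(b"=").decode()


def apk_key_hash_origin(signing_cert_der: bytes) -> str:
    """Origin an Android FIDO2 client puts in clientDataJSON:
    'android:apk-key-hash:' + base64url(SHA-256(DER signing certificate))."""
    return "android:apk-key-hash:" + _b64url(hashlib.sha256(signing_cert_der).digest())


def android_origins_from_assetlinks(assetlinks_json: str, package_name: str) -> set:
    """Turn the sha256_cert_fingerprints of the matching android_app statement
    into the set of apk-key-hash origins the server should accept."""
    origins = set()
    for stmt in json.loads(assetlinks_json):
        target = stmt.get("target", {})
        if target.get("namespace") != "android_app" or target.get("package_name") != package_name:
            continue
        if LOGIN_RELATION not in stmt.get("relation", []):
            continue  # statement does not delegate credential use to this app
        for fp in target.get("sha256_cert_fingerprints", []):
            origins.add("android:apk-key-hash:" + _b64url(bytes.fromhex(fp.replace(":", ""))))
    return origins


def origin_is_allowed(client_data_json: bytes, android_origins: set) -> bool:
    """Server-side origin check on the decoded clientDataJSON of a WebAuthn response."""
    origin = json.loads(client_data_json).get("origin", "")
    if origin.startswith("android:apk-key-hash:"):
        return origin in android_origins
    return origin in ALLOWED_WEB_ORIGINS


def demo() -> dict:
    cert = b"constructed placeholder, not a real DER certificate"
    fingerprint = ":".join(f"{b:02X}" for b in hashlib.sha256(cert).digest())
    assetlinks = json.dumps([{"relation": [LOGIN_RELATION], "target": {
        "namespace": "android_app", "package_name": "com.example.app",
        "sha256_cert_fingerprints": [fingerprint]}}])
    android = android_origins_from_assetlinks(assetlinks, "com.example.app")
    good = json.dumps({"type": "webauthn.get", "origin": apk_key_hash_origin(cert)}).encode()
    other_apk = json.dumps({"origin": apk_key_hash_origin(b"some other signer")}).encode()
    web = json.dumps({"origin": "https://vault.bitwarden.com"}).encode()
    return {"android_ok": origin_is_allowed(good, android),
            "other_apk": origin_is_allowed(other_apk, android),
            "web_ok": origin_is_allowed(web, android),
            "origin_len": len(apk_key_hash_origin(cert)) - len("android:apk-key-hash:")}
```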

Wow, that is news. Having been told in Q3 last year it was coming in Q4. Then “early in Q1 2021”, then “Q1” and now “we haven’t started”?

I feel a little let down by this to be honest. I paid for BW expecting this to be supported.

1 Like

Yes, there have been some unfortunate delays in updating Xamarin and Xamarin Forms along with some refactors necessary to keep up with the framework changes; as well as some high priority bugs and security fixes that were necessary to tackle in mobile which pushed this out… part of the reality of software development and delivery I’m afraid. It is literally the next card to get attention/work (we’re trying to tie the bow on the Xamarin Forms update this week, but again, that’s if all goes well).


3 Likes

Check out this commit (DestruidorPT/mobile/commit/8f0d4c761f1040ced72081872587bb34041133b1); it has files with the FIDO2 models to send to and receive from the server, and has these important files (“Fido2System\Fido2BuilderObject.cs”, “Fido2System\Fido2BuilderDictionary.cs” and “Fido2System\Fido2Service.cs”) which contain how to execute FIDO2 and build FIDO2 on Android.

And for FIDO2 on Android to work, AssetLinks must exist; here is an example for the web (web/commit/f800b09fa8db4b2ea5d73b978cba3ecd6efd9fd4) and the server (server/commit/cee9e5b2e12b92b68b4b42b9f603be93bce0b231).

My project is posted in these repositories:
DestruidorPT/server;
DestruidorPT/web;
DestruidorPT/mobile;
If you want to check Android working, send me a private message and I will show you.

@mp-bw, FYI :point_up:

Frustrating as this sort of delay is I very much prefer a belt and braces approach with this sort of software. My passwords are stored in Bitwarden software. I want them to be stored as safely as possible.

If I wanted software which has not been properly tested then companies like Microsoft are available (and they do offer to store people’s passwords, though they are stored extremely insecurely in their software).

I don’t think anyone is advocating inadequate / improper testing, David! We’re just keen to see a key security feature being introduced as soon as possible, with proper testing of course.