FIDO2 support for macOS and Linux desktop client

tgreer · March 3, 2021, 4:25pm

Calendar year - the Gregorian calendar, specifically

codemichael · March 19, 2021, 3:00pm

The updated roadmap no longer specifically calls out this feature. Has it fallen off, or just no longer worth of being called out specifically?

tgreer · March 19, 2021, 3:14pm

It’s still there - we’ll update the image for the roadmap timeline to reflect it.

codemichael · July 6, 2021, 12:58pm

Looks like the most recent roadmap update only calls out the mobile apps. Are desktop apps covered by any of the roadmap items or is it no longer a planned feature?

tgreer · July 6, 2021, 1:08pm

Windows desktop is already live with FIDO2, macOS is in progress

codemichael · July 6, 2021, 1:22pm

Great news!

Sorry to be “that guy”, how about Linux?

tgreer · August 27, 2021, 8:37pm

Mobile is underway:

github.com/bitwarden/mobile

FIDO2 WebAuthn support for mobile

bitwarden:master ← bitwarden:feature-fido2webauthn

opened 08:25PM - 27 Aug 21 UTC

mportune-bw

+261 -121

Support for FIDO2 WebAuthn in iOS & Android. Since iOS only supports FIDO2 via …Safari, the decision was made to ditch the native API in Android and use a single code path for both platforms (using `WebAuthenticator`; I'll push the native API work to a separate branch in case we ever want to revisit). This has the added benefit of not excluding our F-Droid users since the native API is part of Google Play Services, as well as being able to ship this ASAP without waiting for [these changes](https://github.com/passwordless-lib/fido2-net-lib/pull/237) to make it into production. Additional changes: Reworked the method of showing the progress dialog/spinner during use of `WebAuthenticator` based on issues discovered while working on FIDO that I accidentally avoided while working on SSO. Brought these changes to captcha as well to smooth out the flow. Also discovered the latest version of WebAuthenticator supports ephemeral webviews which has the additional side-effect of _not_ prompting to open the view on iOS, so I applied this to both WebAuthn & captcha to smooth out the experience (left in place for SSO because of our use of cookies across sessions). Tested with a YubiKey 5C NFC & 5Ci, which covers NFC, USB-C, and Lightning. Notes on NFC: This process is clumsy on Android due to the speed of the handoff to the default scan handler after the FIDO2 scan is complete, combined with the way the system treats impromptu scans. If you don't physically distance the key soon enough after the FIDO2 scan the default handler scans it again and opens a web browser showing a Yubico page. You can time it with the device vibrations to get a perfect scan - a successful WebAuthn scan will result in 2 distinct vibrations. If you feel a 3rd one, you waited too long. And if you only feel 1, you pulled away too soon and the scan will fail with an error. (For the record this happens with the native FIDO2 API as well). Technically iOS does this as well but they trigger a notification instead of opening a browser, so the user doesn't have to worry about their reflexes during login. Edit: Forgot to mention some UI work is still needed for the mobile webauthn-connector: ![android](https://user-images.githubusercontent.com/59324545/131185277-edd2eead-fd2f-4b38-8a73-cbee05238254.png) ![iOS](https://user-images.githubusercontent.com/59324545/131185288-cfd7072e-0906-4ec7-baf8-5deb093b26b6.png)

@codemichael I’ll have to check on Linux timing, but overall Fido2 is a big priority for us

Hans_Mata · September 22, 2021, 8:41am

I just downloaded from playstore and FIDO2 on Android does not appear to be working with my Yubikey NFC and 5c. Only OTP works, same as last year. After I disabled Yubikey OTP, the android app now says “Login Unavailable … none of the configured two-step providers are supported on this device.” Android app does not even attempt to read via NFC. It’s back to KeePass again.

tgreer · September 22, 2021, 11:24am

@Hans_Mata hang tight! We’re about to release FIDO2 support in the next app version later this week.

Ayitaka · September 22, 2021, 11:45pm

Any (iOS) TestFlight available for this, by chance?

tgreer · September 22, 2021, 11:47pm

It was just published in the App Store actually!

Ayitaka · September 23, 2021, 12:23am

Not yet available for self-hosted? /webauthn-mobile-connector, is live at Bitwarden Mobile WebAuthn Connector, but I am not seeing it in the nginx config on github nor on the latest released self-hosted version.

tgreer · September 23, 2021, 12:25am

Ah! Not quite yet

The self hosted updates are normally delayed a few days as we monitor the release on our SaaS solution.

Hans_Mata · September 30, 2021, 1:12am

Still not working with Yubikey 5c and Yubikey NFC, via NFC nor USB-C. With the 5c, I get two vibrations then it goes to Yubikey OTP site. If I disconnect immediately after one vibration, nothing happens.

With Yubikey NFC, nothing happens.

I guess it’s back to KeePass again.

blackph0en1x · October 23, 2021, 8:25pm

@tgreer any news for this on MacOS. Would really like to get rid of Authy and only use my shiny new yubikey with webauthn.

tgreer · October 24, 2021, 12:05am

Heh, I understand! I think we are still waiting on an Electron fix for this and another request with TouchID.

@hinton do you happen to know the issue with electron specifically?

blackph0en1x · October 24, 2021, 9:30am

Please put this on a high priority because it tampers security. As I am not using the Desktop app very often I think I will drop it completely until webauthn will be implemented.

Thanks for the reply @tgreer

Hinton · October 27, 2021, 8:20am

We are blocked by Electron not supporting the WebAuthn dialogs on macOS, feat: webauthn dialog support by sentialx · Pull Request #28349 · electron/electron · GitHub.

blackph0en1x · October 27, 2021, 1:08pm

Thank you @Hinton.
This really messes things up

anon75118202 · October 31, 2021, 10:51am

This feature seems to be at every other platform besides MacOS, so can you implement this feature for the MacOS desktop app as well. The weird part is that in the last Vault Hours this was asked, but the team said that it is already implemented even though it isn’t.