
Can I use phone as webauthn security key with Windows 10 Sign-in options

Edit: -

Look, is it just me, or doesn't the W3C spec say this should be happening already:

1.2.2. Authentication

On a laptop or desktop:

User pairs their phone with the laptop or desktop via Bluetooth.

User navigates to example.com in a browser and initiates signing in.

User gets a message from the browser, "Please complete this action on your phone."

Next, on their phone:

User sees a discrete prompt or notification, "Sign in to example.com."

User selects this prompt / notification.

User is shown a list of their example.com identities, e.g., "Sign in as Mohamed / Sign in as 张三".

User picks an identity, is prompted for an authorization gesture (PIN, biometric, etc.) and provides this.

Now, back on the laptop:

Web page shows that the selected user is signed in, and navigates to the signed-in page.

===============

My WebAuthn code happily interacts with Windows Hello for user verification via PIN. My Samsung Android phone happily interacts with the https://webauthn.appspot.com demo and accepts fingerprint verification.

But I can't seem to use my phone as a security key, like a YubiKey connected to my computer?

I can pair it with the PC via Bluetooth or tether it with a USB cable, but Windows will not recognize it as a security key.

Is this possible, or is the functionality restricted? If we could use our phones as security keys, we'd need no special dongles for platform-agnostic authentication.

McMurphy asked Mar 14 '21 12:03




2 Answers

In order for that to work, the phone device manufacturer would have to either always present itself as a FIDO2 authenticator, or have some sort of switch that allows it to change mode, kind of like how you can configure the USB connection to be for charging or for data transfer. I don't see any technical reason why that could not be done; in fact, it's come up multiple times in various discussions, but to my knowledge that is not an Android feature, at least not yet.

aseigler answered Sep 30 '22 00:09


For that, either the smartphone OS or a 3rd-party application needs to implement the CTAP protocol to receive and process authentication operations on the phone. Currently, Android does, but not in a way that lets it be used as a cross-platform authenticator that is not stuck to only one PC. For 3rd-party apps, there are some certified solutions that are listed on the FIDO Alliance website as certified authenticators.

Hamed answered Sep 29 '22 23:09
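
The distinction both answers turn on, platform authenticator versus roaming (cross-platform) authenticator, is visible from the relying party's side. The following is an added example, not code from the question or either answer: the function names are hypothetical, the option fields and transport strings are those defined by WebAuthn, and the inputs to the classifier are assumed to come from `credential.authenticatorAttachment` and `credential.response.getTransports()` in the browser.

```javascript
// Added example; function names are hypothetical.
// "internal" is a platform authenticator (Windows Hello, or the phone's own
// sensor when the browser runs ON the phone). The others reach the client
// from a separate device, which is what a phone-as-security-key would need.
const ROAMING_TRANSPORTS = new Set(["usb", "nfc", "ble", "hybrid"]);

// Registration options that ask the client for a roaming authenticator only.
function roamingCreationOptions(challenge, user, rpId) {
  return {
    publicKey: {
      challenge,                      // random bytes issued by the server
      rp: { id: rpId, name: rpId },
      user,                           // { id: Uint8Array, name, displayName }
      pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
      authenticatorSelection: {
        authenticatorAttachment: "cross-platform", // rules out Windows Hello
        userVerification: "required",              // PIN or biometric gesture
      },
      attestation: "none",
    },
  };
}

// Classify what answered the ceremony. Transports are self-reported hints,
// so use the result for UX and logging, not as a security guarantee.
function classifyAuthenticator(attachment, transports) {
  const via = transports.filter((t) => ROAMING_TRANSPORTS.has(t));
  if (attachment === "platform") return { kind: "platform", via: [] };
  if (attachment === "cross-platform") return { kind: "roaming", via };
  // Attachment not reported by the client: fall back to the transport hints.
  if (via.length > 0) return { kind: "roaming", via };
  if (transports.includes("internal")) return { kind: "platform", via: [] };
  return { kind: "unknown", via: [] };
}

// In a browser:
//   const cred = await navigator.credentials.create(
//     roamingCreationOptions(challengeFromServer, user, "example.com"));
//   classifyAuthenticator(cred.authenticatorAttachment,
//                         cred.response.getTransports());
```

With these options Windows Hello is not offered, and a phone is only selectable if it reaches the client over one of the roaming transports, which is the capability the answers say the phone OS or a third-party app has to provide.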