Support for U2F / Fido2 / webauthn? #849
Comments
|
Same question here. |
|
Here's a Chromium ticket confirming this is handled by Google Play Services. I just wanted to throw in that the PIN implementation is especially important to me. |
|
Hi everyone, I was wondering if anybody is currently working on this issue? |
|
It seem that this issue should affect CalyxOS, /e/ OS and some others as well. I guess that now with more workers doing their job from home their enterprise will ask for some security level using keys like Yubikey, OnlyKey... |
|
I'm very interested in this feature as well. At least support for simple Registration/Sign-In could probably be implemented fairly easily using https://github.com/cotechde/hwsecurity. I've considered trying that route but I'm unsure regarding the licenses. This project is Apache 2.0 licensed, hwsecurity is GPLv3. From my (admittedly very limited) understanding of Open Source license compatibility, this means we can't even link against that library. Is that correct? Can anyone with more knowledge on that subject confirm/deny before I waste time on an unusable implementation? |
|
You should not link to that directly or this project would need to switch to GPLv3. However, you could expose an API at this project level that could be implemented in a separate app, like what is done with location providers. This way the supposed hwsecurity "mfa-provider" (or whatever we call it) itself could be a GPLv3 app, keeping microG on the other side of the API, and no licensing issues. |
|
Yeah, that's what I thought, thank you for confirming. While not ideal for the end user, I guess this is still the most viable solution. I currently don't have a phone that is suitable for microG but I do plan on getting one. I'll give this a go if I can manage to find the time. |
|
Just a small note from us, the devs of the Hardware Security SDK at https://github.com/cotechde/hwsecurity: Currently, the SDK is dual-licensed under the GPLv3 and a proprietary license. This allows us to have a business model by selling the SDK under the proprietary license that allows our customers to include it in their closed-source software. Our business no longer works when we would license the SDK under Apache v2 since the Apache license allows the inclusion in closed-source apps. That said, feel free to build one GPLv3 app with the SDK that exposes the API via AIDL and the call it from microG. |
|
+1 here, from someone using FIDO2/WebAuthN in production at day job, and having implemented FIDO2 server-side protocol in PHP. Having support either in MicroG or the OS build would be great. Noting from the Chromium ticket referenced above, this is nothing that would /have to/ live in MicroG but could go all the way down to AOSP. Sad that there's no resource in AOSP for this to happen. I guess an app+linking to HWSecurity code is the easiest way forward short-term. |
|
I just want to point out, that there's another issue regarding FIDO implementation: last time I tried using FIDO (YubiKey 5 NFC) on a regular Google Play Services enabled Android phone, the only browser that worked with it was Google Chrome. Other browsers didn't work. Now, I don't know if it's Google's FIDO implementation that intentionally makes it unusable in other browsers (since other browsers like Firefox technically do have support for FIDO, just look in If we were to implement FIDO in microG or all the way down to AOSP, we would still have to wait for third party browsers to implement the API. |
|
Btw, is there anything wrong with switching microG to GPLv3? Just curious. |
|
I tried current Firefox 92 on a Samsung S6 with stock Android 7 and that supported FIDO2 just fine. I.e. can't confirm a "Chrome only". |
|
Are the microg maintainers against bountys because if not I'd like to put one on this |
|
I added a 20$ bounty for this |
Hmm, then they've probably fixed it since the last time I tried. I don't have Google Services anymore, so I can't test it again. But that's not important anyway, the important part right now is getting FIDO support to microG. Would it be possible to make the mfa-provider-app-thingy able to translate Google Services FIDO API calls into API calls compatible with the HWSecurity SDK? Because that would make FIDO enabled browsers, that are currently working with Google Services, work with microG. Another thing I wanna point out is this, don't know how it's gonna play out with the (hopefully) upcoming microG implementation. |
|
Important to note that as of version 92 Firefox Android supports webauth.
https://www.mozilla.org/en-US/firefox/android/92.0/releasenotes/ |
It still doesn't work with microG tho, I tried it a couple of days ago. |
correct |
|
I would also be interested in FIDO2 support.
Where can I add a bounty? |
https://www.bountysource.com/issues/75974640-support-for-u2f-fido2-webauthn |
|
Are bounties still interesting here? On bountysource, microG project says that other methods should be considered instead. I'd be OK if @mar-v-in takes this, but if this is not an "official priority" I'd be also ok sponsoring somebody external to the project for this task (would love to confirm if he would, too). Should we just fund the bountysource? Anyone's estimate of worth raising for this feature to land? |
|
If needed I'd be willing to raise my bounty in order to get a guarantee this feature will be implemented, |
|
Please don't put any bounties on bountysource. They failed to pay out for several months now. As of now, I haven't looked into what it takes to implement the U2F APIs at all, so I also don't know how much work it would be. I do have it on my list though. |
|
Great to hear. Would be a useful feature to have. Just donated to your GH sponsor instead because this project is what makes my phone usable while maintaining my privacy. Happy to take a stab at some Java/C glue code once it's clear what actually needs to be done. |
I have also just set up a recurring donation via GH sponsors so this might hopefully get some extra attention! (I understand that you might be too busy; just trying to help) |
|
Nice to see a milestone added to this. Thanks for prioritizing it somewhat, @mar-v-in. Glad to be a sponsor as well. |
|
Logcat of two attempts at login below. |
|
Maybe I'm again living in the past with my Fairphone 3 /e/OS 1.4 build, apologies. In case not: I tried to register the Fairphone against a server that required Passwordless compatibility (userVerification required, residentKey required, keyProps report requested, credProtect = 2 required). Basically the client-side JS you can find here: https://github.com/simplesamlphp/simplesamlphp-module-webauthn/blob/release-2.0/www/assets/js/webauthn.js#L116 To my surprise, the microG "token" went through a successful registration but did not report about a resident key being created (it did execute and report about userVerification being done). This is not a conformant implementation: if residentKey is set to required, it needs to fail the registration process if it cannot assert resident keys. And if it does support resident keys with the credProps client extension, it needs to respond with credProps or fail the request if it doesn't understand the extension. Of course, once it properly creates and stores and reports about resident keys, a natural question would be how the security of the stored credentials is ascertained. Like, does microG use TEE storage if available on the phone, etc. |
|
Hi @restena-sw First of all, thanks for looking into these things, it's very much appreciated. The WebAuthn implementation on Android is a little bit more complex than on desktops. This is because parts of what the client / user agent is supposed to do according to the WebAuthn specification are done in the browser app, while other parts are done in Play Services / microG. Browsers do not forward the credProps extension from the webauthn registration operation to microG. Either it is meant to be handled entirely in the browser, or not supported at all. credProps was also not part of WebAuthn L1, so maybe support for L2 is just not available to Android yet (enterprise attestation also is not supported). microG does store the keys in the Android key store, which will use TEE or SE on supported devices. Since 304c352 we also have support for the android-key attestation statement on supported devices (and android-safetynet attestation statement for unsupported devices). |
|
I believe https://github.com/microg/GmsCore/wiki/Implementation-Status needs updating to indicate partial support? |
|
Hi, |
|
Re the firefox tests on e/OS/: my bad... yes, I tried Firefox which means there is no Level 2 support - Firefox has open bugs and lots of votes on passwordless FIDO. Also on a desktop, Firefox doesn't know how to handle passwordless. I should really have run those tests with a Chromium-based browser, where Level 2 is available. So I used the e/OS/ built-in fork of Bromite, but that doesn't have any FIDO capabilities at all :-( So, for the moment, there is no way for me to test UV, resident keys or credProtect on this device. IOW: forgot what I said. FWIW, credProps is indeed part of WebAuthN Level 2, see chapter 10.4 (https://www.w3.org/TR/webauthn/#sctn-authenticator-credential-properties-extension) |
|
@restena-sw According to https://chromestatus.com/feature/5701094648840192 credProps extension support is only available on Chrome/Chromium Desktop since version 89. Mobile Chrome (and forks) are still at L1. The latest (beta) version of the official fido library for Android (available here) is dated January 2021 and does not support L2, the PR for WebAuthn L2 is dated February 2021 and Chrome 89 was released March 2021. So for now, no support for WebAuthn L2 on Android (when using the official fido library, other implementations like the Hardware Security SDK might be able to support it in case you need it). |
@luken-dev |
|
@mar-v-in |
|
I don't have a key with Bluetooth yet, so I couldn't test and thus didn't start development |
|
Meanwhile I will report whether it works or not with USB once it is arrived. |
|
@Yannik see here: #849 (comment) |
|
@mar-v-in |
|
@ale5000-git It's not directly related to FIDO code but was introduced with adding support for DroidGuard attestation for MinuteMaid account sign-up flow (which indeed is new in 0.2.25). |
|
Just confirmed that a Fairphone 3 with e/OS/ 1.5 Android 12 (microG 0.2.24.223616-101) can both register and authenticate WebAuthN with the fingerprint sensor of the device. Hooray! |
|
@restena-sw |
|
@mar-v-in |
|
Nightly is updated. I'm closing this issue now, as I feel that Bluetooth support, caBLE support and the non-browser Fido API are minor functionality (which I also probably won't tackle in near future). |
|
Hi, sorry for bringing this issue up again. I waited a long time for this feature to be implemented and I just tested v0.2.25.x and cannot get FIDO2 to work 🤔 This is me trying to log into github: It immediatly fails without a prompt. So therefore I have tried webauthn.io: Any idea what is happening? Or did I misunderstand the implemented feature? My security key is a Solokey 1 NFC. |
|
webauthn.io: If you are using a SoloKey via NFC or USB: microG only supports user verification performed on the authenticator itself, which typically means they need a fingerprint scanner. If you're using the option of using the devices screen lock, that should provide user verification. On webauthn.io you can also disable "require user verification" under advanced settings. GitHub does work for me and if it fails without a prompt, the key itself can't be the issue. Can you please provide a logcat (feel free to do a new issue for this)? |
|
@Nuc1eoN: I suggest also to try with the latest nightly build since some bugs were fixed after the release, the NFC timeout was also increased. |
Oh I did not know that! Yes you are right after unticking user verification it works ;)
Thank you I followed your suggestion and opened a new issue: #1817 |
@mar-v-in Could you clarify please: Is using a FIDO2-Token with a PIN (e.g., a yubikey) not supported at all? Or is this just something with the SoloKey? |
|
microG currently does not support FIDO2 authentication methods that require a PIN to be entered on the client (if PIN is entered on the authenticator, there is no issue, but only few authenticators support that). PIN is required for most popular security keys (incl. Yubikey and Solokey) when user verification is required, but often is optional if user verification is not required. Rule of thumb: If you need to enter your PIN when using your Yubikey for sign-in on your desktop (which typically means your browser asks for your PIN) it won't work with microG. This is the same restriction as is currently present in Play Services, as is reported in this issue in Chromium bug tracker. I'm not saying that we can't go beyond the feature set of Play Services, but it is not a primary objection of microG. If someone wants to implement this (shouldn't be too hard) I'd be happy to accept a PR. |
|
@mar-v-in Oh, that's too bad. Thank you for the explanation. |
|
Hi there, I'm on 0.2.26.223616-37 and U2F works both via NFC and USB. WebAuthn works on registration via USB but not authentication. NFC for WebAuthn doesn't work at all. Device Pixel 4a. |
|
@Chinchzilla If you can. also update microG GmsCore to v0.2.27.223616 (or higher) please. |
and others
Hey there,
I use LineageOS for MicroG on my NFC enabled phone and recently bought a Yubikey 5 NFC. While the phone does detect the Yubikey via NFC or UCB-OTG, there seems to be no support for U2F/ Fido2 / webauthn. I used the Yubico U2F demo site to test it.
If I understand correctly, this functionality is provided on stock Android with the usual Google Apps through the Google play services library, which then exposes it via an API to the mobile browser. On my device, depending on the browser I either get "The user agent does not support public key credentials" (Jelly), or I get a timeout while trying (Chrome, Firefox, Brave).
On a non LineageOS / non-microg device with the Chrome browser, the Yubico demo site works fine.
The browsers (except Jelly) all have support for U2F if I am not mistaken, so that is not the reason I think...
Are there any plans to incorporate this in MicroG? I could not find any info on it, so I'm asking here.
Thanks for any leads - and of course for MicroG in general, I appreciate it very much!
The text was updated successfully, but these errors were encountered: