Can we make a Solo SoftKey? #460
Comments
WebAuthn on Android works with fingerprint. You can test it with a test page and Google Chrome on an Android phone. A software authenticator can't be secure enough... because there are many ways to grab RAM from another thread/process/DLL injection/ring-0 access/etc. Arduino UNO has another CPU https://en.wikipedia.org/wiki/Arduino_Uno Good idea to use the phone and its security layer as a FIDO2 authenticator..... but I don't see here a place for code from this repository)
BTW.
@merlokk I see. My main thing is, okay, I have a key, but I want it as a backup key. I do not want to move and go press a button on my PC or USB hub. I want to emulate a key based on biometrics or something else, from my desktop or mobile. The security issue that you have stated could occur with software when they are cached or saved. But what about if it mimics the HID as if it is a virtual HID FIDO device? I see that now, on the latest updates, Android shows a FIDO security key Bluetooth button in the notification panel, which is used by Google at least for now. So from my PC, via Bluetooth, Gmail sends a notification to my phone for authentication. Which could be neat if it could be used by other websites, like website -> key popup -> solo ble -> android. Here solo ble interprets the Android response and sends it back to the OS as a virtual HID result. I mean, I'm not a system level programmer so I do not know if this is just plain stupid or not. But something based on GitHub's soft key plus Solo.
However, I'm not sure what you are trying to do.
@coelner I think you are understanding it wrong. Here check this google link. Now do you understand what I am saying? I have a FIDO Key hyper fido mini. Let me clear some things here.
Here are some screenshots of this Bluetooth Service on my phone (Huawei Honor Play, Android 9). Now in respect to this + GitHub's MacOS SoftKey: why can't we use Windows' or Android's built-in key generation for CTAP2? I mean this: I work from home, so why should I reach out to my PC to click a button when I can do it from my PC or phone? I know some might say it's useless or not secure enough or something else. But it's perspective. I mean, why not? I carry my key if I go to the office. I should have a soft + hard key option. Have you heard of Card-Less ATM? People might say why? But, why not? And I know this might not work on Azure or other platforms like Microsoft. But I feel it is a starting point in unifying stuff. Why should I buy another piece of hardware which I definitely have to replace in a few years to update security, and carry multiple things with me?
Yeah, you know, the features in Android / Windows are based on a crypto device. You need to interact with the hardware device (separate dongle, smartphone, integrated whatsoever in the x86) to legitimate a specific transaction. Otherwise you could use a simple Arduino Uno which parses a static string. As I understand, you are too lazy to reach this button. Use an esp8266 and build a button remote. (The hyper fido mini device can be opened; it contains an Infineon chip, but the button could be triggered by an esp8266 GPIO. E.g. use two of the esp8266 and the espnow implementation, maybe similar to this https://revspace.nl/EspNowSkip ) The hyper fido mini is only FIDO (aka U2F aka CTAP1), not FIDO2 (aka CTAP2). The same is true for MacOS SoftKey; it is only U2F.
No, it's not just that. It's the inconvenience of plugging it into the desktop and mainly the cost of FIDO2 devices in India.
Cuz, I can't no one supports it except google. I can't seem to find any API on Android for that.
I will try that, I haven't got time to fiddle with this. I thought someone else might have already done it so I opened an issue here first. Weird thing is, if you check this flow diagram, it states internal authenticator, but there is no mention in the docs.
I think you need to dig into the Google service API; it is not an AOSP feature. Yes, it says internal authenticator... like a crypto chip which is certified by the FIDO Alliance.
Hi, I am kinda new to this CTAP and stuff. I have been researching for a few days now. I couldn't find a software authenticator. Close to what I am asking for is this library by GitHub, SoftKey, which is only for MacOS. I currently have a U2F key but it is not supported by Microsoft Azure Login.
Also, I want the flexibility of using the nearest device to authenticate instead of pushing a button on my key.
I have a few doubts and ideas. I hope someone can clear my doubts and correct me. Thank you.
Idea
Doubts
Thank you for helping me here.