webauthn.io | The source code for webauthn.io , a demonstration | Authentication library
kandi X-RAY | webauthn.io Summary
This is the source code for webauthn.io, a demonstration of the Web Authentication specification, or WebAuthn. This server provides a simple reference implementation of how to add WebAuthn to an application using the duo-labs/webauthn Go library.
Community Discussions
Trending Discussions on webauthn.io
QUESTION
I'm intending to use WebAuthn for authentication, as shown at the demo site https://webauthn.io
Turns out that Android's WebView (and its iOS counterpart) does not implement this and it is explicitly stated that this won't happen. One is referred to use a Chrome Tab instead.
But what I want to do is not to use any HTML/JavaScript for this when on a mobile device, that is, inside the App. In the app I would like to use a Java library similar to Firebase but which does provide the means to use the same account which got set up via WebAuthn, or to set up an account via the library on the App which can then later be accessed in a Browser by using WebAuthn.
I have come across AppAuth https://github.com/openid/AppAuth-Android and am unsure if this is related to WebAuthn.
My goal is to use a password- and email-less authentication system in order for users to use it on the Web via WebAuthn as well as have their App access the backend via the library on their behalf. A system that doesn't require someone to have a user account at Facebook, Google or any other provider.
I would want to avoid using a workaround like a Chrome Tab in the Android App, it should all be handled in Java and the user interaction via Fragments.
What are my options? Is FIDO2 capable of offering all that is needed to provide this? How does it relate to OAuth 2.0?
ANSWER
Answered 2019-Aug-27 at 18:13
WebAuthn is a standard for browsers, which means it can only be implemented in browsers as of today. On Android, it's indeed restricted to the browser or ChromeCustomTabs. On iOS, it may be allowed in internal webviews - but still in a web component.
There is no way to have it working with the native UI, especially because WebAuthn authentication is bound to a URI (which there isn't in a native mobile application UI).
WebAuthn and OAuth2 are not related. OAuth2 is an API access control protocol: you first get tokens on the authorization server using a web flow (except in some special cases), which typically involves an authentication and authorization process, and then consume these access tokens on an API that verifies them. WebAuthn is an authentication scheme: after initial enrolment, a user can authenticate with an authenticator without presenting a password.
The only way these two things are related is that WebAuthn can be used as an authentication scheme in the OAuth2 authentication process (instead of a password, an OTP sent by email or SMS, a push notification...).
If you want to have a single authentication process between your native application and some of your web applications on the same mobile device, the way to go is to have a unique, central authentication service which will deal with authentication and SSO (Single Sign-On). It prevents a user from having multiple accounts, registration and authentication processes.
To do that, your native mobile application has to use it too - and therefore use web authentication. AppAuth is a library that allows doing such a thing, and uses the OAuth2 protocol (and therefore provides OAuth2 access tokens, to access APIs). Since your native application has no data within itself, but needs to retrieve data somewhere (probably an API), that might be what you want. But you can't achieve SSO with fragments as far as I know, because any non-ChromeCustomTab component will not share cookies outside of the application.
QUESTION
I have tried my firefox 62 and chromium on various webauthn examples and I could not make any of them work. Are those supposed to work without special hardware? I activated security.webauth.webauthn_enable_softtoken in about:config. Though I can't find much documentation on what exactly it does. Is webauthn ever supposed to work without special hardware?
ANSWER
Answered 2018-Oct-13 at 19:56
Well, WebAuthn is evolving technology. Supported only in Firefox/Chrome Desktop and Chrome Mobile browsers.
You'll need some U2F stuff like https://www.yubico.com/products/yubikey-for-mobile/ or AddOns like https://krypt.co/
QUESTION
I am doing a presentation on the FIDO2/Webauthn standard in a few days and I was excited to see this article on Yubico's website stating that Apple has added support for FIDO authentication via NFC like Android has for years. I had a few of my colleagues go to the various Webauthn test sites out there (webauthn.me, webauthn.io etc) on a newer device running iOS 13.1 but they all display errors stating that the browser is not supported (both safari and chrome). Is there something you have to do to enable this functionality or are we waiting for an update from Apple to enable the feature?
ANSWER
Answered 2020-Mar-16 at 21:03
UPDATE: Starting with iOS 13.3, WebAuthn support is added in Safari. WebAuthn compatible security keys using NFC, Lightning or USB should work with current implementations of the API. I have been able to verify this using my Yubikey 5Ci using Lightning.
Original answer: At the moment, there is no support for the WebAuthn API in iOS/iPadOS and there is also no method to enable it. As far as I know, FIDO authentication on iOS currently only works for apps that have integrated it.
On this page you can see exactly what browsers support the WebAuthn API (or any other web API) at the moment.
QUESTION
When using WebAuthN (https://w3c.github.io/webauthn/) to authenticate, is it possible to hide certain authentication options?
For example, when testing on webauthn.io, my android device shows available authentication types like hardware keys, Bluetooth, and fingerprint. Is it possible for me to configure it somehow to not accept hardware keys and bluetooth.
Also, when selecting and using my fingerprint to login, if I force it to fail by using the wrong finger, it defaults to then asking for my unlock pattern and if I enter my unlock pattern, I still get a success. In my opinion an unlock pattern is not secure as a dirty screen leaves the pattern on the screen with a smudge mark. Also parents give the pin to children. Can I stop this behaviour and if the fingerprint fails error instead?
ANSWER
Answered 2020-Feb-13 at 09:20
Not an expert but this is what I discovered when I recently implemented WebAuthn/FIDO2 support in our identity provider:
- authenticatorSelection.authenticatorAttachment - When you create the request for navigator.credentials.create() you can specify whether it should use platform (i.e. built-in biometric/PIN) or cross-platform (e.g. an external USB/BT/NFC device). Note this just gives the user agent a hint about what you're after.
- authenticatorSelection.userVerification - set this to required and it will require the use of an additional factor beyond mere verification of presence, i.e. a PIN or biometric challenge.
- Attestation - A FIDO2 compliant device can provide attestation information that can be verified via the Metadata Service. This will expose the capabilities of the device and you can base policy on that. E.g. you could insist that it must use tamperproof hardware to protect the private key.
- Authentication result - can provide information about how the user was verified so you could build a policy around that. The spec for this extension is here: https://www.w3.org/TR/webauthn/#sctn-uvm-extension
The recommendation is not to specifically black/white-list devices yourself but the MDS does support revocation of certification and that should be respected by relying parties.
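The authenticatorSelection policy from the answer above, together with the check a relying party has to make on the returned authenticator data, as an added example (not code from webauthn.io or the duo-labs/webauthn library; the rp and user values and the sample authenticator data are constructed):

```javascript
// Added example (not from webauthn.io or the duo-labs/webauthn library): the
// creation-options policy the answer describes, plus the relying-party check that
// the returned authenticator data really carries the UV flag. rp/user are constructed.
function buildCreationOptions(challenge) {
  return {
    rp: { id: "example.test", name: "Example RP" },
    user: { id: Uint8Array.from([1, 2, 3, 4]), name: "alice", displayName: "Alice" },
    challenge,
    pubKeyCredParams: [{ type: "public-key", alg: -7 }],   // ES256
    authenticatorSelection: {
      authenticatorAttachment: "platform",   // hint only: built-in biometric/PIN
      userVerification: "required",          // presence alone must not pass
    },
    attestation: "direct",                   // so the RP can check the device against MDS
  };
}

// Authenticator data layout: rpIdHash (32 bytes), flags (1 byte), signCount (4 bytes, big-endian), ...
const FLAG_UP = 0x01, FLAG_UV = 0x04, FLAG_AT = 0x40;

function parseAuthDataFlags(authData) {
  if (authData.length < 37) throw new Error("authenticator data too short");
  const flags = authData[32];
  const signCount = new DataView(authData.buffer, authData.byteOffset + 33, 4).getUint32(0);
  return {
    userPresent: (flags & FLAG_UP) !== 0,
    userVerified: (flags & FLAG_UV) !== 0,
    attestedCredentialData: (flags & FLAG_AT) !== 0,
    signCount,
  };
}

// The request option is only a hint to the user agent, so the RP enforces the
// policy on the response: reject it when UV was required but the flag is clear.
function checkUserVerification(authData, policy) {
  const f = parseAuthDataFlags(authData);
  if (!f.userPresent) return { ok: false, reason: "UP flag not set" };
  if (policy === "required" && !f.userVerified) return { ok: false, reason: "UV required but not performed" };
  return { ok: true, reason: "" };
}

// Constructed authenticator data: zeroed rpIdHash placeholder, given flags, signCount 7.
function sampleAuthData(flags) {
  const a = new Uint8Array(37);
  a[32] = flags;
  a[36] = 7;
  return a;
}
```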
QUESTION
The web authn standard is coming and it works great on my phone.
However when trying on my browser on computer I get
I would assume we should somehow be able to link our phone with the browser so the phone gets prompted... How can we do this?
A cool and well crafted demo: https://webauthn.me/
edit sep 2019: I also like https://webauthn.io/
ANSWER
Answered 2019-Mar-05 at 05:07
Portability is not part of the standard according to the people who created it. I guess it's gonna be useless without being able to use it on different devices. So you're out of luck right now.
QUESTION
I am able to send GET_INFO to webauthn.io. After that, I am able to read the MAKE_CREDENTIAL request partially. The total MAKE_CREDENTIAL data length is 400+. But I am getting just 90+ bytes. I am not getting the entire request for MAKE_CREDENTIAL.
The request I have received is
[-125, 1, 95, 1, -91, 1, 88, 32, 75, 1, 9, -33, -61, -39, 69, -54, -3, 113, -4, -77, 29, 83, 121, 14, -83, -123, 70, -121, -15, -106, -17, 121, 107, -118, -7, 32, -44, -74, 71, 20, 2, -94, 98, 105, 100, 107, 119, 101, 98, 97, 117, 116, 104, 110, 46, 105, 111, 100, 110, 97, 109, 101, 107, 119, 101, 98, 97, 117, 116, 104, 110, 46, 105, 111, 3, -93, 98, 105, 100, 74, -44, -98, 1, 0, 0, 0, 0, 0, 0, 0, 100, 110, 97, 109, 101, 100, 117, 115, 101]
As per the length data, the total bytes should be 405. But I am receiving just 94 bytes. I debugged and analysed the code, but I couldn't figure out the issue.
Please help me to proceed. Thanks in advance.
ANSWER
Answered 2019-Jul-04 at 06:16
Please check this spec
When WebAuthn reads the Control Point Length characteristic, you should return MTU - 3 bytes. Later, whenever WebAuthn wants to send data to the authenticator, WebAuthn will split the data into many chunks whose length will be equal to or less than MTU - 1. The frame you received is just the first frame. There will be many more frames after that, and you should handle them.
Note:
The 3 in MTU - 3 is three bytes: the MSG byte, HLEN byte and LLEN byte
The 1 in MTU - 1 is the serial number of each packet
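The framing the answer describes, reassembled on the authenticator side, as an added example (not code from webauthn.io or its duo-labs Go library): the initialization fragment carries the MSG byte, HLEN and LLEN and at most MTU - 3 data bytes, every continuation fragment carries a sequence byte and at most MTU - 1 data bytes. The MTU and the sample payload are constructed; 0x83 is the CTAP BLE MSG command byte that appears as -125 in the question.

```javascript
// Added example (not code from webauthn.io or its duo-labs Go library): reassembling a
// CTAP-over-BLE request from the fragments the answer describes. The MTU and the
// sample payload are constructed; 0x83 is the CTAP BLE MSG command byte seen above.
const CMD_MSG = 0x83;

// Client-side split: an initialization fragment (CMD, HLEN, LLEN, up to MTU-3 data
// bytes) followed by continuation fragments (SEQ byte, up to MTU-1 data bytes).
function fragment(cmd, payload, mtu) {
  const frames = [];
  const first = payload.subarray(0, mtu - 3);
  frames.push(Uint8Array.from([cmd, payload.length >> 8, payload.length & 0xff, ...first]));
  let seq = 0;
  for (let off = first.length; off < payload.length; off += mtu - 1) {
    frames.push(Uint8Array.from([seq++ & 0x7f, ...payload.subarray(off, off + mtu - 1)]));
  }
  return frames;
}

// Authenticator side: feed each frame as it arrives. Returns {cmd, data} once the
// declared length has been received, null while more continuation frames are due.
class BleReassembler {
  constructor() { this.reset(); }
  reset() { this.cmd = null; this.expected = 0; this.chunks = []; this.got = 0; this.seq = 0; }
  feed(frame) {
    if (frame[0] & 0x80) {                        // initialization fragment (command bit set)
      if (frame.length < 3) throw new Error("initialization frame shorter than header");
      this.reset();
      this.cmd = frame[0];
      this.expected = (frame[1] << 8) | frame[2];  // HLEN, LLEN
      this.push(frame.subarray(3));
    } else {                                      // continuation fragment: SEQ then data
      if (this.cmd === null) throw new Error("continuation before initialization");
      if (frame[0] !== this.seq) throw new Error(`sequence ${frame[0]}, expected ${this.seq}`);
      this.seq = (this.seq + 1) & 0x7f;
      this.push(frame.subarray(1));
    }
    if (this.got < this.expected) return null;    // first frame alone is not the message
    const data = new Uint8Array(this.expected);
    let off = 0;
    for (const c of this.chunks) { data.set(c, off); off += c.length; }
    const out = { cmd: this.cmd, data };
    this.reset();
    return out;
  }
  push(bytes) {                                   // refuse more bytes than HLEN/LLEN declared
    if (bytes.length > this.expected - this.got) throw new Error("fragment exceeds declared length");
    this.chunks.push(bytes);
    this.got += bytes.length;
  }
}
```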
QUESTION
The following strings are different for server-generated and client-generated challenges:
- + -> -
- / -> _
- = -> (empty space)
Why do we need to do substitution to solve this?
Source code used for reference.
ANSWER
Answered 2019-May-30 at 13:17
It looks like the difference between the plain Base64 encoding and Base64 URL, and padding vs. no padding options (trailing =s). The latter is safe to use in URLs, contrary to the former. See also https://en.wikipedia.org/wiki/Base64#URL_applications
Webauthn requires using Base64 URL encoding while some functions (such as javascript's atob or btoa) use the plain Base64 encoding scheme, hence the need to convert from one to another.
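The conversion the answer describes in both directions, as an added example (not code from webauthn.io): it reverses the three substitutions listed in the question, restores the = padding that atob needs, and rejects input that is not Base64URL. It falls back to Buffer when atob/btoa are not available.

```javascript
// Added example (not from webauthn.io): Base64URL <-> bytes for WebAuthn challenges
// and credential IDs, on top of the plain-Base64 atob/btoa the answer mentions.
const b64decode = typeof atob === "function" ? atob : (s) => Buffer.from(s, "base64").toString("binary");
const b64encode = typeof btoa === "function" ? btoa : (s) => Buffer.from(s, "binary").toString("base64");

// Base64URL string -> Uint8Array: undo the - and _ substitutions, re-add the
// padding that was stripped, then let the plain decoder do the work.
function base64UrlToBytes(s) {
  if (!/^[A-Za-z0-9_-]*$/.test(s)) throw new Error("input is not Base64URL");
  let b64 = s.replace(/-/g, "+").replace(/_/g, "/");
  const rem = b64.length % 4;
  if (rem === 1) throw new Error("invalid Base64URL length");   // no valid encoding has 1 leftover char
  if (rem) b64 += "=".repeat(4 - rem);
  return Uint8Array.from(b64decode(b64), (c) => c.charCodeAt(0));
}

// Uint8Array -> Base64URL string: plain Base64, then the substitutions from the
// question and removal of the trailing = padding.
function bytesToBase64Url(bytes) {
  let bin = "";
  for (const b of bytes) bin += String.fromCharCode(b);
  return b64encode(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
```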
QUESTION
I am not an android developer and stuck at an android thing. I hope someone here can help me out.
I am implementing WebAuthn/FIDO2 on my website, which is working perfectly fine with the browsers. But when I open my website in my android app (android.webkit.webview), it gives me the error
ANSWER
Answered 2019-May-22 at 14:48
Simply put: it is not and won't be implemented in Android Webview (source), for security reasons.
So as to use WebAuthn from your application, you have to redirect to the browser, either directly or using SFSafariViewController (iOS) or Android Custom Tab (Android) as explained in RFC8252 - Appendix B.
Community Discussions, Code Snippets contain sources that include Stack Exchange Network
Vulnerabilities
No vulnerabilities reported