
If you attempt to log in to GitHub on mobile web, it automatically detects that it's a mobile device and lets you authenticate using an NFC key. I cannot find any documentation for implementing NFC 2FA for mobile web; does anyone know how this is done?

Thanks, Kevin

Update:

I have found the vocabulary word for this - it's "WebAuthn", and apparently there is a way for WebAuthn to use a U2F device that was registered on a desktop web site on a mobile web site using mobile NFC. I've added the tag in the hopes that someone can help.


1 Answer

So first of all, remember "WebAuthn is a standard for browsers". It is shipped in all major browsers as an application programming interface (API) that allows users to log in to their accounts using roaming authenticators like security keys (USB keys that support NFC, USB or BLE), platform authenticators like Windows Hello or Touch ID, or it even allows users to use the screen lock or fingerprint on Android OS 7+. WebAuthn supports the following authentication flows:

  • First-factor
  • Second-factor
  • Multi-factor Authentication

A similar question was asked here; you can have a look at it.

For Android, Google provides a FIDO2 API that acts as a WebAuthn client and allows developers to register/authenticate users using fingerprint or screen lock.

Link for the Android FIDO2 API: https://developers.google.com/identity/fido/android/native-apps

You can get further information by reading the W3C specifications:

https://www.w3.org/TR/webauthn

A gentle introduction to WebAuthn by Yuri Ackermann

https://medium.com/@herrjemand/introduction-to-webauthn-api-5fd1fb46c285

An example from a Google Codelab for an Android app + web application:

https://codelabs.developers.google.com/codelabs/webauthn-reauth/index.html

I hope this helps you; if you have any questions please let me know.

  • Thanks for your reply, but what I'm really trying to figure out is 2 specific things - 1) if you add a U2F device via USB on a desktop, how is it that GitHub mobile web can read the NFC from that device without ever having registered it with NFC, and 2) how do you render the native mobile (Android) interface to buzz your NFC? Note: I'm looking for web only; I have a desktop web app that has a responsive design, so it runs in a mobile web browser. – user1130176 Dec 09 '19 at 23:55
  • PART1: Hi @user1130176. You don't need to register with NFC or Bluetooth; it is the transport that is used by the security to communicate with your security key. For your first question, the answer lies in the FIDO2 CTAP protocol family. In simple words, these security keys have some kind of transport channels through which they communicate, which can be either USB, Bluetooth, or NFC. – Dumb Dec 10 '19 at 22:20
  • PART2: It is completely abstracted from you; the security keys should have support for it and the browser or sometimes the platform (OS) takes responsibility for communicating with your security key. That's why on mobile you get a pop-up to select how you want to register or log in, and the client does the rest of the stuff. For your question 2 I am sorry, but I didn't get it; can you rephrase it again? – Dumb Dec 10 '19 at 22:21
  • Thanks for your help so far. For question 2, what is the HTML or JavaScript that tells the Android device that it should take over the link and show the system interface for NFC? Once the system interface for NFC returns, how does the web app know how to process the results? – user1130176 Dec 13 '19 at 00:19
  • 1
    @user1130176 it's the Webauthn Javascript API that provides those capabilties. Your application would request a credential via the navigator.credentials.get() API and validate the result (serverside) or handle any resulting errors (client side). The transport used is up to the browser and end user to decide. A key registered using USB can be used via NFC, assuming it supports both. – mackie Dec 15 '19 at 17:50
  • @mackie thanks for your reply. Do you know if the U2F registration process generates a public key that is consumable by the webauthn authorization process? In other words on a web page from a desktop, when the user presents their FIDO key, can that same credential be used during another session from a mobile device using NFC? – user1130176 Dec 17 '19 at 11:52
  • @user1130176 correct - when they register the device you'd store the public key and credential ID (along with a few other bits of info like the signature counter) against the user account. That information is held centrally and is not tied to the host device that was used to register the key (unless of course the key is built-in). The user is then free to use that security key over any transport it supports. E.g. I can register my YubiKey via USB on my PC and then use it via NFC on my phone. – mackie Dec 17 '19 at 13:07
  • This project is worth a look even if not using .Net: https://github.com/abergs/fido2-net-lib – mackie Dec 17 '19 at 13:08
  • Also, you mention U2F (and your other question is explicitly about U2F), but you can of course register U2F-compliant devices via the WebAuthn API too - FIDO2 and CTAP2 offer backwards compatibility. This also means that credentials registered using U2F can be used via WebAuthn. Given WebAuthn and FIDO2 are now ratified and widely supported, you can consider U2F to be effectively obsolete now. – mackie Dec 17 '19 at 15:39
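The client-side flow the answer and comments describe (the web page calls navigator.credentials.get() with the user's registered credential IDs, the browser/OS shows its own transport prompt such as Android's NFC UI, and the assertion is posted to the server for signature verification), as an added example that is not part of the original answer or any project's code. The endpoint paths /webauthn/login/options and /webauthn/login/verify and the server JSON shape are assumptions; the transports list is what lets a key registered over USB on a desktop be tapped over NFC on a phone.

```javascript
// Added example (not from the original answer). Server endpoint names and
// the JSON shape { challenge, rpId, credentialIds } are hypothetical.

// WebAuthn hands the page ArrayBuffers; the server speaks base64url JSON.
function base64urlToBytes(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob((s + pad).replace(/-/g, "+").replace(/_/g, "/"));
  return Uint8Array.from(bin, (c) => c.charCodeAt(0));
}
function bytesToBase64url(buf) {
  const bin = String.fromCharCode(...new Uint8Array(buf));
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Build PublicKeyCredentialRequestOptions from the server's login challenge.
// allowCredentials lists the credential IDs stored at registration (USB on a
// desktop, say); the browser picks whichever transport the key answers on.
function buildRequestOptions(serverOptions) {
  return {
    challenge: base64urlToBytes(serverOptions.challenge), // fresh per login
    rpId: serverOptions.rpId,
    timeout: 60000,
    userVerification: "discouraged", // second factor: user presence is enough
    allowCredentials: serverOptions.credentialIds.map((id) => ({
      type: "public-key",
      id: base64urlToBytes(id),
      transports: ["usb", "nfc"], // same credential, any transport it supports
    })),
  };
}

// Encode the assertion so the server can check the signature, the challenge
// inside clientDataJSON and the signature counter against the stored public key.
function serializeAssertion(cred) {
  const r = cred.response;
  return {
    id: cred.id,
    rawId: bytesToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bytesToBase64url(r.clientDataJSON),
      authenticatorData: bytesToBase64url(r.authenticatorData),
      signature: bytesToBase64url(r.signature),
      userHandle: r.userHandle ? bytesToBase64url(r.userHandle) : null,
    },
  };
}

// Browser entry point: the OS prompt (e.g. Android's NFC sheet) appears inside get().
async function loginWithSecurityKey(credentials = navigator.credentials) {
  const serverOptions = await (await fetch("/webauthn/login/options")).json();
  const cred = await credentials.get({ publicKey: buildRequestOptions(serverOptions) });
  const res = await fetch("/webauthn/login/verify", {
    method: "POST", headers: { "Content-Type": "application/json" },
    body: JSON.stringify(serializeAssertion(cred)),
  });
  return res.ok; // the server, not the page, decides whether the login succeeded
}
```

A NotAllowedError from get() (user cancelled, timeout, or no listed credential present on the tapped key) is the client-side failure to handle; everything cryptographic is verified server side.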