StrongKey Android Client Sdk - FIDO Certification

Question

StrongKey Android Client Sdk - FIDO Certification

mani516 opened this issue 3 years ago · comments

Hello Arshad & Team,

I tried the sample android application which uses StrongKey Android Client Library (the SACL).

Looks like, the sacl solution is not built for the fido certification. Is there any reason for that? Or you guys have any plans to make one?

Arshad Noor · Answer 1 · Fri Jun 18 2021 00:52:19 GMT+0800 (China Standard Time)

We do plan to go for certification, Manikanta. But, we're waiting on a couple of things to happen first: 1) We need to complete the SACL and we're looking for an iOS developer to work on a StrongKey iOS Client Library so we can go for certification of both libraries simultaneously; 2) I don't believe the FIDO Certification process has a test for Android Key Attestation (AKA) yet since no one had implemented FIDO2 for Android; the attestation Google's API produce is the SafetyNet attestation - which does not provide the same level of assurance as the AKA (SafetyNet only provides assurances about OS level security, while AKA provides hardware-level security details as well as a guarantee that the keys were generated in either the TEE or with a Secure Element). We do plan to go for certification, but have many things to do with the FIDO server and this library still (WebAuthn Level-2 implementation is our focus for the next quarter as well as getting SACL to become a production release). What is your use-case, out of curiosity?

…

On 6/17/21 8:01 AM, Manikanta B wrote: Hello Arshad & Team, I tried the sample android application which used StrongKey Android Client Library (the SACL). Looks like, the sacl solution is not built for the fido certification. Is there any reason for that? Or you guys have any plans to make one? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#139>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/ABWSVTT7765QBCQTWIVCKXLTTIE4DANCNFSM4633O2IQ>.

Manikanta B · Answer 2 · Fri Jun 18 2021 11:07:40 GMT+0800 (China Standard Time)

Thanks for the quick response Arshad.

We have developed an enterprise security solution, using which the organizations can provide logins and authorizations, for eg: GSuite logins for their employees. All they have to do is to install our mobile app and do initial setup using an Invite Code (provided by the org-admin) etc. Once the initial setup is done, the app can be used to login into gsuite apps by entering a pin or verifying the biometrics.

The communication between relying party application, wed/mobile (where the login happens) and our app is based on push notification or a qr scan. Internally we use PKI and AndroidKeyStore - android side. The overall solution is quite similar to FIDO recommendations. But many changes are needed for the compliance to be in line with the proposed protocols.

So now, we want to go for fido certification, for both Server and Client. The goal is to have

Fido certified server (UAF & FIDO2)
Fido certified client sdk for Android - client/authenticator - UAF - Functional and then Level 1.
Fido certified client sdk for iOS - client/authenticator - UAF - Functional and then Level 1.

Manikanta B · Answer 3 · Thu Jun 24 2021 15:04:59 GMT+0800 (China Standard Time)

Hey Arshad,

So you have any idea about how to make a FIDO compliant android client and authenticator sdk? Can you atleast refer to some resources to get started or to have an overall idea on how such implementation would look like?

I can only see Servers and Authenticators which got certified for FIDO2 protocol (no Clients). But there are many Client, Client/Authenticator Combo Sdks which got certified for UAF1.0, UAF 1.1.

So if I want to make a FIDO compliant Client, Authenticator Sdk, I should only choose UAF protocol and not FIDO2? And this would require a UAF server. Since FIDO2 doesnt support UAF?

Ankit Patel · Answer 4 · Thu Jun 24 2021 19:11:39 GMT+0800 (China Standard Time)

You're welcome to check out our StrongKey Android Client Library (SACL), Manikanta. Not sure if you want to reinvent this wheel or choose to work with us on a support contract (that is how we make money on our FOSS FIDO implementations) to get guaranteed SLAs. https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl It hasn't been certified yet, but it is in our roadmap for next year. WRT UAF, it is a capable protocol for a mobile device - but with the exception of a few companies who invested in it before FIDO2 was standardized, there is little interest in UAF in the marketplace. One reason is because it is not compatible with FIDO2.

…

On 6/24/21 12:05 AM, Manikanta B wrote: Hey Arshad, So you have any idea about how to make a FIDO compliant android client and authenticator sdk? Can you at least refer to some resources to get started or to have an overall idea on how such implementation would look like? I can only see Servers and Authenticators which got certified for FIDO2 protocol (no Clients). But there are many Client, Client/Authenticator Combo Sdks which got certified for UAF1.0, UAF 1.1. So if I want to make a FIDO compliant Client, Authenticator Sdk, I should only choose UAF protocol and not FIDO2? And this would require a UAF server. Since FIDO2 doesnt support UAF? — You are receiving this because you are subscribed to this thread. Reply to this email directly, view it on GitHub <#139 (comment)>, or unsubscribe <https://github.com/notifications/unsubscribe-auth/AT42KL4YEAO473R2W4PBA4LTULKKLANCNFSM4633O2IQ>.