Support for FIDO2 / WebAuthN

  • /e/ version: 0.18-r
  • Device model(s): Fairphone FP3
  • Device rooted: no (bootloader locked)

Summary

Using a browser with FIDO2/WebAuthN authentication support (e.g. Firefox, Chrome) does not successfully authenticate against device backing (PIN or fingerprint) despite browser APIs being told by the OS that FIDO2/WebAuthN is supported.

The problem

Murena cloud offers a way to log in with FIDO2, but we cannot use it with /e/OS.

Visit https://webauthn.io with a browser that supports FIDO2/WebAuthN. Note how there is no warning that the protocol is not supported - the webpage invites you to register a test account with FIDO2.

Enter an arbitrary username and push Register.

Current behaviour is that pushing the "Register" button does nothing. It should instead display the browser's built-in "tap device now" dialog, and subsequently call the device backing to execute the FIDO2 transaction and authenticate the user.

Technical information

[Screenshot: Screenshot_20211005-094137_Firefox]

Solutions

There is no workaround.

A discussion on the tester Telegram channel revealed that the solution can be "anywhere" OS-side. There is some needed glue that connects the API calls from the browser to the actual backing (fingerprint sensor or PIN lock handler).

  • as the same functionality is in Play Services usually, this glue could be in microG (see microG bug 849)
  • but the Chromium ticket linked to in that report makes clear there is no technical reason why this couldn't be directly in AOSP code - it's just not happening
  • by corollary, if it could be in AOSP then it could also be native LineageOS functionality
  • the most realistic option is also hinted at in that bug 849: create an app that calls a GPLv3 library, and have microG call that app. It's the most clumsy approach of all, but leverages the (only?) existing open source library for that purpose
Edited by Aude M
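
One way to turn the symptom in this report (API advertised, "Register" does nothing) into a recordable result, as an added example that is not part of the original report or of any project's code. The names `probeWebAuthn` and `classify`, the `env` parameter and the probe's relying-party and user values are assumptions made for the example; the calls used are the standard WebAuthn browser API.

```javascript
// Added diagnostic, not from the original report. `env` is a window-like
// object: pass `window` in a browser. Function names are hypothetical.
async function probeWebAuthn(env, timeoutMs = 10000) {
  const probe = { apiPresent: false, platformAuthenticator: false,
                  createOutcome: "skipped", errorName: null };
  const PKC = env.PublicKeyCredential;
  const creds = env.navigator && env.navigator.credentials;
  if (typeof PKC !== "function" || !creds || typeof creds.create !== "function") {
    return probe; // browser does not advertise WebAuthn at all
  }
  probe.apiPresent = true;
  // Does the OS claim a PIN/fingerprint-backed authenticator?
  if (typeof PKC.isUserVerifyingPlatformAuthenticatorAvailable === "function") {
    probe.platformAuthenticator =
      await PKC.isUserVerifyingPlatformAuthenticatorAvailable().catch(() => false);
  }
  const publicKey = {
    // Local random challenge: enough for a probe, a real site gets it from its server.
    challenge: env.crypto.getRandomValues(new Uint8Array(32)),
    rp: { name: "WebAuthn probe" },
    user: { id: new Uint8Array(16), name: "probe", displayName: "probe" },
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    timeout: timeoutMs,
  };
  let timer;
  const watchdog = new Promise((resolve) => {
    timer = setTimeout(() => resolve("timeout"), timeoutMs * 1.5);
  });
  try {
    // Race the ceremony against a watchdog so a silent no-op becomes visible.
    probe.createOutcome = await Promise.race([
      creds.create({ publicKey }).then(() => "created"), watchdog]);
  } catch (e) {
    probe.createOutcome = "error";
    probe.errorName = (e && e.name) || "UnknownError";
  } finally {
    clearTimeout(timer);
  }
  return probe;
}

// Pure classifier so the verdict can be logged or attached to a bug report.
function classify(p) {
  if (!p.apiPresent) return "unsupported: no WebAuthn API exposed";
  if (p.createOutcome === "timeout") return "broken: API advertised, create() never completed";
  if (p.createOutcome === "error") return "failed: create() rejected with " + p.errorName;
  return p.platformAuthenticator ? "ok: platform authenticator available"
                                 : "ok: credential created, no platform authenticator reported";
}
```

In a browser console on an HTTPS page, `probeWebAuthn(window).then(p => console.log(classify(p), p))` prints the verdict together with the raw probe fields.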