Support for FIDO2 / WebAuthN
- /e/ version: 0.18-r
- Device model(s): Fairphone FP3
- Device rooted: no (bootloader locked)
Summary
Using a browser with FIDO2/WebAuthn support (e.g. Firefox, Chrome), authentication against the device's backing authenticator (PIN or fingerprint) never completes, even though the OS reports to the browser APIs that FIDO2/WebAuthn is supported.
The problem
Murena Cloud offers login with FIDO2, but it cannot be used from /e/OS.
Visit https://webauthn.io with a browser that supports FIDO2/WebAuthn. Note that there is no warning that the protocol is unsupported: the page invites you to register a test account with FIDO2.
Enter an arbitrary username and press Register.
Current behaviour: pressing the "Register" button does nothing. Expected behaviour: the browser's built-in "tap device now" dialog appears, and the browser then calls the device backing to execute the FIDO2 transaction and authenticate the user.
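The reproduction above boils down to a relying party calling navigator.credentials.create() and the promise never settling. The following is an added example, not code from this report, from webauthn.io or from /e/OS: it shows how a page detects platform-authenticator support (the check that /e/OS answers positively), builds the registration options, and wraps the create() call in its own deadline so a stuck ceremony surfaces as a timeout instead of a silently dead button. The browser objects are passed in as parameters so the code also runs under Node; the rpId, user id and the "never settles" authenticator stub are constructed stand-ins.

```javascript
// Added example (not from the /e/OS issue, webauthn.io or /e/OS code).
// Relying-party side of a WebAuthn registration, written so that the
// browser objects (window, navigator.credentials) are injected, which
// lets the failure mode from this report be reproduced with a stub.

// Build PublicKeyCredentialCreationOptions for a platform authenticator
// (device PIN / fingerprint). `challenge` must be a fresh random
// Uint8Array generated server-side; `rpId` and `userId` are assumed values.
function buildCreationOptions(challenge, rpId, username, userId) {
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: username, displayName: username },
    pubKeyCredParams: [
      { type: 'public-key', alg: -7 },   // ES256 (COSE algorithm id)
      { type: 'public-key', alg: -257 }, // RS256
    ],
    authenticatorSelection: {
      authenticatorAttachment: 'platform', // the device itself, not a USB key
      userVerification: 'required',        // PIN / biometric must be checked
      residentKey: 'preferred',
    },
    timeout: 60000,
    attestation: 'none',
  };
}

// Feature detection as a page would do it. `win` is the window object or
// a stand-in. Resolves to 'no-webauthn', 'no-platform-authenticator' or
// 'platform-available'. On /e/OS the report says this path answers
// 'platform-available' even though the ceremony then never completes.
async function detectSupport(win) {
  const pkc = win.PublicKeyCredential;
  if (!pkc || !win.navigator || !win.navigator.credentials) return 'no-webauthn';
  if (typeof pkc.isUserVerifyingPlatformAuthenticatorAvailable !== 'function') {
    return 'no-platform-authenticator';
  }
  const available = await pkc.isUserVerifyingPlatformAuthenticatorAvailable();
  return available ? 'platform-available' : 'no-platform-authenticator';
}

// Run the registration ceremony under our own deadline. Outcomes:
//   { outcome: 'ok', credentialId }   create() resolved
//   { outcome: 'error', name }        create() rejected (e.g. NotAllowedError)
//   { outcome: 'timeout' }            create() never settled within `ms`
// The last case is what a page sees on the affected device; the page can
// then offer a fallback login method instead of appearing frozen.
function registerWithTimeout(credentials, publicKey, ms) {
  let timer;
  const deadline = new Promise((resolve) => {
    timer = setTimeout(() => resolve({ outcome: 'timeout' }), ms);
  });
  const attempt = credentials
    .create({ publicKey })
    .then((cred) => ({ outcome: 'ok', credentialId: cred.id }))
    .catch((err) => ({ outcome: 'error', name: err && err.name }));
  return Promise.race([attempt, deadline]).finally(() => clearTimeout(timer));
}

// Constructed stand-ins (not real browser objects).
// 1) An authenticator backing whose create() never settles: the behaviour
//    described in this report.
const stubCredentialsNeverSettles = { create: () => new Promise(() => {}) };
// 2) A backing that completes normally.
const stubCredentialsOk = {
  create: async () => ({ id: 'constructed-credential-id' }),
};
// 3) A window-like object that advertises a platform authenticator but is
//    wired to the stuck backing, mirroring the OS claim vs. reality gap.
const stubWindowLikeReport = {
  navigator: { credentials: stubCredentialsNeverSettles },
  PublicKeyCredential: {
    isUserVerifyingPlatformAuthenticatorAvailable: async () => true,
  },
};

// Stand-alone demo: support is reported, the ceremony times out.
const demoOptions = buildCreationOptions(
  new Uint8Array(32), 'example.test', 'alice', new Uint8Array([1, 2, 3]),
);
detectSupport(stubWindowLikeReport)
  .then((support) => console.log('support:', support))
  .then(() => registerWithTimeout(stubWindowLikeReport.navigator.credentials, demoOptions, 100))
  .then((result) => console.log('registration:', result));
```

In a real page the stubs are replaced by `window` and `navigator.credentials`, and the challenge and user id come from the server. The 60-second `timeout` inside the options is only a hint to the authenticator; the separate `registerWithTimeout` deadline is what guarantees the page regains control when the OS-side glue is missing, as it is here.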
Technical information
Solutions
There is no workaround.
A discussion on the tester Telegram channel revealed that the fix could live "anywhere" OS-side. What is missing is the glue that connects the browser's API calls to the actual backing (fingerprint sensor or PIN lock handler).
- since the same functionality normally lives in Play Services, this glue could be in microG (see microG bug 849)
- but the Chromium ticket linked from that report makes clear there is no technical reason why this couldn't be directly in AOSP code; it just isn't happening
- by corollary, if it could be in AOSP then it could also be LineageOS native functionality
- the most realistic option is also hinted at in bug 849: create an app that calls a GPLv3 library, and have microG call that app. It is the clumsiest approach of all, but it leverages the (only?) existing open source library for that purpose