Login/Register
Can multiple Android Applications(same device) share same key-pair for Passwordless Authentication using FIDO 2 Protocol?
Asked Answered
authenticationandroid-securitygoogle-identitywebauthnfido
H

4

9

Problem Statement:

I want to solve the user authentication on Android applications using the FIDO2 protocol(by providing an SDK), without doing multiple registration ceremonies for different applications on the same device. For example, If a user has been Registered(generated Public-Private key pair) in an Android application A, he/she shall not be required to Registered in an Android application B(Given App A and App B are on the same device).

What could be the possible Solutions(as per my knowledge):-

  1. A common SDK integrated with application A and B to provide authentication.
  2. Separate Authentication App.

I want to go forward with Solution 1 as Solution 2 might not be desirable because it needs an extra step of downloading an extra app(Authentication App).

What am I able to achieve right now:- We are able to do passwordless authentication of a user for app A and app B by maintaining separate private keys for app A and app B .

enter image description here In the above diagram:-

  1. User XYZ logs-in to App A and registers himself with app A on this device.
  2. During the registration step a Public-private key pair is generated by the authenticator.
  3. PrivateKey_1(PrivateKey) gets created and is stored in the Keystore and PublicKey_1(PublicKey) gets created and is shared with the server.
  4. Let's say now that User XYZ wants to login to the app B. Same process gets repeated for user XYZ to register him with app B.
  5. In this process, A PrivateKey_2 gets created and is stored in the Keystore and PublicKey_2 gets created and is shared with the server.
  6. So in above scenario User XYZ is able to authenticate on App A and App B using private key PrivateKey_1 and PrivateKey_2 respectively.

I want to know the feasibility of the following Scenario? I want to do passwordless authentication of user XYZ for app A and app B, where applications(app A and app B) can use the same credentials (public and private key pair ) and do not need to perform a repeated registration ceremony(creating public and private key) for the same user on the same device for multiple applications sharing the common SDK(app A and app B).

enter image description here In the above diagram:-

  1. User XYZ logs-in to App A and registers himself with app A on this device.
  2. In this process, a PrivateKey_1 gets created and is stored in the Keystore and PublicKey_1 gets created and is shared with the server.
  3. User XYZ wants to login to the app B.
  4. App B should be able to verify user XYZ using the previously generated credentials(by app A).

Is this even possible? Is there any gap in my understanding?

Any Suggestion and help is really appreciable :) :)

Harriot answered 11/2, 2022 at 10:44 Comment(0)
B
3

FIDO2 credentials can be reused wherever the API is available so long as you reference the same RP ID whenever you attempt authentication. FIDO credentials are bound to a unique RP ID, and as long as you can prove ownership of an RP ID then you'll be able to request authentication with any credentials associated to that same RP ID.

In the case of Android, you'll be able to auth across apps so long as both apps are connected to a single website and its unique RP ID. To connect your app to a website, check out the FIDO2 API for Android docs, particularly its section on Interoperability with your website. It links to Google's page for setting up Digital Asset Links on your site so that you can prove ownership of an RP ID and use credentials associated with it for authentication across apps.

Once your apps and website are linked and the user has registered in one app you should then be able to use Fido2ApiClient.getSignPendingIntent() to authenticate in your second app so long as you specify your site's RP ID (the same one specified during registration) as the rpId in the PublicKeyCredentialRequestOptions you pass to the method.

P.S. What's nice about all of this is that credentials you register using Fido2ApiClient (or any equivalent API on other platforms for that matter) in a native app can later be used to log into your website using the WebAuthn API in the browser; you just need to reference the same RP ID in the PublicKeyCredentialRequestOptions you pass to WebAuthn's navigator.credentials.get()!

Bereave answered 11/2, 2022 at 14:35 Comment(6)
I'd also recommend checking out Google's Codelab about using Android's FIDO2 API: codelabs.developers.google.com/codelabs/fido2-for-android/#0Bereave
What exactly you mean by "FIDO2 credentials can be reused wherever the API is available". But in context of android only the app which generated the private key can use that. So how is that possible.Noncontributory
In android we are not able to share the private keys between the apps.( I think its an os restriction). So how do I authenticate second app with credentials from the first app.Noncontributory
I apologize, I should have prefaced that I don't have hands-on experience with Fido2Client (though I have some Android experience) so I answered from the perspective of WebAuthn. If Android handles registration per-app and private keys are siloed to specific apps then you'd probably need to host your own OIDC server and handle cross-app auth that way.Bereave
Check out this link on how to link multiple apps to a single site via Asset Links: developers.google.com/identity/smartlock-passwords/android/… . I'm not seeing anything about Fido2Client specifically that locks credentials to a single app, but specifically on FIDO land credentials can be reused so long as you use a consistent RP ID and can prove ownership of it and it's associated domain. For Android that's Asset LinksBereave
I think at this point it would help a lot if you edit your question with some code so we can see how you're attempting to make this work.Bereave
S
1

One of the main benefits of FIDO2 is that it prevents man-in-the-middle attacks where an attacker is trying to impersonate a genuine replying party. The FIDO2 key will only respond to the RP for which the private key is registered. Sharing authn across multiple RPs would break this model. I don't know what is possible on an Android device but I would have thought you would need some form of authentication broker (an IdP) which you auth to with the Key and it is responsible for proving auth to the apps.

Steffie answered 15/2, 2022 at 9:20 Comment(0)
M
0

Are these accounts registered on the same service? Reading the Android FIDO2 API Interoperability with your website section, it seems possible to host https://example.com/.well-known/assetlinks.json with multiple Android apps listed.

Macaronic answered 11/2, 2022 at 14:35 Comment(0)
L
-1

I saw your problem statement and I think you should use SAWO Labs API for solving the authentication part as it is very easy to use. You can use one API key in multiple applications to use the authentication and also this API has a trust feature where you have to authenticate from each application where the same API is used for one time and you will no longer need authentication every time. SAWO Labs API is a passwordless user authentication tool.

You can know more about the SAWO Labs API from the link given below: https://sawolabs.com/

Laywoman answered 20/3, 2022 at 11:46 Comment(2)
Sawo API for this usecase doesn't work on Android. Can you please redirect to the code which you are referring to?Harriot
@SachitSharma Repo Links : github.com/sawolabs/android-kotlin-demo, github.com/sawolabs/android-java-demoLaywoman

© 2022 - 2024 — McMap. All rights reserved.