
make an alternative FIDO implementation not depending on Play Services #61

Open
thestinger opened this issue Mar 18, 2020 · 10 comments

@thestinger
Member

No description provided.

@geppi

geppi commented Apr 9, 2022

@thestinger You mentioned the COTECH browser as an example for a WebView-based browser with an implementation not based on Play services in GrapheneOS/os-issue-tracker #816.
The COTECH browser seems to be based on the open source Hardware Security SDK from heylogin GmbH which explicitly doesn't require PlayServices. So potentially the alternative FIDO implementation could be based on it?

However, I grabbed the APK from the Playstore and installed it on a Pixel 6 with GrapheneOS in the main profile which doesn't have any PlayServices stuff installed, i.e. no sandboxed PlayServices. Unfortunately I couldn't log in to my Github account from this browser with my Solo key, neither connecting via NFC nor USB.
I also tried the COTECH browser on a Samsung Galaxy S7 with standard Android 8.0 and full PlayServices available and it also didn't let me log in to my Github account while Chrome on the Samsung had no problem.

On the Hardware Security SDK Github site it states that

This open source release does not reflect the newest version of the SDK. Some parts are currently not released as GPLv3.

So it looks like the open source version does indeed lack an important part or could it still be used as a starting point?

@geppi

geppi commented Apr 13, 2022

Would an alternative FIDO implementation enable the use of the Pixel 6 internal Titan M2 chip for 2FA?

@lberrymage

lberrymage commented Apr 13, 2022

Yes. In fact, using the device's secure element is the only option planned to be supported.

@ph00lt0

ph00lt0 commented Apr 14, 2022

Yes. In fact, using the device's secure element is the only option planned to be supported.

Supposing that FIDO2 support will only be added for StrongBox and not for external security keys, how does one log in to the accounts already secured with FIDO2 keys? E.g. if you are in Google's Advanced Protection Program this will be the only way to log in... so one would have to disable this and re-enable it afterwards? Seems not like an ideal plan. Would highly appreciate support for external hardware keys.

@thestinger
Member Author

thestinger commented Apr 14, 2022

https://g.co/sc exists although it may go away in the long term. Both devices have to be in local proximity (checked via local network or bluetooth). Adding support for NFC, Bluetooth and USB keys would be a huge amount of work.

@viktoriasee

Adding support for NFC, Bluetooth and USB keys would be a huge amount of work.

While I understand that, I am missing the solution-based approach. How many hours would it take to enable at least one way? How many hours to enable all of them? Who can do the work? What is the hourly wage of those people?

It's clear to me that for the target group of GrapheneOS support for FIDO2 is crucial.

@thestinger
Member Author

The next release of GrapheneOS (today) will support it in Vanadium via sandboxed Google Play as a starting point.

@thestinger
Member Author

It works via sandboxed Google Play for major browsers already but Vanadium isn't whitelisted.

@Zoraver
Contributor

Zoraver commented May 29, 2023

Android 14 will add support for apps to act as passkey providers by implementing the CredentialProviderService. Chromium is working on adding support for using FIDO2 credentials provided by this system (see https://bugs.chromium.org/p/chromium/issues/detail?id=1427843).

One way forward for this issue would be to ship an app that implements CredentialProviderService using the secure element once GrapheneOS based on Android 14 and CredentialManager support in Chromium ship.

@Opening-Button-8988

@Zoraver Thank you for that information, I've been looking for this!
