VivoKey releases NFC Passkey Bridge

D:

2 Likes

To support non-Google browsers, I thought about implementing a QR-generator and BLE adapter into my CTAP-bridge which would intercept the calls to the virtual “USB authenticator” and instead reroute it via caBLE, but that is quite a complex implementation even when using the Rust module. And it would still only work on Linux.

In addition, I would need to write an Android app which is able to read the QR code and handle the BLE flow, because I don’t use Google Play Services on my phone and microG does not implement this functionality.

It would be quite interesting from an engineering point of view, but it’s very low on my list of priorities due to time available, and also because I have a bunch of readers already which cover my use-cases.

3 Likes

Thanks for the great explanation! Good work!

Just pushed an update for review.. kind of a game changer.. I enabled optional per-UID PIN caching. If you want to, you can turn on this feature, then when you are prompted for a PIN for any token, you can check a box to cache the PIN (if the PIN successfully authenticated). The PIN will be stored with the UID of that token in encrypted storage on the phone. If you want to clear your cache, just disable the feature and it will clear all cached PINs.

7 Likes
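The per-UID caching behaviour described in the post above, sketched as an added example: this is not VivoKey's code, and the app's actual storage design is not shown in this thread. It assumes an Android Keystore AES-GCM key with the token UID as associated data; the class name, preference file and key alias are hypothetical.

```kotlin
import android.content.Context
import android.security.keystore.KeyGenParameterSpec
import android.security.keystore.KeyProperties
import android.util.Base64
import java.security.KeyStore
import javax.crypto.Cipher
import javax.crypto.KeyGenerator
import javax.crypto.SecretKey
import javax.crypto.spec.GCMParameterSpec

// Hypothetical names throughout: PinCache, "pin_cache", "pin_cache_key".
class PinCache(context: Context) {
    private val prefs = context.getSharedPreferences("pin_cache", Context.MODE_PRIVATE)
    private val alias = "pin_cache_key"
    private val ks = KeyStore.getInstance("AndroidKeyStore").apply { load(null) }

    // AES-GCM key generated inside Android Keystore; the key material is not exportable.
    private fun key(): SecretKey {
        (ks.getKey(alias, null) as? SecretKey)?.let { return it }
        val spec = KeyGenParameterSpec.Builder(
            alias, KeyProperties.PURPOSE_ENCRYPT or KeyProperties.PURPOSE_DECRYPT)
            .setBlockModes(KeyProperties.BLOCK_MODE_GCM)
            .setEncryptionPaddings(KeyProperties.ENCRYPTION_PADDING_NONE)
            .build()
        return KeyGenerator.getInstance(KeyProperties.KEY_ALGORITHM_AES, "AndroidKeyStore")
            .apply { init(spec) }.generateKey()
    }

    private fun slot(uid: ByteArray) = uid.joinToString("") { "%02x".format(it) }
    // Call only after the token has accepted the PIN, so a wrong PIN is never stored.
    fun store(uid: ByteArray, pin: ByteArray) {
        val c = Cipher.getInstance("AES/GCM/NoPadding").apply { init(Cipher.ENCRYPT_MODE, key()) }
        c.updateAAD(uid) // bind the ciphertext to this UID
        val blob = c.iv + c.doFinal(pin) // 12-byte Keystore-generated IV, then ciphertext + tag
        prefs.edit().putString(slot(uid), Base64.encodeToString(blob, Base64.NO_WRAP)).apply()
    }

    // Returns null on a cache miss, or when the entry is malformed or fails authentication.
    fun fetch(uid: ByteArray): ByteArray? = try {
        val enc = prefs.getString(slot(uid), null) ?: return null
        val blob = Base64.decode(enc, Base64.NO_WRAP)
        val c = Cipher.getInstance("AES/GCM/NoPadding")
        c.init(Cipher.DECRYPT_MODE, key(), GCMParameterSpec(128, blob, 0, 12))
        c.updateAAD(uid) // an entry copied under another UID's slot fails the tag check
        c.doFinal(blob, 12, blob.size - 12)
    } catch (e: Exception) { null }

    // Disabling the feature wipes every cached entry and the key that protected them.
    fun clearAll() { prefs.edit().clear().apply(); ks.deleteEntry(alias) }
}
```

Deleting the Keystore key in `clearAll()` makes any ciphertext left behind in a backup or stale file undecryptable, which matches the "disable the feature to clear all cached PINs" behaviour.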

I’m curious about this. From my research, Firefox on Android appears to rely on Google Play Services for its FIDO2/WebAuthn functionality. If I understand correctly, and I may be wrong, this is the same Play Services integration that Chromium-based browsers use for their FIDO2 implementation.

Edit: I completely understand having a stock Android phone that isn’t googlefied. If needed I’d be happy to donate an old Samsung S20 phone that you could have to test. Just PM me details to ship it to. Also, I just realized you were talking about desktops. The offer still stands for the Android side of things.

Update pushed for review.. includes relying party logging that works for both resident keys and non-resident key authentications.

2 Likes

I have been trying for a few hours now to get my new cybernetic encryptor ring to work. I have the passkey bridge app and the passkey manager app. I am using a Pixel 9a on GrapheneOS. Trying to add a passkey from Vanadium stock browser always gets a transceive failed, ring on or off, straight to it, no swiping. From a Windows laptop, QR, notifies on Android, selected the bridge, and Windows Security gives an error and to retry, yet the bridge shows it’s added, but the manager shows nothing. The logs for the bridge show they are trying to add but they never add. I was able to get Seedkeeper working great. Google Play and Google Play Services installed and working, exploit protection turned off as well. I also tried Brave and PIN caching on and off.

1 Like

This has been a challenge for whatever reason. I don’t have a Graphene phone for testing but could explore a Pixel 9a and put it on I suppose.

2 Likes

We can try my 7a tomorrow.

4 Likes

This is “giving sus” as the kids say.. saving the credential to the ring is power intensive, and if you are tapping the ring to the phone while wearing it, such that the ring stands perpendicular to the phone’s surface, then it is likely going to brown out during the write process and you will get this kind of NFC error.

Have you tried taking the ring off, laying it flat on the table, and then tapping your phone down onto it so your phone and the ring are parallel to each other? This will maximize power transfer to the ring. You can also use an RSP sticker to focus your phone’s NFC field in a smaller area which should help ring coupling as well.

1 Like

Yes, I had read your posts from 2018 about this. I tried with the ring off, flat on multiple surfaces, with no phone case, moving the phone NFC sensor, straight to the ring over 20 times at different speeds etc.

It does not always say transceive failed. If I’m using the QR method via the bridge, it will show it saves it on the phone. Yet the Windows prompt will say error try again right when my phone prompts to scan the ring. When this happens the passkey manager app will show no credentials were saved.

What version of bridge? Make sure you’re up to date?

1 Like

Just downloaded from Google Play yesterday, 1.2.3

1 Like

We will check it out on Graphene and update soon™

1 Like

Ok so we have identified there is a problem with Graphene and how FIDO requests are processed through the OS via Google Play Services. Identifying exactly what that problem is will take some time. I’m procuring a dev phone that can run GOS.

4 Likes

This would be amazing, also affecting me on my Pixel Fold running GrapheneOS

1 Like

Can anyone with Graphene use the QR scanner function at all with laptops etc.? @tac0s’s phone erroneously says it needs to turn Bluetooth on just after wanting to launch the scanned QR code, even though Bluetooth is actually on already. Doesn’t progress from that point.

2 Likes

Yes, I was able to do all the steps, but was unable to get WebAuthn to show anything other than zeros

1 Like

Permission issue? Is he using a dedicated QR scanner app? I used the built-in one

1 Like

Yes, mine scans the QR fine. You have to enable the “nearby devices” permission for Google Play Services: https://discuss.grapheneos.org/d/12019-passkeys-as-mfa-on-grapheneos-a-guide

Then:

  • On Windows 10/11: In the pop-up that follows: select ‘iPhone, iPad or Android device’. Open the Camera app on GrapheneOS, select ‘QR scan’ and scan the QR.

  • On Linux (tested with Brave): A QR will immediately show. Open the Camera app on GrapheneOS, select QR scan and scan the QR.

Then, on GrapheneOS:

  1. Allow Bluetooth

  2. Grant Play Services the ‘Nearby devices’ permission when asked (only needs to be done once)

  3. Optional: Select ‘Skip the QR code next time’ to allow the devices to remember each other

  4. Authenticate with your password manager

3 Likes