FIDO2 Authentication in Native Apps

G5 Cyber Security

1 month ago

TL;DR

Yes, FIDO2 authentication can be used for native applications (mobile and desktop). It requires using platform-specific APIs to interact with authenticators like security keys, fingerprint sensors, or face recognition. Libraries exist to simplify this process across different operating systems.

How it Works

FIDO2 is an open authentication standard that enables passwordless logins and stronger multi-factor authentication. It consists of two main protocols: CTAP (Client to Authenticator Protocol) and WebAuthn (Web Authentication). Native apps generally use the underlying CTAP protocol directly, or a wrapper around it provided by the OS.

Step-by-Step Guide

Choose a FIDO2 Library: Several libraries simplify integration. Some popular options include:
- libfido2 (C/C++): A low-level, cross-platform library offering maximum control.
- YubiKey SDKs: If you specifically target YubiKeys, their SDKs provide dedicated support.
- Platform-Specific APIs: Android and iOS have native FIDO2 support (see steps below).
Android Implementation:
1. Add Dependencies: Include the necessary dependencies in your build.gradle file.
```
implementation 'com.yubico:fido2-android:1.0.3'
```
2. Check for FIDO2 Support: Use the Fido2Manager to determine if the device supports FIDO2.
```
boolean isSupported = Fido2Manager.isFido2Supported(context);
```
3. Register a New Credential: Initiate the registration process using the register() method.
4. Authenticate with an Existing Credential: Use the authenticate() method to verify the user’s identity.
iOS Implementation:
1. Use CryptoKit: Apple’s CryptoKit framework provides FIDO2 support starting from iOS 13.4.
```
import CryptoKit
```
2. Create a WebAuthnCredential: Use the WebAuthnCredential class to manage credentials.
3. Register a New Credential: Implement the registration flow using CryptoKit APIs.
4. Authenticate with an Existing Credential: Implement the authentication flow using CryptoKit APIs.
Desktop Implementation (Windows/macOS/Linux):
1. libfido2: The most common approach is to use libfido2 directly. You’ll need to compile it for your target platform and write code to handle CTAP communication.
2. Platform-Specific APIs: Some operating systems may offer native FIDO2 support, but this varies significantly.
Handle Authenticator Communication: Regardless of the library you choose, you’ll need to handle communication with the authenticator. This typically involves:
- USB HID: For security keys connected via USB.
- Bluetooth Low Energy (BLE): For authenticators communicating over Bluetooth.
- Near Field Communication (NFC): For NFC-enabled authenticators.
Secure Credential Storage: Store FIDO2 credentials securely on the device. Use platform-specific secure storage mechanisms like:
- Android Keystore System: For Android apps.
- iOS Keychain: For iOS apps.

Important Considerations

User Experience: Design a clear and intuitive user experience for registering and authenticating with FIDO2.
Error Handling: Implement robust error handling to gracefully handle authentication failures and unexpected errors.
Security Best Practices: Follow security best practices when storing and managing FIDO2 credentials.
Authenticator Support: Ensure compatibility with a wide range of authenticators.