There are a few threads around that talk about Fido2 requiring Google Play Services to work on GrapheneOS.
From what I understand there is currently no Open Source implementation of this that we could use.

I am interested in understanding more about what it would take to build one.
As a focused use-case I would like to get my YubiKey U2F working in Vanadium, but I am also interested in knowing how that might differ if we were to expand to App-based Fido (no browser), using the Titan chip, and other extensions/improvements that should be done. What SHOULD the implementation look like?

Here are a couple of prompting questions:

  • Does this need to be built into Vanadium / GrapheneOS, or built as a standalone App/Service?
  • How do we get Vanadium to use this implementation? Does the App need to register as some kind of handler and implement a specific API?
  • How does this app interface with the YubiKey and/or Titan chip?
  • Are there any technical blockers that would prevent someone building this?

I saw fido-browser mentioned in another thread but it's no longer maintained. I would also like to stick with Vanadium if possible.

Feel free to correct any assumptions I've made in the above.
Any technical information / guidance / links around this will be much appreciated :)

I have an open source implementation of FIDO2 that could be used: https://github.com/BryanJacobs/FIDOk/. It's one of only two I know of, and is more complete than MicroG's implementation. It builds and works fine on Android.

That's cool @BryanJacobs . Thanks for sharing.
Is this something that could be hooked up to Vanadium?
I don't completely understand how all the pieces fit together yet (Chromium source code is big).

I've gotten as far as this note for the Bluetooth implementation:

sender: "Phone as a Security Key"
          description:
            "Chrome on a phone can communicate with other devices for the "
            "purpose of using the phone as a security key. This WebSocket "
            "connection is made to a Google service that aids in the exchange "
            "of data with the other device. The service carries only "
            "end-to-end encrypted data where the keys are shared directly "
            "between the two devices via QR code and Bluetooth broadcast."
          trigger:
            "The user scans a QR code, displayed on the other device, and "
            "confirms their desire to communicate with it."
          data: "Only encrypted data that the service does not have the keys "
                "for."
          destination: GOOGLE_OWNED_SERVICE

A software developer, like me but not me, would need to either:

  • change Vanadium's source code to use the library above instead of Google Play Services (not hard)
  • change GrapheneOS to use the library above to provide FIDO2 functions, instead of trying to use Google Play Services (hard)

Things could also work if GrapheneOS used microG, or if the sandboxed Google Play Services FIDO were repaired.

That said, Google Play Services' FIDO implementation is... bad at best. It doesn't seem to support the hmac-secret extension, and it tries to get you to use a google-account passkey instead of using a hardware authenticator like a Yubikey.

    Is this for Vanadium to authenticate websites using a hardware key? There is an open source FIDO2 key called the Solokey v2 that may also be of use documentation wise.

      BalooRJ

      It is something that some application (such as a web browser) could use for FIDO2 authentication. I am not aware of any applications that use it.


      I had a little bit of time to dig into the Chromium source code and it looks like the main file that needs to change is Fido2ApiCallHelper.java which is called by Fido2CredentialRequest.java.

      There are also references to gms that may need to be mocked in Fido2AppCall.java such as

      • com.google.android.gms.fido.fido2.internal.regular.IFido2AppService
      • com.google.android.gms.fido.fido2.internal.regular.IFido2AppCallbacks
      • com.google.android.gms.fido.fido2.regular.START

      Not sure if calls like data.enforceInterface("com.google.android.gms.fido.fido2.api.IByteArrayCallback") will fail without Google Play Services installed.

      Lots of guessing here since I'm not familiar with the code base. When I get more time I'll try and build Vanadium and hook it up with BryanJacobs' FIDO library.
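For a concrete picture of what the client-side piece (the path under Fido2ApiCallHelper.java, or a replacement library behind it) has to send to a YubiKey over CTAP2 and what it gets back, here is an added Python example. It is not code from Chromium, Vanadium or FIDOk: the CBOR encoder is a minimal one written for this example, the AAGUID and the sample authenticatorData are constructed placeholders, and the request asks for the hmac-secret extension because of the point made earlier in the thread that the Play Services implementation does not support it. The parser pulls the credential ID out of authenticatorData (what a client returns as the credential's rawId) and checks that the rpIdHash is bound to the expected RP ID.

```python
import hashlib
import hmac

# --- Minimal CBOR encoder in CTAP2 canonical form -------------------------------
# CTAP2 uses definite lengths only, with map keys sorted by (encoded length,
# then bytewise). Ints, byte strings, text, arrays, maps and bools suffice here.

def _head(major, n):
    """Initial byte(s) for a CBOR item of the given major type and argument."""
    mt = major << 5
    if n < 24:
        return bytes([mt | n])
    if n < 0x100:
        return bytes([mt | 24, n])
    if n < 0x10000:
        return bytes([mt | 25]) + n.to_bytes(2, "big")
    if n < 0x100000000:
        return bytes([mt | 26]) + n.to_bytes(4, "big")
    return bytes([mt | 27]) + n.to_bytes(8, "big")


def cbor_encode(value):
    if isinstance(value, bool):            # bool first: bool is a subclass of int
        return b"\xf5" if value else b"\xf4"
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        raw = value.encode("utf-8")
        return _head(3, len(raw)) + raw
    if isinstance(value, list):
        return _head(4, len(value)) + b"".join(cbor_encode(v) for v in value)
    if isinstance(value, dict):
        items = [(cbor_encode(k), cbor_encode(v)) for k, v in value.items()]
        items.sort(key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError(f"unsupported CBOR type: {type(value).__name__}")

# --- CTAP2 authenticatorMakeCredential request (command byte 0x01) --------------

def build_make_credential(client_data_hash, rp_id, rp_name, user_id, user_name,
                          hmac_secret=False):
    """CTAP2 message a platform client sends to the key. Parameter keys per the
    spec: 1 clientDataHash, 2 rp, 3 user, 4 pubKeyCredParams, 6 extensions."""
    params = {
        1: client_data_hash,                         # SHA-256 of clientDataJSON
        2: {"id": rp_id, "name": rp_name},
        3: {"id": user_id, "name": user_name, "displayName": user_name},
        4: [{"alg": -7, "type": "public-key"}],      # COSE alg -7 = ES256
    }
    if hmac_secret:
        params[6] = {"hmac-secret": True}            # request the hmac-secret extension
    return bytes([0x01]) + cbor_encode(params)

# --- authenticatorData parsing --------------------------------------------------
# rpIdHash(32) | flags(1) | signCount(4) | [aaguid(16) | credIdLen(2) | credId | COSE key] | [ext]

FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80


def parse_authenticator_data(auth_data):
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the fixed 37-byte header")
    flags = auth_data[32]
    out = {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "attested": bool(flags & FLAG_AT),
        "has_extensions": bool(flags & FLAG_ED),
        "sign_count": int.from_bytes(auth_data[33:37], "big"),
    }
    rest = auth_data[37:]
    if flags & FLAG_AT:
        if len(rest) < 18:
            raise ValueError("attested credential data truncated")
        cred_len = int.from_bytes(rest[16:18], "big")
        if len(rest) < 18 + cred_len:
            raise ValueError("credentialId runs past the end of authenticatorData")
        out["aaguid"] = rest[:16]
        out["credential_id"] = rest[18:18 + cred_len]   # returned to the page as rawId
        rest = rest[18 + cred_len:]
    out["trailing_cbor"] = rest   # COSE public key and/or extension outputs, left undecoded
    return out


def rp_id_hash_matches(auth_data, rp_id):
    """True if the authenticator bound this credential to rp_id."""
    expected = hashlib.sha256(rp_id.encode("utf-8")).digest()
    return hmac.compare_digest(parse_authenticator_data(auth_data)["rp_id_hash"], expected)


def build_sample_auth_data(rp_id="example.com"):
    """Constructed authenticatorData (not captured from a real key): UP|AT set,
    all-zero placeholder AAGUID, 16-byte credentialId, ES256 COSE key."""
    cose_key = cbor_encode({1: 2, 3: -7, -1: 1, -2: b"\x02" * 32, -3: b"\x03" * 32})
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([FLAG_UP | FLAG_AT]) + (0).to_bytes(4, "big")
            + b"\x00" * 16 + (16).to_bytes(2, "big") + b"\x11" * 16 + cose_key)


if __name__ == "__main__":
    req = build_make_credential(hashlib.sha256(b"constructed clientDataJSON").digest(),
                                "example.com", "Example", b"\x01" * 8, "alice", hmac_secret=True)
    print("makeCredential request:", req.hex())
    print(parse_authenticator_data(build_sample_auth_data()))
```

The bytes returned by build_make_credential are what goes into the CTAPHID or NFC/CCID transport towards the key; the response carries a status byte followed by a CBOR map whose authData entry is what parse_authenticator_data consumes. The COSE key and extension outputs are left as raw CBOR because decoding them needs a full CBOR decoder, which the example deliberately omits.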

      matchboxbananasynergy

      Are you able to use a physical hardware key (like a Yubikey) as a "passkey" (NOT "security key") on Github?

      Last I checked, the Google Play implementation lets you use U2F with a physical key, or lets you use FIDO2 with a Google Account, but doesn't let you use FIDO2 with a physical key.

        BryanJacobs

        I have mine configured as "security keys" or I would test it. I have read reports that agree with you but can't confirm.


        BryanJacobs You can, but you first need to go to Settings app > Passwords and accounts and toggle off every provider that currently supports passkeys. Then, upon selecting to sign in with a passkey on a website, you will be given the option in Vanadium to use a different device, including a USB security key. It works, but it's not ideal. I will be checking soon how it behaves on stock PixelOS with the newest updates to Play Services.

        Edit: it doesn't seem currently possible to register a passkey onto a security key on GrapheneOS. There is a GitHub issue already on this. If you figure out a way to do it, please let me know.