Skip to content
New issue

Have a question about this project? Sign up for a free GitHub account to open an issue and contact its maintainers and the community.

By clicking “Sign up for GitHub”, you agree to our terms of service and privacy statement. We’ll occasionally send you account related emails.

Already on GitHub? Sign in to your account

FIDO: Add credential selection #2463

Open
wants to merge 5 commits into
base: master
Choose a base branch
from

Conversation

TheMartinizer
Copy link
Contributor

It was near impossible to start working on credential selection without touching code that had already been touched in my previous pull requests, so this pull request contains all the code of pull requests #2194 and #2199, and builds on top of that. Sorry I couldn't find a better way to do this.

If there are several available credentials when trying to sign in to a web page and the allowList is empty, the user is now brought to a page that displays a list of available credentials. The credential chosen from the list is used to log in to the page. If the credentials are taken from the Screen Lock credential store, each credential in the list also has a button to delete the credential (I didn't find another, better place to put this functionality).

Each time a user tries to sign in or register a new key using the ScreenLock mechanism, the key store is cleaned up by deleting invalidated keys. Keys can become invalidated for instance if the user adds new fingerprints to their biometric reader. User info (including display name and icon) is tied to each credential key using an SqLite database in ScreenLockCredentialStore.kt. Each time the database is accessed, it is pruned by removing entries that refer to keys that no longer exist, for instance if they were deleted or invalidated.

Since Android keys require biometric authentication to be unlocked, and we don't know which credential to unlock until the user has selected it, the AuthenticatorActivity no longer receives the credentials themselves, but instead an asynchronous function to get the credential. In case the credential is already available (such as for credentials from an NFC or Bluetooth key), this function just returns the credential directly. In the case of Screen lock credentials, this function prompts the user for biometric authentication and uses this to unlock the key from the keystore, and then returns the credential.

I have tested this with NFC and Screenlock credentials on my own phone. I don't have access to a Bluetooth key, so this is still untested.

At the moment, the list of available credentials from the Screenlock method is shown before the user has supplied any biometric authentication. If you think this is a security risk, I could change it so the user has to provide authentication before being shown the list, but in that case I think the user would still have to give biometric again later to unlock the chosen credential.

@ale5000-git
Copy link
Member

@TheMartinizer
The other 2 PR are now merged, could you please remove the already merged changes from this PR?

@TheMartinizer
Copy link
Contributor Author

All right, I rebased the credential_selection branch onto the current microG master and pushed it again! Thanks to you guys for looking through the other pull requests, and I'm glad they were useful! :-)

@ale5000-git
Copy link
Member

Certainly, it is a very good contribution.
Thanks a lot for the help.

@ale5000-git ale5000-git changed the title FIDO: Credential selection, PIN authentication, screenlock authentication fixes FIDO: Add credential selection Aug 19, 2024
@dylangerdaly
Copy link
Contributor

dylangerdaly commented Aug 28, 2024

Woah, will this totally add support for microG to manage/store/use Passkeys?

It'd be really great for this to work without being signed into a Google account.

Sign up for free to join this conversation on GitHub. Already have an account? Sign in to comment
Projects
None yet
Development

Successfully merging this pull request may close these issues.

3 participants