GitPlanet

Cheap and reliable Node.js hosting starts at $3/month, and $1/month static HTML hosting

Created with love in Canada, visit hostnodejs.com today

Feel like to post an Ad? Learn Details
All Projects → duo-labs → android-webauthn-authenticator

duo-labs / android-webauthn-authenticator

Licence: BSD-3-Clause license
A WebAuthn Authenticator for Android leveraging hardware-backed key storage and biometric user verification.

Programming Languages

java
68154 projects - #9 most used programming language

Labels

androidandroid-libraryandroid-securitywebauthnfido2webauthn-library

Projects that are alternatives of or similar to android-webauthn-authenticator

keycloak-radius-plugin
Make the radius server as part of keycloak SSO
Stars: ✭ 102 (+0.99%)
Mutual labels:  webauthn, fido2
line-fido2-server
FIDO2(WebAuthn) server officially certified by FIDO Alliance and Relying Party examples.
Stars: ✭ 350 (+246.53%)
Mutual labels:  webauthn, fido2
wp-webauthn
🔒 WP-WebAuthn allows you to safely login to your WordPress site without password.
Stars: ✭ 85 (-15.84%)
Mutual labels:  webauthn, fido2
clarion
WebAuthn (U2F) helper for CLI operations (e.g. SSH Log in)
Stars: ✭ 78 (-22.77%)
Mutual labels:  webauthn, fido2
uru-card
Arduino based firmware for FIDO2 Authenticator
Stars: ✭ 114 (+12.87%)
Mutual labels:  webauthn, fido2
FIDO-Server
Open-source FIDO server, featuring the FIDO2 standard.
Stars: ✭ 17 (-83.17%)
Mutual labels:  webauthn, fido2
adfsmfa
MFA for ADFS 2022/2019/2016/2012r2
Stars: ✭ 86 (-14.85%)
Mutual labels:  webauthn, fido2
go-libfido2
libfido2 bindings for golang
Stars: ✭ 42 (-58.42%)
Mutual labels:  webauthn, fido2
webauthn-example
Basic WebAuthn client and server in go
Stars: ✭ 53 (-47.52%)
Mutual labels:  webauthn, fido2
awesome-yubikey
Curated list of awesome Yubikey resources, open source projects, tools and tutorials.
Stars: ✭ 22 (-78.22%)
Mutual labels:  webauthn, fido2
Solo
Solo 1: open security key supporting FIDO2 & U2F over USB + NFC
Stars: ✭ 1,986 (+1866.34%)
Mutual labels:  webauthn, fido2
webauthn-demo
WebAuthn demo with Ionic/Angular and Spring Boot
Stars: ✭ 22 (-78.22%)
Mutual labels:  webauthn, fido2
Opensk
OpenSK is an open-source implementation for security keys written in Rust that supports both FIDO U2F and FIDO2 standards.
Stars: ✭ 2,114 (+1993.07%)
Mutual labels:  webauthn, fido2
Awesome Reverse Engineering
Reverse Engineering Resources About All Platforms(Windows/Linux/macOS/Android/iOS/IoT) And Every Aspect! (More than 3500 open source tools and 2300 posts&videos)
Stars: ✭ 2,954 (+2824.75%)
Mutual labels:  android-security
Insider
Static Application Security Testing (SAST) engine focused on covering the OWASP Top 10, to make source code analysis to find vulnerabilities right in the source code, focused on a agile and easy to implement software inside your DevOps pipeline. Support the following technologies: Java (Maven and Android), Kotlin (Android), Swift (iOS), .NET Full Framework, C#, and Javascript (Node.js).
Stars: ✭ 216 (+113.86%)
Mutual labels:  android-security
apkutil
a useful utility for android app security testing
Stars: ✭ 52 (-48.51%)
Mutual labels:  android-security
Android Security
Android Security Resources.
Stars: ✭ 207 (+104.95%)
Mutual labels:  android-security
Apk Medit
memory search and patch tool on debuggable apk without root & ndk
Stars: ✭ 189 (+87.13%)
Mutual labels:  android-security
Evabs
An open source Android application that is intentionally vulnerable so as to act as a learning platform for Android application security beginners.
Stars: ✭ 173 (+71.29%)
Mutual labels:  android-security
Androidlibrary
Android library to reveal or obfuscate strings and assets at runtime
Stars: ✭ 162 (+60.4%)
Mutual labels:  android-security
View All Similar Projects ➔

Android WebAuthn Authenticator Library

This library is meant to serve as an example implementation of the WebAuthn authenticator model. While the specification is currently in Candidate Recommendation, this library conforms as much as possible to the guidelines and implementation procedures outlined by the document.

This implementation currently requires Android API level 28 (Android 9.0) due to the use of the BiometricPrompt.

Quickstart

You can use JitPack to include this module in your Android project, or you can include the source code.

Using JitPack

Add this in your root build.gradle:

    allprojects {
        repositories {
            ...
            maven { url 'https://jitpack.io' }
        }
    }

Add this to your dependencies list:

    dependencies {
        implementation 'com.github.duo-labs:android-webauthn-authenticator:master-SNAPSHOT'
    }

Using Source

Pull the source

$ cd ~/your/project/src/directory
$ git clone [email protected]:duo-labs/android-webauthn-authenticator.git

Add the module to your Android project

In Android Studio: File -> New -> Import Module and then point it at the android-webauthn-authenticator directory.

Add the module as a dependency

In Android Studio: File -> Project Structure -> App -> Dependencies -> + -> Module Dependency

Select the android-webauthn-authenticator module. After a Gradle sync, you should be able to use the duo.labs.webauthn package.

Usage

You must first instantiate an Authenticator object.

// Authenticator(Context ctx, boolean authenticationRequired, boolean strongboxRequired)
Authenticator authenticator = new Authenticator(context, true, true);

The Authenticator object is safe to instantiate multiple times.

The arguments passed to the constructor determine whether the keys it generates will require biometric authentication (i.e. can be turned off for testing) and if keys should be stored by the StrongBox Keymaster.

Note that StrongBox is only available on some Android devices.

Make Credential (User Registration)

You can create a new credential by passing an AuthenticatorMakeCredentialOptions object to Authenticator.makeCredential(). You can instantiate an AuthenticatorMakeCredentialOptions object directly and manually set its fields, or use our JSON format.

Our JSON format mostly tracks the arguments to authenticatorMakeCredential from the WebAuthn specification, with a few changes necessary for the serialization of binary data. Here's an example:

{
    "authenticatorExtensions": "", // optional and currently ignored
    "clientDataHash": "LTCT/hWLtJenIgi0oUhkJz7dE8ng+pej+i6YI1QQu60=", // base64
    "credTypesAndPubKeyAlgs": [
        ["public-key", -7]
    ],
    "excludeCredentials": [
        {
            "type": "public-key",
            "id": "lVGyXHwz6vdYignKyctbkIkJto/ADbYbHhE7+ss/87o=" // base64
            // "transports" member optional but ignored
        }
    ],
    "requireResidentKey": true,
    "requireUserPresence": false,
    "requireUserVerification": true,
    "rp": {
        "name": "webauthn.io",
        "id": "webauthn.io"
    },
    "user": {
        "name": "testuser",
        "displayName": "Test User",
        "id": "/QIAAAAAAAAAAA==" // base64
    }
}

Note that requireResidentKey and requireUserPresence are effectively ignored: keys are resident by design, and user presence will always be verified. User verification will always be performed if the Authenticator is instantiated with authenticationRequired set to true; otherwise biometric authentication will not be performed and credential generation will fail if requireUserVerification is true.

(Per the spec, requireUserPresence must be the inverse of requireUserVerification)

Create the options object from JSON:

AuthenticatorMakeCredentialOptions makeCredentialOptions = AuthenticatorMakeCredentialOptions.fromJSON(options);

Then, make a new credential with the options given.

AttestationObject attestationObject = authenticator.makeCredential(makeCredentialOptions);
// or if you want to require user verification and need the biometric dialog:
AttestationObject attestationObject = authenticator.makeCredential(makeCredentialOptions, context, cancellationSignal);

makeCredential requires an application context in order to show the BiometricPrompt, and also accepts an optional CancellationSignal to allow user-initiated cancellation.

Once you have an AttestationObject, you can also retrieve its CBOR representation as follows:

byte[] attestationObjectBytes = attestationObject.asCBOR();

Get Assertion (User Login)

Similar to makeCredential, getAssertion takes an AuthenticatorGetAssertionOptions object which you can either instantiate manually or deserialize from JSON.

The JSON format follows authenticatorGetAssertion with some changes made for handling of binary data. Here's an example:

{
    "allowCredentialDescriptorList": [{
        "id": "jVtTOKLHRMN17I66w48XWuJadCitXg0xZKaZvHdtW6RDCJhxO6Cfff9qbYnZiMQ1pl8CzPkXcXEHwpQYFknN2w==", // base64
        "type": "public-key"
    }],
    "authenticatorExtensions": "", // optional and ignored
    "clientDataHash": "BWlg/oAqeIhMHkGAo10C3sf4U/sy0IohfKB0OlcfHHU=", // base64
    "requireUserPresence": true,
    "requireUserVerification": false,
    "rpId": "webauthn.io"
}

Create the options object from JSON:

AuthenticatorGetAssertionOptions getAssertionOptions = AuthenticatorGetAssertionOptions.fromJSON(options);

Step 7 of authenticatorGetAssertion requires that the authenticator prompt a credential selection. You can use our provided SelectCredentialDialogFragment to provide an interface for user-selection, or implement the CredentialSelector interface to receive a callback when it is time to select a credential.

Programmatic Credential Selection

If you want to programatically select credentials, you'll need to implement CredentialSelector, which is a simple interface:

public interface CredentialSelector {
    public PublicKeyCredentialSource selectFrom(List<PublicKeyCredentialSource> credentialList);
}

Here's a barebones example:

AuthenticatorGetAssertionResult assertionObject = authenticator.getAssertion(getAssertionOptions, new CredentialSelector() {
    @Override
    public PublicKeyCredentialSource selectFrom(List<PublicKeyCredentialSource> credentialList) {
        return credentialList.get(0);
    }
});

User-driven Credential Selection

You can also create a credential selector dialog by using the SelectCredentialDialogFragment helper class, which takes a DialogFragment:

SelectCredentialDialogFragment credentialSelector = new SelectCredentialDialogFragment();
credentialSelector.populateFragmentActivity(fragmentActivity);
AuthenticatorGetAssertionResult assertionObject = authenticator.getAssertion(options, credentialSelector, context, cancellationSignal);

The fragmentActivity supplied should be the main Activity with which the user is currently interacting.

As with the makeCredential operation, in the user-driven case, getAssertion requires an application context in order to show the BiometricPrompt and accepts an optional CancellationSignal to allow user-initiated cancellation.

Note that the project description data, including the texts, logos, images, and/or trademarks, for each open source project belongs to its rightful owner. If you wish to add or remove any projects, please contact us at [email protected].