Webauthn: Provide a tutorial on creating Authenticators

Created on 10 Feb 2019  路  15Comments  路  Source: w3c/webauthn

Hello. I have searched the Internet and have not found any good example how to create an own Authenticator.

Could you please create a tutorial/sample project implementing a simplest Authenticator possible utilizing all the API, alongside with the instructions how I can plug it into Firefox and Chromium?

editorial

Most helpful comment

@KOLANICH You might be interested in https://github.com/danstiner/rust-u2f, which emulates HID via /dev/uhid on Linux.

All 15 comments

This is the wrong list for this question.

You need to look at the CTAP2 specification for authenticators.

People have made plugins for FireFox, and Chrome to intercept WebAutn calls and redirect them to propriatary authenticators.

As far as I know browsers only talk to external authenticators over CTAP, OS platform authenticators via OS API on Android and Windows, or build them directly into the browser like Chrome on OSX.

You need to determine if what you want to do is possible. Making a CTAP authenticator is certinly possible.
Thry this list
https://groups.google.com/a/fidoalliance.org/forum/#!forum/fido-dev

Regards
Close issue

People have made plugins for FireFox, and Chrome to intercept WebAutn calls and redirect them to propriatary authenticators.

Yes, I saw these WebExtensions, just injecting/hooking u2f API into a webpage, it doesn't feel like the right way to implement them now.

You need to look at the CTAP2 specification for authenticators.

That spec is for USB and BlueTooth, but I wanna implement a pure software authenticator.

In other words: I don't want to buy any hardware devices, I don't want to use the stuff implemented in OS (SafetyNet is incompatible for libre hardware and software, it's a shame that w3c promotes it), all of these are completely unsuitable for me and lot of people, I want to implement a pure software authenticator (no TEE and any other non-libre stuff) with the security guarantees slightly better than a password manager. I guess there should be some interface, so I register a native library in the system, for example in the similar way it is done to OpenCL ICDs (a file is created in a predefined folder, then the loader looks at that folder, read paths to native libs from each file and loads the selected lib).

But I haven't found an example doing that. Is it possible at all? If it is not currently possible, maybe it should be defined in the standard?

Also I think we need a WebExtension API allowing creation of Authenticators loadable as WebExtensions.

@KOLANICH Emulate HID with software driver, etc. SoftU2F is an example for you https://github.com/github/SoftU2F/

Again, this is not a question to WebAuthn specs. This is CTAP specs.

Emulate HID with software driver

I have already seen this and I don't feel that creating a driver in order to interface to the software supporting the spec is a right solution for a pure software Authenticator. IMHO there should be a way to do the stuff without this kind of perversions.

@KOLANICH Those are the only solutions available

Is it possible to fix it? For example create quickly a spec on native and WebExtension authenticators and then ask browsers' vendors to implement it?

@KOLANICH You can try convincing browser, desktop, and mobile system developers to implement what ever vision you have.

In order to do it I need the accepted spec. Browser vendors are unwiling to implement anything not prescribed by a spec.

@KOLANICH You are free to propose properly a well defined change to the specs, that will benefit the standard, work with TWG on the discussions, and write a pull request.

So far your only solutions are:

  • Make an extension(s) that will override the webauthn API
  • HID driver

In any way, this is not a discussion for WebAuthn working group. This groups work is related to WebAuthn API and FIDO2.

@KOLANICH You might be interested in https://github.com/danstiner/rust-u2f, which emulates HID via /dev/uhid on Linux.

@holycleugh Thanks, it should be definitely useful.

I have already seen this and I don't feel that creating a driver in order to interface to the software supporting the spec is a right solution for a pure software Authenticator. IMHO there should be a way to do the stuff without this kind of perversions.

Didn't I mentioned that you can emulate HID before? I said the drive because on Windows you need to create HID driver. But on *nix you don't *)

Didn't I mentioned that you can emulate HID before? I said the drive because on Windows you need to create HID driver. But on *nix you don't *)

You did, we still need APIs allowing to do that without any drivers.

I think we are safe to closing this issue

Was this page helpful?
0 / 5 - 0 ratings