I've always wondered why Google never moved FIDO from Play services to AOSP.
FIDO requests are scoped to an origin. The Play services implementation verifies that an origin authorizes each client app. This system wouldn't work for web browsers unless every site whitelisted each one.
So then, how come the Play services FIDO implementation does work for web browsers? It doesn't work in the general case. They have a separate privileged API for web browsers and Play services has a list of approved web browser app ids and signatures. This is actually horrific.
For the time being, Vanadium needs to support this until we have our own standalone FIDO2 implementation. We plan on making one simply using the secure element in the phone since it fully supports FIDO2 including physical confirmation and even the optional attestation feature.
We have no plans to release Vanadium on the Play Store. It also currently uses the org.chromium.chrome app id since it's the direct continuation of our unbranded Chromium builds which have gradually had privacy and security improvements added and continue to be improved.
This is blocking Vanadium from using the Play services FIDO API provided by sandboxed Google Play for users who choose to use it. It would be a nice stopgap for those users until we provide our own implementation. It's entirely in our power to add Vanadium to their list though.
FIDO security keys have a broken security model in multiple ways. It's not really Google's fault. They're trying to mitigate one of the problems and the solution is horrific and trusts all those web browsers not to abuse the API or get compromised and have an attacker abuse it.
Our implementation will avoid all of this because we don't plan on supporting external security keys. Every device supported by GrapheneOS is required to have a proper secure element providing the StrongBox keystore and other features. StrongBox is directly usable for FIDO2.
Hardware-backed keys are app-specific so there's no need for approval or some hard-wired list of trusted apps.
Can be made into a reusable library implementing FIDO2 via the AOSP hardware keystore API. Can work on every modern phone if it supports falling back to TEE keystore.
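A sketch of what the "FIDO2 via the AOSP hardware keystore API" approach described above looks like, added here as an example and not code from GrapheneOS or Vanadium: a P-256 credential is generated in StrongBox with key attestation, falls back to the TEE keystore when StrongBox is unavailable, and signs a WebAuthn-style assertion. It assumes the caller runs the signing step inside a BiometricPrompt CryptoObject callback (the key requires user authentication), and that the alias, attestation challenge and authenticatorData are supplied by the caller.

```java
import java.security.KeyPairGenerator;
import java.security.KeyStore;
import java.security.MessageDigest;
import java.security.PrivateKey;
import java.security.Signature;
import java.security.spec.ECGenParameterSpec;
import android.security.keystore.KeyGenParameterSpec;
import android.security.keystore.KeyProperties;
import android.security.keystore.StrongBoxUnavailableException;

public final class KeystoreFidoCredential {
    private static final String KEYSTORE = "AndroidKeyStore";

    // Generate a P-256 signing key for one relying party. Keystore aliases live in
    // the calling app's own namespace, so no other app can use or enumerate the key;
    // that is why no approved-app list is needed. (Constructed helper; alias and
    // attestation challenge are the caller's values.)
    public static void createCredential(String alias, byte[] attestationChallenge) throws Exception {
        try {
            generate(alias, attestationChallenge, true);   // secure element (StrongBox)
        } catch (StrongBoxUnavailableException e) {
            generate(alias, attestationChallenge, false);  // fall back to the TEE keystore
        }
    }

    private static void generate(String alias, byte[] challenge, boolean strongBox) throws Exception {
        KeyGenParameterSpec spec = new KeyGenParameterSpec.Builder(alias, KeyProperties.PURPOSE_SIGN)
                .setAlgorithmParameterSpec(new ECGenParameterSpec("secp256r1"))
                .setDigests(KeyProperties.DIGEST_SHA256)
                .setIsStrongBoxBacked(strongBox)
                .setUserAuthenticationRequired(true)   // user verification: biometric or PIN
                .setAttestationChallenge(challenge)     // hardware attestation chain in the cert
                .build();
        KeyPairGenerator kpg = KeyPairGenerator.getInstance(KeyProperties.KEY_ALGORITHM_EC, KEYSTORE);
        kpg.initialize(spec);
        kpg.generateKeyPair();
    }

    // WebAuthn assertion signature: ES256 over authenticatorData || SHA-256(clientDataJSON).
    // Must be called from the BiometricPrompt CryptoObject callback that authorized the key.
    public static byte[] signAssertion(String alias, byte[] authenticatorData, byte[] clientDataJson)
            throws Exception {
        KeyStore ks = KeyStore.getInstance(KEYSTORE);
        ks.load(null);
        PrivateKey key = (PrivateKey) ks.getKey(alias, null);
        byte[] clientDataHash = MessageDigest.getInstance("SHA-256").digest(clientDataJson);
        Signature sig = Signature.getInstance("SHA256withECDSA");
        sig.initSign(key);   // private key material never leaves the secure element / TEE
        sig.update(authenticatorData);
        sig.update(clientDataHash);
        return sig.sign();   // DER-encoded ECDSA signature, as WebAuthn expects for ES256
    }
}
```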
