January 7th, 2016
After an unusually warm but cozy Christmas, we at Fidesmo are slowly getting back to full power. Besides presents (and a lot of good food), December brought with it several important announcements in the context of U2F and Android:
Our partner Ledger has released Ledger FIDO U2F on the Fidesmo platform! The app is available through the Fidesmo app on Android and installable on all Fidesmo-enabled devices currently available. It is free for users with Ledger’s own Ledger Unplugged and costs 6€ to install on other Fidesmo-enabled devices. Install Ledger FIDO U2F on your Fidesmo-enabled device by following this link or navigate to it in the Fidesmo Android app. Because Ledger is awesome, they’ve even open-sourced Ledger FIDO U2F under the Apache 2.0 licence, enabling you to look at the code and compile the app yourself!
Although the FIDO Alliance U2F specification for NFC was released during the summer last year, nothing but rumors about implementations were produced until Google finally added support for U2F in their app Google Authenticator on the 7th of December. The support is exciting and completely different (but way better) than I imagined it to be! I fully expected every Android developer to have to add NFC support to their app themselves and only get guidance from FIDO/Google. On the contrary, Google has added the feature as an intent in the Google Authenticator app that other apps can call upon. Google Authenticator then instructs the user how to tap their token to get the U2F going. When the communication with the token is finished, the user is sent back to the caller app. Hopefully Google plans to open up this API and the documentation that goes with it, enabling others to build on this great building block.
In a perfect world, no extra work would have to be done by the developers of websites that already support U2F via USB. It shouldn’t matter to them if the authentication happens via USB, NFC or Bluetooth as long as it is securely authenticating the user. My limited testing with Chrome on Android (to my knowledge the only app that uses Google Authenticator for U2F over NFC) shows that this, at least currently, is not the case. Google’s own account security website, which on desktop allows you to register U2F devices, says that the feature is not compatible with the Chrome browser on Android. The account security site on GitHub seems to support the feature a bit better. When pressing the button to add a token to the account, it properly launches Google Authenticator to register the U2F device. When tapping the card and returning to the GitHub site, however, it doesn’t seem to have registered that anything has happened.
Let us put the pieces that we have together and see the result!
Without the API documentation available it is very hard to do anything. However, looking at the application manifest after decompiling Google Authenticator (using Dexplorer or similar tools) shows several interesting activities:
And some interesting services:
It seems Google has already prepared the app for Bluetooth Low Energy (BLE) devices!
Sadly that is as far as I was able to get. The only intent I managed to call was NfcSecurityKeyActivity but that activity immediately shut down. My guess would be that I did not attach the right data to the call (probably the U2F URL or something) and the activity could therefore not properly function and crashed. If anybody has other good guesses on how to get further: I’m all ears!
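The manifest inspection described above can be scripted. As an added example (not from the original post and not Google's code), this Python script reads a decoded AndroidManifest.xml and reports, for each activity and service, whether other apps can reach it, which permission it demands and which intent actions it declares. The manifest and every package and component name in it are constructed for illustration.

```python
import xml.etree.ElementTree as ET

ANDROID = "{http://schemas.android.com/apk/res/android}"

# Constructed sample of a decoded AndroidManifest.xml; the package and component
# names are hypothetical and are not taken from Google Authenticator.
SAMPLE_MANIFEST = """<manifest xmlns:android="http://schemas.android.com/apk/res/android"
          package="com.example.authenticator">
  <application>
    <activity android:name=".ui.MainActivity">
      <intent-filter><action android:name="android.intent.action.MAIN"/></intent-filter>
    </activity>
    <activity android:name=".u2f.ExampleNfcKeyActivity" android:exported="true"
              android:permission="com.example.authenticator.permission.U2F"/>
    <activity android:name=".u2f.ExampleInternalActivity"/>
    <service android:name=".u2f.ExampleBleKeyService" android:exported="false">
      <intent-filter><action android:name="com.example.authenticator.action.BLE_KEY"/></intent-filter>
    </service>
  </application>
</manifest>"""

def list_components(manifest_xml):
    """Return one dict per activity/service describing its external reachability."""
    root = ET.fromstring(manifest_xml)
    package = root.get("package", "")
    found = []
    for node in root.findall("application/*"):
        if node.tag not in ("activity", "service"):
            continue
        name = node.get(ANDROID + "name", "")
        if name.startswith("."):
            name = package + name  # expand the relative class name
        filters = node.findall("intent-filter")
        flag = node.get(ANDROID + "exported")
        # With no explicit flag, a component of an app targeting below Android 12
        # is exported exactly when it declares an intent filter.
        exported = bool(filters) if flag is None else flag == "true"
        found.append({
            "kind": node.tag, "name": name, "exported": exported,
            "permission": node.get(ANDROID + "permission"),
            "actions": [a.get(ANDROID + "name") for f in filters for a in f.findall("action")],
        })
    return found

if __name__ == "__main__":
    for component in list_components(SAMPLE_MANIFEST):
        print(component)
```

An exported component that names a permission can only be started by callers holding that permission, so the permission field matters as much as the exported flag when auditing what an app exposes.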
That was really awesome! Good job Google on making the implementation as easy as possible using Google Authenticator! Now go publish the API so that we can do cool stuff with it! While you are at it, you should probably add some UI in Google Authenticator hinting at the U2F functionality. Finally, it would be awesome if the app would react to a Fidesmo card that doesn’t have a U2F app installed and help the user get the needed app by sending her to the Fidesmo app store. Thanks! 😉