U2F via NFC on Android

January 7th, 2016

After an unusually warm but cozy Christmas we at Fidesmo are slowly getting back to full power. Besides presents (and a lot of good food) December brought with it several important announcements in the context of U2F and Android:

Ledger FIDO U2F

Our partner Ledger has released Ledger FIDO U2F on the Fidesmo platform! The app is available through the Fidesmo app on Android and installable on all Fidesmo enabled devices currently available. It is free for users with Ledgers own Ledger Unplugged and costs 6 to install on other Fidesmo enabled devices. Install Ledger FIDO U2F on your Fidesmo enabled device by following this link or navigate to it in the Fidesmo Android app. Because Ledger is awesome they’ve even open sourced Ledger FIDO U2F under the Apache 2.0 licence enabling you look at the code and compile the app yourself!

Android U2F support

Although the FIDO Alliance U2F specification for NFC was released during the summer last year nothing but rumors about implementations were produced until Google finally added support for U2F in their app Google Authenticator on the 7th of December. The support is exciting and completely different (but way better) than I imagined it to be! I fully expected every Android developer to have to add NFC support to their app themselves and only get guidance from FIDO/Google. On the contrary; Google has added the feature as an intent in the Google Authenticator app that other apps can call upon. Google Authenticator then instructs the user how to tap their token to get the U2F going. When the communication with the token is finished the user is sent back to the caller app. Hopefully Google plans to open up this API and the documentation that goes with it, enabling others to build on this great building block.

Google Authenticator U2F

Google Authenticator asking user to put up NFC U2F token

Websites using U2F

In a perfect world no extra work would have to be done by the developers of websites that already support U2F via USB. It shouldn’t matter to them if the authentication happens via USB, NFC or Bluetooth as long as it is securely authenticating the user. My limited testing with Chrome on Android (to my knowledge the only app that uses Google Authenticator for U2F over NFC) shows that this, at least currently, is not the case. Google’s own account security website, that on desktop allows you to register U2F devices, says that the feature is not compatible with the Chrome browser on Android. The account security site on GitHub seems to support the feature is a bit better. When pressing the button to add a token to the account it properly launches Google Authenticator to register the U2F device. When tapping the card and returning to the GitHub site however it doesn’t seem to have registered that anything has happened.

Testing it out

Let us put the pieces that we have together and see the result!

  1. You need to get a U2F device with NFC support: With its far superior antenna and versatility we recommend our own Fidesmo card. 🙂 If you choose a Fidesmo device you’ll also have to buy the Ledger FIDO U2F app and install it onto your card.
  2. Make sure you are running a recent version of Chrome and the latest version of Google Authenticator on your Android device (which needs to have NFC).
  3. Visit https://u2fdemo.appspot.com/ in Chrome on Android and after thinking long and hard about giving it access to your account accept it and move on. I am not the developer of the demo and guarantee nothing. I have not looked at the source (which is available here). The reasoning behind “logging in” with your Google account seems to be to register the key to your account on the demo. This gives you access to the key on any other device you visit the demo from (with the same account).
  4. Press “Register U2F Authenticator”
  5. Tap the card when prompted. If successful you’ve now registered your card with the demo.
  6. Press “Test Authentication”
  7. Tap the card when prompted. The box should now flash green as you have successfully authenticated yourself to the demo! (This is ONLY authenticating you to the demo and is not tied to anything else.)
U2F NFC from browser using Google Authenticator

Gif showing the full flow. Click image to see it in action

3rd party support

Without the API documentation available it is very hard to do anything. However, looking at the application manifest after decompiling Google Authenticator (using Dexplorer or similar tools) shows several interesting activities:

com.google.android.apps.authenticator.api.NfcSecurityKeyInstructionsActivity
com.google.android.apps.authenticator.api.NfcSecurityKeyActivity
com.google.android.apps.authenticator.api.SelectSecurityKeyActivity
com.google.android.apps.authenticator.api.BleSecurityKeyActivity
com.google.android.apps.authenticator.api.BleSecurityKeyPairActivity

And some interesting services:

com.google.android.apps.authenticator.api.BleSecurityKeyService
com.google.android.apps.authenticator.api.NfcSecurityKeyService

It seems Google has already prepared the app for Bluetooth Low Energy (BLE) devices!

Sadly that is as far as I was able to get. The only intent I managed to call was NfcSecurityKeyActivity but that activity immediately shut down. My guess would be that I did not attach the right data to the call (probably the U2F URL or something) and the activity could therefore not properly function and crashed. If anybody has other good guesses on how to get further: I’m all ears!

Awesome stuff

That was really awesome! Good job Google on making the implementation as easy as possible using Google Authenticator! Now go publish the API so that we can do cool stuff with it! While you are at it you should probably add some UI in Google Authenticator hinting at the U2F functionality. Finally it would be awesome if the app would react to a Fidesmo card that doesn’t have a U2F app installed and help the user get the needed app by sending her to the Fidesmo app store. Thanks! 😉

Thanks for reading and stay tuned for more things like this to our Twitter, LinkedIn and Google+. Happy new year from me and the rest of Fidesmo!

//Theo Franzén