FIDO-k

This repository contains an early-stage implementation of a FIDO Platform, implementing the WebAuthn-2 and CTAP2.1 standards ("FIDO2"). It also includes some CTAP2.2 and WebAuthn-3 functionality.

A FIDO2 Platform sits between an Authenticator and a Relying Party; it runs on a client device (such as a laptop or smartphone) and allows the user to communicate with Authenticators.

This software can be linked into an application to add FIDO2 authentication capabilities to that application. But it's not an implementation of a Relying Party; this is the software for a client computer potentially talking TO a web service, not the software running on the web server side.

This particular Platform implementation has a few special properties:

Note this means that, despite being a Kotlin project, C code can use this implementation as a replacement for e.g. libfido2!

Implementation Overall Status: Beta

This implementation will likely improve in coverage rapidly! It mostly works, but APIs are not guaranteed to remain stable yet, and there are surely bugs or incomplete sections.

Overview

The core code is all Kotlin/Multiplatform, and can be used from any target. Interfaces for cryptography and communicating with authenticators on a byte-by-byte level are provided by native implementations specific to each platform.

Layers

  1. Low level CTAP layer
  2. Webauthn standard implementation
  3. libfido2 compatibility layer
  4. High level task-specific APIs

Protocol Features

| Feature | Status |
|---|---|
| CTAP2.0 Prototype Credentials Management | Supported |
| CTAP2.1 Credentials Management | Supported |
| Authenticator Config | Supported |
| Authenticator Reset | Supported |
| Client PIN (set, change, info) | Supported |
| setMinPINLength Command | Supported |
| PIN Protocol One | Supported |
| PIN Protocol Two | Supported |
| PIN tokens using PIN without permissions | Supported |
| PIN tokens using PIN with permissions | Supported |
| PIN tokens using onboard UV | Supported |
| minPinLength Extension | Supported |
| credProtect Extension | Supported |
| hmac-secret Extension | Supported |
| credBlob Extension | Supported |
| largeBlobKey Extension | Supported |
| uvm Extension (Webauthn) | Supported |
| Key Algorithm Types | ES256, EdDSA |
| LargeBlob management | Unsupported |
| Bio Enrollment | Unsupported |
| Authenticator Selection | Incomplete |
| MakeCredential | Supported |
| GetAssertion | Supported |
| Self Attestation | Supported |
| Basic Attestation | Incomplete |
| Enterprise Attestation | Incomplete |
| FIDO Metadata Service | Unsupported |
| Android-key Attestation | Unsupported |
| TPM Attestation | Unsupported |
| CTAP1/U2F | Unsupported |

Implementation Features

| Level | Status |
|---|---|
| Raw CTAP | Working |
| Testing | Incomplete |
| Well-documented APIs | Incomplete |
| Well-documented Build/Integration | No |
| Webauthn Layer | Working |
| Easy Task-Specific APIs | Incomplete |
| Command Line | Working |
| Graphical User Interface | Incomplete |
| Authenticator Proxying | Working from HID |

Platforms

| Platform | Status |
|---|---|
| JVM "fat" JAR | Working |
| C/C++ Shared Library | Working |
| Linux Executable/SO | Working (.so, ELF native binary, AppImage, RPM, DEB) |
| MacOS X86 Executable/framework | Working (can only be built on Mac OS X86 or Rosetta) |
| MacOS Arm64 Executable/framework | Working (can only be built on Mac OS Arm64) |
| Windows Executable/DLL | Working (.dll, .exe native binary) |
| iOS Framework | Unimplemented |
| Android JAR/SO | Incomplete |
| Android Demo Application | Working (.apk) |
| Web Page :) | Unimplemented |

Authenticator Types / Protocols

| Attachment | What is this? | Status | Linux | Mac | Windows | JVM | Android | iOS |
|---|---|---|---|---|---|---|---|---|
| USB-HID | Plug-in USB tokens | Working | Y | Y | N | As Native | Y | |
| USB-CCID | Smart Card Readers (via USB) | Working | Y (via PC/SC) | N | Y (via PC/SC) | As Native | N | |
| NFC | Near-field tokens (via an antenna) | Working | N (Y via CCID) | N | N (Y via CCID) | As Native | Y | |
| Bluetooth-HID | Very strange, not found in the wild | Working | Y | N | N | As Native | N (and *1) | |
| Bluetooth LE | Wireless, battery-powered tokens | Working | Y | N | N | Y | *1 | |
| BLE PC/SC | Smart Card Readers (via BLE) | Partial *2 | Y | N | N | As Native | N | |
| TPM | Chips built into computers | Unimplemented | | | | | | |
| CaBLE | Authenticators using the Internet! | Incomplete | | | | | | |

*1 - Bluetooth LE support for Android is implemented, but for reasons unknown Android restricts access to BLE FIDO tokens to "system" applications, so FIDOk can't talk to BLE authenticators in a normal (non-system) install.

*2 - The only currently-supported reader is the ACR1255U-J1 from Advanced Card Systems, Ltd (ACS). This reader uses a proprietary-but-documented protocol, and FIDOk contains a working implementation of that protocol.