Authentication

POC on FIDO2 API in Android

The most secure way to authenticate.

Himanshu Choudhary
Published in The Startup
4 min read, May 4, 2020


A few days back I had to build an Android POC on the FIDO protocol. When I started reading about it, the official documentation did not give me much help, so it took more time than I had expected.

So, I am writing this blog to simplify the things that tripped me up while I was developing it.

What will you get from this blog?

  • A basic idea of how FIDO authentication works.
  • Some explanation of why things are not working.
  • And a surprise at the end 🤩

What will you not get from this blog?

  • How a FIDO server works.

Why use FIDO Authentication?

Because it is the easiest and most secure way to authenticate right now.

Working of FIDO Authentication

We will try to understand this in steps:

  1. You ask the FIDO server to register your account.
  2. In return, it sends you a challenge (an encrypted string) which your Android phone's authenticator will decode and give you a response for.

An authenticator can be your phone's PIN, fingerprint, face unlock, etc.

  3. The authenticator generates user credentials. A user credential has both a public and a private key component. The public key is shared with your service, while the private key is kept secret by the authenticator.
  4. Now the response is sent to the FIDO server, which checks whether it is correct by using the public key.
  5. If it is correct, it registers the account.

POC

The link above is to Google's Codelab. You can find the sample app in it.

Now, if Google already provides a demo project, why am I writing this blog?

Because there was a lot I ran into while playing with the app that had no mention in the documentation. So I am writing this to clear those things up :)

Have a look at the app and try to understand what is happening.

Errors

There are 3 errors that I faced:

  1. “The incoming request cannot be validated”
  • One reason for this is a wrong ANDROID_PACKAGENAME in the .env file on Glitch or in the assetlinks.json file on the server.
(screenshot of the .env file)
  • If you put the wrong Android package name in it, the same is copied to the assetlinks.json file, which Glitch generates automatically.
  • If you are using multiple apps with a single project, check out the bonus part.

  2. “Cancelled”

  • One reason for this is when you try to sign in to the account using a different mobile phone from the one you used at sign-up time.
  • The logic behind this can be the wrong private key. Every time you sign up, there is a private key which the authenticator keeps and which also decodes the challenge string.
  • So, when you use a different mobile phone, the authenticator also changes, and with it your private key also changes. I think this can be the reason behind it.

  3. “One of the excluded credentials exists on the local device”

  • This is still a mystery. I want your help in solving this. If you find out anything about solving it, please share it in the comment section.
  • The hint can be this: it saves the account details when I used the authenticator multiple times to decode the challenge string.
  • Clearing storage and uninstalling the app didn't help.

Bonus

Now, with this setup you can use a single Android app with a single Glitch project. To use multiple apps with a single Glitch project, you have to add something to server.js on the Glitch site.

There is something like this in your server.js:

(screenshot of the original server.js snippet)

You have to change this to:

(screenshot of the changed server.js snippet)

Why did we do what we did?

Because by adding this to the server.js file it also gets added to assetlinks.json, and our app is linked through the assetlinks.json file.

So, assetlinks.json is really important. If anything goes wrong in it, everything breaks in your app.

This is all from my side.

If there is anything I missed, please comment below.

Thank you for reading.

Happy Coding.
