惯性聚合 高效追踪和阅读你感兴趣的博客、新闻、科技资讯
阅读原文 在惯性聚合中打开

推荐订阅源

T
Threatpost
OSCHINA 社区最新新闻
OSCHINA 社区最新新闻
Engineering at Meta
Engineering at Meta
T
The Blog of Author Tim Ferriss
Recent Announcements
Recent Announcements
G
Google Developers Blog
Google DeepMind News
Google DeepMind News
The Register - Security
The Register - Security
MongoDB | Blog
MongoDB | Blog
U
Unit 42
B
Blog
H
Hackread – Cybersecurity News, Data Breaches, AI and More
L
LangChain Blog
Stack Overflow Blog
Stack Overflow Blog
P
Privacy International News Feed
L
LINUX DO - 最新话题
博客园_首页
博客园 - Franky
大猫的无限游戏
大猫的无限游戏
小众软件
小众软件
Threat Intelligence Blog | Flashpoint
Threat Intelligence Blog | Flashpoint
T
Tor Project blog
V
Visual Studio Blog
让小产品的独立变现更简单 - ezindie.com
让小产品的独立变现更简单 - ezindie.com
P
Privacy & Cybersecurity Law Blog
C
Cyber Attacks, Cyber Crime and Cyber Security
K
Kaspersky official blog
C
Cisco Blogs
博客园 - 【当耐特】
阮一峰的网络日志
阮一峰的网络日志
I
Intezer
罗磊的独立博客
MyScale Blog
MyScale Blog
Last Week in AI
Last Week in AI
A
About on SuperTechFans
G
GRAHAM CLULEY
Y
Y Combinator Blog
Microsoft Security Blog
Microsoft Security Blog
GbyAI
GbyAI
T
Threat Research - Cisco Blogs
P
Proofpoint News Feed
D
DataBreaches.Net
The Hacker News
The Hacker News
Spread Privacy
Spread Privacy
AWS News Blog
AWS News Blog
I
InfoQ
T
The Exploit Database - CXSecurity.com
Simon Willison's Weblog
Simon Willison's Weblog
博客园 - 叶小钗
Project Zero
Project Zero

Passkeys Developer Resources on passkeys.dev

Client Hints Related Origin Requests Bootstrapping Reauthentication What are passkeys? Libraries Test Sites & Tools iOS & iPadOS Chrome OS macOS Windows Known Issues Specifications Terms About passkeys.dev Device Support Privacy Policy
Android
2022-09-04 · via Passkeys Developer Resources on passkeys.dev

Resources for passkeys in Android

Local Authenticator

(create and use passkeys from the local device)

External Authenticator

(create and use passkeys from another device)

Overview  

The platform authenticator in Android 9+ has the following capabilities:

  • creating and using passkeys that are backed up to Google Password Manager
  • using a passkey from the local Android device to sign into services on another device (such as a laptop or desktop), using FIDO Cross-Device Authentication

Android 14 adds the following capabilities:

  • creating and using passkeys in a third-party passkey provider
    • NOTE: some Android devices from a small number of OEMs do not support third party passkey providers in Android 14

Platform Notes  

Cross-Device Authentication  

Android devices can be an authenticator for FIDO Cross-Device Authentication (CDA) .

Android devices can be persistently linked to the browsers/platforms below:

  • Windows 11 23H2+

macOS (Safari, Chromium-based browsers, and native apps), iOS (global), and iPadOS (global) do not support persistent linking.

When an authenticator is not persistently linked, a QR code must be scanned on every use.

Native APIs  

  • Credential Manager is a new Android Jetpack API that supports multiple sign-in methods, including passkeys, in a single API, thus simplifying the integration for developers.

    Credential Manager API  

WebViews  

Embedded WebViews (EWV)  

WebView is the embedded WebView (EWV) on Android. Embedded WebViews allow the calling app full control over the embedded web session, including modifying and intercepting requests, so many web platform features are limited in these contexts.

WebAuthn is currently not directly supported in embedded WebViews on Android, but adding additional code can allow you to break out of the EWV to call the platform’s Credential Manager APIs.

This is documented at Android Developer: “Integrate Credential Manager with WebView .

NOTE:

Embedded WebViews run in the context of the calling app, meaning only passkeys for the linked web domain (RP ID) can be created or used for sign in.

Said differently, only use EWV when sign in is handled by your own service (non-federated). When supporting multiple identity providers, System WebView should be used (see below).

WebView docs @ Android Developer

System WebViews (SWV)  

Custom Tabs is the System WebView (SWV) on Android. All Web Platform features that are available in the user’s default browser, including WebAuthn, are available in a custom tab.

Sites loaded in Custom Tabs are isolated from the calling app and run in the context of the top level site, just like in a full browser. This means that sign in flows on third party domains, such as a federated identity provider, can use passkeys for signing in.

Custom Tabs docs @ Android Developer

User Verification Behavior  

Users can configure a device PIN, pattern, and/or biometric (fingerprint or face) as their device screen lock. When a user interacts with a passkey on Android, one of these available screen unlock methods is used for user verification.

When biometrics are not configured or available, both passkey creation and authentication fall back to asking for the device PIN or pattern.

Chrome 120  

  • When biometrics are not configured on Android, or not available on the device:
    • The behavior with both userVerification='required' and userVerification='preferred' are the same: it asks for the device PIN or pattern for both passkey creation and authentication. Since they fail locally if user verification fails, the server can always expect the UV flag to be true.
    • Calling PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns true.
  • When a device PIN or pattern are not configured on Android:
    • The behavior with both userVerification='required' and userVerification='preferred' are the same:
      • It asks for an external security key on passkey creation. The UV flag the server receives depends on the result of user verification with the external security key.
      • It asks the user to set up a device PIN or pattern on passkey authentication. Since they fail locally before a PIN or a pattern is configured, the server does not receive a response.
    • Calling PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable() returns false.

Resources  

Docs  

Videos  

Sample Code