ESP32 WebAuthN Authenticator

ESP32 based implementation of FIDO2 WebAuthN Authenticator

I am going to build a WebAuthN authenticator device using an ESP32 module.

Earlier this year the new standard for secure passwordless authentication was submitted to the W3C. Major browsers are already in the process of implementing this standard, so we can expect that this kind of authentication will be available to end users very soon. Meanwhile I was playing with the ESP32 development board, which features Bluetooth Low Energy connectivity. I think it will be extremely interesting to build a personal authenticator device.

  • 1 × ESP32 development board

  • Next boring update

    Andrey Ovcharov, 3 days ago

    During the last two weeks I continued to work on the ESP32 part of this project. I needed to figure out how the notification system works internally (I could not make it work properly) and had to check the source code of the Arduino BLE library. In fact it's a very thin wrapper around functions provided by the ESP IDF framework, and I have tried to run some examples from there. They worked really well, and I have rewritten the whole project without the Arduino framework. The footprint of the application became 30% smaller with the same functionality.

    So, at the moment the ESP32 advertises itself as a FIDO2 device, handles the BLE connection and receives commands from the browser. I was able to process the GetInfo command and respond with the device's capabilities.

    The next step would be to process the MakeCredential command and create a new credential for the user. It's more complex and I assume it'll take a few weeks to complete.

  • (Bi)Weekly Update

    Andrey Ovcharov, 08/05/2019 at 09:49

    Last (and previous) weekends I've spent on a real implementation of the FIDO2 WebAuthN protocol. In reality the problem is deeper and more difficult than I was thinking before, so I have re-implemented the GATT server on Android to have a higher-level language and libraries and better debugging capabilities.

    At the moment I have a fully working "Make Credential" workflow with proper certificate generation and response signing.

    Meanwhile I have found two interesting glitches in Google's implementation of FIDO2.

    The first one is more likely an inaccurate protocol definition. In the authenticatorMakeCredential section, in the response definition, we have the parameters authData and fmt with the respective map indexes (0x01) and (0x02). In reality Chrome requires a response with these parameters swapped: the fmt parameter should have index 0x01 and the authData parameter should have index 0x02. Hopefully the documentation and implementation will be more consistent in the future.

    The second glitch is related to the user interface, and you can clearly see it in the video. When communication with the Authenticator is about to start, Chrome displays a dialog window asking which authenticator device should be used. But in the background the communication with the paired device is already being performed. So, the user interface is totally misleading. The user has no clue that they already have to open the Authenticator device and perform all necessary steps with it. But this is a question for the Chrome dev team on how to improve the interface.

  • Weekly update

    Andrey Ovcharov, 07/22/2019 at 08:27

    Last weekend I could play a bit more with the ESP32 board to implement the BLE transport for the FIDO2 WebAuthN protocol. The great BLE library helped me a lot. Now my developer board advertises itself as an Authenticator and provides the four required endpoints to communicate. Google Chrome is able to detect the device and tries to connect to it. However, the endpoints just do nothing at the moment and authentication fails with an error.

    As well, I have discovered a great chip for Secure Authentication, the ATECC508A. From the datasheet details it looks like it could provide all the necessary security procedures and store 16 user keys.

    I'm thinking about whether 16 keys is enough or not. From my perspective it's quite a decent amount: a user can use the secure authenticator device to log in to major and most important accounts like Google or GitHub and use them as an OAuth provider later. If not, the ESP32 board has 4Mb flash memory onboard which can be used to store more keys, but not as securely.

  • Starting the project

    Andrey Ovcharov, 07/18/2019 at 10:01

    I am working with web authentication at work, and recently I have started to play with the ESP32 development board. The device has a Bluetooth Low Energy (BLE) feature, which is supported by the FIDO2 WebAuthN specification as a communication protocol. Now I'm curious whether one can build a secure web authentication device.

    The FIDO2 Web Authentication specification is available here.

    From my understanding I need to implement two information profiles: 'Device Information' and 'FIDO2'. A great tutorial on how to implement a BLE server can be found here. Following this tutorial I could make the ESP32 visible through a Bluetooth connection and expose device information.

    The next step should be the FIDO2 implementation.
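The MakeCredential response layout discussed in the (Bi)Weekly Update above, as an added example that is not part of the original project (which targets the ESP32 in C): a minimal CBOR encoder, the WebAuthn authData byte layout, and the response map with fmt at index 0x01, authData at 0x02 and attStmt at 0x03. The "none" attestation format, the all-zero AAGUID, the credential id and the COSE key coordinates are constructed placeholders, not real key material.

```python
import hashlib
import struct

# Added example (not the project's own code): encode a CTAP2
# authenticatorMakeCredential response with a minimal CBOR encoder, using the
# map indices Chrome accepts as described in the log: 0x01 fmt, 0x02 authData,
# 0x03 attStmt. No external CBOR library is required.

def _head(major, length):
    """CBOR initial byte(s) for a major type and a length or integer value."""
    if length < 24:
        return bytes([(major << 5) | length])
    if length < 0x100:
        return bytes([(major << 5) | 24, length])
    if length < 0x10000:
        return bytes([(major << 5) | 25]) + struct.pack(">H", length)
    return bytes([(major << 5) | 26]) + struct.pack(">I", length)

def cbor(value):
    """Encode int, bytes, str and dict in CTAP2 canonical CBOR form."""
    if isinstance(value, int):
        return _head(0, value) if value >= 0 else _head(1, -1 - value)
    if isinstance(value, bytes):
        return _head(2, len(value)) + value
    if isinstance(value, str):
        data = value.encode("utf-8")
        return _head(3, len(data)) + data
    if isinstance(value, dict):
        # Canonical ordering: shorter encoded keys first, then bytewise.
        items = sorted(((cbor(k), cbor(v)) for k, v in value.items()),
                       key=lambda kv: (len(kv[0]), kv[0]))
        return _head(5, len(items)) + b"".join(k + v for k, v in items)
    raise TypeError("unsupported CBOR type: %r" % type(value))

FLAG_UP, FLAG_UV, FLAG_AT = 0x01, 0x04, 0x40  # user present / user verified / attested data

def build_auth_data(rp_id, sign_count, aaguid, cred_id, cose_key, flags=FLAG_UP | FLAG_AT):
    """authData = rpIdHash(32) | flags(1) | signCount(4, big-endian) | attestedCredentialData."""
    rp_id_hash = hashlib.sha256(rp_id.encode("utf-8")).digest()
    attested = aaguid + struct.pack(">H", len(cred_id)) + cred_id + cbor(cose_key)
    return rp_id_hash + bytes([flags]) + struct.pack(">I", sign_count) + attested

def make_credential_response(auth_data, fmt="none", att_stmt=None):
    """CTAP2_OK status byte (0x00) followed by the CBOR response map."""
    return b"\x00" + cbor({1: fmt, 2: auth_data, 3: att_stmt or {}})

# Constructed sample: all-zero AAGUID, placeholder credential id, and a P-256
# COSE_Key (kty=2 EC2, alg=-7 ES256, crv=1) with dummy coordinates, not a real key.
SAMPLE_COSE_KEY = {1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32}
SAMPLE_AUTH_DATA = build_auth_data("example.com", 1, b"\x00" * 16, b"\xaa" * 16, SAMPLE_COSE_KEY)
SAMPLE_RESPONSE = make_credential_response(SAMPLE_AUTH_DATA)
```

For a real authenticator the attStmt map would carry the "packed" attestation signature and certificate chain the log mentions, and the sign counter must increase on every assertion so the relying party can detect cloned credentials.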
