Reputation: 478
The W3C recently approved Web Authentication: An API for accessing Public Key Credentials, commonly referred to as WebAuthn.
In section 6.2.1 the recommendation states, "For example, a platform authenticator integrated into a mobile device could make itself available as a roaming authenticator via Bluetooth. In this case the client would recognize it only as a roaming authenticator, and not as a platform authenticator."
Are there any code examples available anywhere for creating a WebAuthn roaming authenticator on a mobile device and making it available by Bluetooth Low Energy?
The article, The ultimate account security is now in your pocket, promised that your Android phone could be used as a roaming authenticator to sign into your Google account (just your Google account; a modest but good start).
I was able to associate my new Pixel 3A phone as a security key to my Google account:
When I go to authenticate I get the following screen on my web authentication page in the Chrome browser:
However, nothing happens on my phone. The process just times out.
Has anyone gotten even this basic example to work?
Yes, Bluetooth is turned on in both my workstation (running the latest version of Windows 10) and my Pixel 3A (running Android Pie); I can pair the devices.
Upvotes: 2
Views: 1664
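As an added example (not code from the question, the spec, or the Google blog post), this is the relying-party side of what the question describes: requesting a roaming (cross-platform) authenticator through the browser's WebAuthn API and then checking which transports the new credential reports, so that a credential created by the built-in platform authenticator rather than the phone over BLE can be detected. The RP id, user, challenge and mock credential are constructed placeholders.

```javascript
// Added example, not the page's or the project's own code. Hypothetical RP id,
// user and challenge; the challenge would come from the server in practice.
const ROAMING_TRANSPORTS = new Set(["usb", "nfc", "ble", "hybrid"]);

// Creation options that only accept roaming authenticators. "cross-platform" is
// the AuthenticatorAttachment value the spec defines for roaming authenticators.
function buildRoamingCreationOptions(rpId, userId, challenge) {
  return {
    rp: { id: rpId, name: rpId },
    user: { id: userId, name: "alice@example.com", displayName: "Alice (constructed)" },
    challenge,                                           // server-generated, single use
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform",         // roaming only
      userVerification: "preferred",
    },
    timeout: 60000,
    attestation: "none",
  };
}

// Classify a credential from the transports the authenticator reported.
// "internal" alone means a platform authenticator; a phone reached over
// Bluetooth reports "ble" and is seen by the client only as roaming (spec 6.2.1).
function classifyAttachment(transports) {
  const t = new Set(transports || []);
  if ([...t].some((x) => ROAMING_TRANSPORTS.has(x))) return "roaming";
  if (t.has("internal")) return "platform";
  return "unknown";
}

// Drive the client API (navigator.credentials in a browser; injectable for tests)
// and refuse a credential that did not come from a roaming authenticator.
async function registerRoamingCredential(rpId, userId, challenge,
                                         credentials = globalThis.navigator?.credentials) {
  if (!credentials) throw new Error("WebAuthn client API not available");
  const cred = await credentials.create({
    publicKey: buildRoamingCreationOptions(rpId, userId, challenge),
  });
  const transports = typeof cred.response.getTransports === "function"
    ? cred.response.getTransports() : [];
  const attachment = classifyAttachment(transports);
  if (attachment !== "roaming") {
    throw new Error(`expected a roaming authenticator, got ${attachment}`);
  }
  return { id: cred.id, transports, attachment };
}
```

Browsers that predate `getTransports()` return no transport list, so the check degrades to "unknown"; the "hybrid" transport value only exists in newer spec levels and is absent from the Level 1 text the question cites.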
Reputation: 478
OK. The good news is that after a complete uninstall of Chrome and then a fresh reinstall, the WebAuthn process for Google accounts now works with my new Pixel 3A phone. https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/
I had used a Yubico security key previously. I suspect there was an association to that key that was married to my Google account.
The major issue still remains: the lack of a clear reference implementation for roaming authenticators. https://github.com/w3c/webauthn/issues/1221
Upvotes: 0