Webauthn via NFC/Bluetooth on PC

So I got a fun little new toy (pics later, it's after 21:00 when writing this and I am LAZY), the Feitian Multipass (K13), which - don't worry - will get its place in the shootout soon enough, but as the professors in Pokémon always tend to say, "Now it's not the time to do that", as I have something of a bit higher prio to get around to.

As the heading already says, I got Webauthn working on PC via both Bluetooth and NFC, but there are some things to keep in mind, so I am writing about these.

First up, as far as I am aware, browsers themselves can only deal with Webauthn via USB for now, so browser choice doesn't matter as long as they can do Webauthn in the first place.

Secondly, as browsers are not capable of running Webauthn over NFC or Bluetooth themselves currently, something else has to do it. Similar to how it is on Android, the OS has to step in, so we are pulling out the infamous candidate I always love to hate, Windows 10. Specifically, version 1903 or higher, as that was when this mess was introduced (it may work in 1809 with Edge, as around that time Edge itself gained Webauthn capabilities, but dunno right now).

3) For NFC, you obviously need an NFC reader and some drivers. Running NFC on PC was kinda an afterthought, as I didn't remember that I have an NFC reader until after I got my fun little toy. To be precise, I used a ReinerSCT cyberJack RFID Basis (while I am aware that it says RFID, the 2 are kinda similar and often enough used interchangeably, and the device was literally made for German e-identity cards, which also work over phone NFC, so there definitely is overlap). Also, you might need extra drivers depending on your reader.

4) For Bluetooth, I haven't seen anything special, so as long as the BT adapter is recognized and you can pair your FIDO device it should work; maybe you need drivers, I didn't really. Do note that at least 2 Bluetooth-enabled FIDO2 devices I am aware of (Multipass and Idem Card) have (according to their documentation) individualized PINs printed onto the device, which are needed for pairing to make sure a random script kiddie isn't getting ideas.

The procedures are kinda simple. If you have a BT FIDO device paired up, Windows will change the prompt from inserting the device into USB to turning on the Bluetooth device or inserting into USB, which literally means what it says: you turn the device on by pushing the button, and boom, you're in, no cables, no nothing.

If you have an NFC reader set up instead, it will ask you to tap your device [on the reader, in case it isn't obvious already] or connect it to USB. So far so stupid: you slap the thing onto your reader and you might be in. In case there are issues, it will ask you to tap again (potentially to verify user presence). If the device is already resting on the NFC pad before auth, it will just ask you to tap it (as user presence is generally needed in Webauthn scenarios), so that's an extra thing to do, lol.

I haven't yet got to try what Windows does if both NFC and BT are available in addition to USB, which always exists, as the closest thing I have to a personal machine with Windows 10 is about 1000km of road away (in the form of a remote PC) and the licensing model of VirtualHere plain SUX (locked to a single device, and transfers are generally not something you can expect), so I can only transfer one device at a time. Maybe I can get hold of a W10 device to try at work or whatever.

But I am positively surprised that the NFC reader from around December 2010 (the state threw a lot of money at getting cheap readers for the new ID card around, and I liked the tech idea already back then and got one in a PC magazine, so for about 4 or 5€ including a ton of fun content instead of like 30€ for basically just the reader) still works and can be used for more than its intended purpose. No idea how cheap or expensive "generic" NFC readers are, but I think it was worth it.

So that was me again, hope you check back when I write again, bye everyone!
