I am looking for the use case/scenario for setting up a smartphone as an authenticator using the CTAP2 specification.
I am looking for the use case in which a user sets up the browser to interact with their smartphone the same way it would when using a YubiKey or another similar security key. I have read all the documentation related to it, but unfortunately what I always get is an article using YubiKeys / other USB devices as the authenticator. I am looking for some interaction where the mobile phone serves as a roaming authenticator.
By having a look at the documentation and the CTAP specification, conceptually I know this can be done by having some connection between the phone and the host via:
After the connection is established, the mobile authenticator could then implement the CTAP2 protocol so that the browser considers it a roaming authenticator. I am also looking forward to seeing the authentication process using some BLE-enabled device. I have already tried logging in using a YubiKey security key on a website. But I want to achieve the same login flow using a Bluetooth-enabled Thetis BLE key or the mobile phone itself.
Any insights would be very helpful. I am also looking forward to a mutual discussion with people working on this particular use case.
First, you need to follow this spec to develop your roaming authenticator. The FIDO2 standard is recommended if you start the development now. There are 2 modules which may take your time to research and develop for your authenticator: BLE and the FIDO crypto logic. This is the hardest work because there is no open source published for reference; you must work entirely from the spec.
Second, you can use one of these clients to test your authenticator while developing:
Note: It's not convenient to do an iOS authenticator now. Please check this issue to see why.
Third, you may use the FIDO Conformance Tools to validate your authenticator.
Finally, you may go get certified and register on the MDS if needed.
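As an added example (not code from the question or the answer above), here is the CTAPBLE framing layer that the BLE module of a phone or Thetis-style key has to implement before the browser's CTAP2 requests can reach it: the command bytes, header layout, fragment sizes and sequence rules follow the CTAP specification, while the sample request bytes are constructed.

```python
# Added example, not from the question or answer above: the CTAPBLE framing
# that a phone (or Thetis-style key) must implement so a browser can talk
# CTAP2 to it over Bluetooth. Each request/response is cut into fragments no
# larger than the control-point length the authenticator advertises (20..512).
#   initialization fragment: CMD (high bit set) | HLEN | LLEN | data
#   continuation fragment:   SEQ (0x00..0x7F, wrapping)   | data
from typing import List, Tuple

CTAPBLE_PING, CTAPBLE_KEEPALIVE, CTAPBLE_MSG = 0x81, 0x82, 0x83
CTAPBLE_CANCEL, CTAPBLE_ERROR = 0xBE, 0xBF

# Constructed stand-in for a CTAP2 request: command byte 0x01
# (authenticatorMakeCredential) followed by 199 placeholder CBOR bytes.
SAMPLE_REQUEST = bytes([0x01]) + bytes(range(199))


def fragment(cmd: int, payload: bytes, mtu: int) -> List[bytes]:
    """Split one CTAP message into BLE fragments of at most `mtu` bytes."""
    if not 20 <= mtu <= 512:
        raise ValueError("control point length must be 20..512 bytes")
    if cmd & 0x80 == 0:
        raise ValueError("command byte must have the high bit set")
    if len(payload) > 0xFFFF:
        raise ValueError("payload longer than the 16-bit length field allows")
    frames = [bytes([cmd, len(payload) >> 8, len(payload) & 0xFF]) + payload[: mtu - 3]]
    pos, seq = mtu - 3, 0
    while pos < len(payload):  # continuation fragments carry mtu-1 data bytes
        frames.append(bytes([seq]) + payload[pos : pos + mtu - 1])
        pos, seq = pos + mtu - 1, (seq + 1) & 0x7F
    return frames


def reassemble(frames: List[bytes]) -> Tuple[int, bytes]:
    """Rebuild (cmd, payload), rejecting bad headers, sequence gaps and length mismatches."""
    first = frames[0]
    if len(first) < 3 or not first[0] & 0x80:
        raise ValueError("first fragment is not an initialization fragment")
    cmd, total = first[0], (first[1] << 8) | first[2]
    payload, expected_seq = bytearray(first[3:]), 0
    for frame in frames[1:]:
        if not frame or frame[0] != expected_seq:  # out-of-order or replayed fragment
            raise ValueError("unexpected sequence number")
        payload += frame[1:]
        expected_seq = (expected_seq + 1) & 0x7F
    if len(payload) != total:
        raise ValueError("reassembled length does not match header")
    return cmd, bytes(payload)


if __name__ == "__main__":
    frames = fragment(CTAPBLE_MSG, SAMPLE_REQUEST, mtu=20)
    print(len(frames), "fragments;", reassemble(frames) == (CTAPBLE_MSG, SAMPLE_REQUEST))
```

The same fragmentation applies in both directions, so an authenticator reuses `fragment` for its CBOR response and the host reuses `reassemble`; a dropped or reordered BLE notification is caught by the sequence check rather than silently corrupting the CTAP message.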