1

CTAP2 allows apps on mobile phones to act as roaming authenticators. An app may implement the protocol over one or more of the supported transports.

However, there are use cases where the web or native app being accessed would be run on the same mobile device as the roaming authenticator. Can this use case be supported by CTAP2?

PS: Why is there no ctap or ctap2 tag? I used 'fido' as a proxy.

Frank

1 Answer

1

> However, there are use cases where the web or native app being accessed would be run on the same mobile device as the roaming authenticator. Can this use case be supported by CTAP2?

CTAP defines a protocol that is used between devices. For apps to provide credentials on the same device, the OS of that device would need to support them plugging into the standard APIs.

We (Google) said yesterday, “Please stay tuned for more updates from us in the next year as we introduce changes to Android, enabling third party credential managers to support passkeys for their users.” But I believe that's the most that any of the platforms have said on this point so far.

agl
  • I am interested in driving forward changes that allow apps that manage EC keypairs to act as authenticators. – Frank Oct 13 '22 at 21:00
  • By the way, I do not see anything explicit in the CTAP spec that supports the assertion that CTAP2 is for *between devices*. The implicit indicators look more like oversights or that someone forgot a "loopback" transport. – Frank Oct 13 '22 at 21:12
  • It's not impossible for a platform to use CTAP internally, if it wishes. But none do to my knowledge. – agl Oct 17 '22 at 20:55