Question about passkey fido ctap protocol

I've watched a video about Meet passkeys and I have a question. After key agreement has happened, the two devices connect to a relay server picked by the phone. I understand that the local part of the key agreement uses Bluetooth. After that, does the FIDO CTAP operation not use Bluetooth? Does it use Transmission Control Protocol? What happens if I turn off Bluetooth after the key agreement is finished? Can you explain in more detail how FIDO CTAP operates and how the client and authenticator exchange information after the two devices connect to a relay server?

Replies

Meet passkeys involve a two-step process: key agreement and FIDO CTAP operations. Let's break down the process and address your questions.

Key agreement: This step uses Bluetooth Low Energy (BLE) to establish a shared secret between the two devices (phone and authenticator). During this step, the devices perform a secure key exchange, allowing them to derive a shared secret that will be used for encrypted communication.

FIDO CTAP operations: After the key agreement is completed, the two devices connect to a relay server, which acts as a bridge for their communication. At this point, the FIDO Client-to-Authenticator Protocol (CTAP) comes into play. CTAP defines how the client and authenticator communicate to perform authentication operations like creating and using credentials. CTAP supports multiple transports for communication, such as USB, NFC, and BLE. However, since you mentioned that the devices connect to a relay server, it is likely that the CTAP communication is using Transmission Control Protocol (TCP) over the internet rather than Bluetooth.

If you turn off Bluetooth after the key agreement is finished, the communication between the two devices might still work as long as the devices have established a connection to the relay server via another transport like TCP. However, it's essential to ensure that the devices are connected to the internet via Wi-Fi or mobile data.

Once the devices are connected to the relay server, CTAP messages are exchanged between the client and authenticator. These messages include requests for creating credentials, signing, and various other operations. The relay server facilitates the exchange of these messages without being able to decrypt the content, as the communication is encrypted using the shared secret established during the key agreement process.

In summary, after the key agreement is completed using Bluetooth, the devices connect to a relay server, and FIDO CTAP operations are performed. The communication between the devices is encrypted and typically uses TCP over the internet. Turning off Bluetooth after the key agreement should not affect the CTAP communication as long as the devices are connected to the internet.
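The property the reply describes (the relay forwards CTAP frames it cannot read, and no Bluetooth is involved once the session key exists), as an added example that is not part of the original thread: a Go teaching model in which P-256 ECDH stands in for the Bluetooth-assisted key agreement and AES-GCM for the tunnel encryption. The real hybrid transport's Noise handshake, HKDF and message format are not reproduced; the request bytes are constructed.

```go
package main

import (
	"bytes"
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdh"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Teaching model of the reply's flow, NOT the real hybrid transport (Noise handshake, HKDF):
// ECDH stands in for the Bluetooth-assisted key agreement; the relay then carries only ciphertext.

func sessionKey(own *ecdh.PrivateKey, peer *ecdh.PublicKey) [32]byte { // ECDH secret -> AES-256 key
	shared, _ := own.ECDH(peer) // both keys are P-256, so ECDH cannot fail here
	return sha256.Sum256(shared) // stand-in KDF (assumption), not the spec's HKDF
}

// seal is the client side: the frame handed to the relay is nonce || ciphertext.
func seal(key [32]byte, ctap []byte) []byte {
	block, _ := aes.NewCipher(key[:]) // 32-byte key: neither constructor fails
	g, _ := cipher.NewGCM(block)
	nonce := make([]byte, g.NonceSize())
	rand.Read(nonce) // fresh random nonce per frame
	return g.Seal(nonce, nonce, ctap, nil)
}

// open is the authenticator side: verify the GCM tag, then decrypt one frame.
func open(key [32]byte, frame []byte) ([]byte, error) {
	block, _ := aes.NewCipher(key[:])
	g, _ := cipher.NewGCM(block)
	return g.Open(nil, frame[:g.NonceSize()], frame[g.NonceSize():], nil)
}

// RunExchange carries one CTAP request client -> relay -> authenticator and reports
// whether the authenticator recovered it and whether the relay saw the plaintext.
func RunExchange(request []byte) (recovered, relayLeak bool) {
	client, _ := ecdh.P256().GenerateKey(rand.Reader)
	auth, _ := ecdh.P256().GenerateKey(rand.Reader)
	frame := seal(sessionKey(client, auth.PublicKey()), request)
	relayLeak = bytes.Contains(frame, request) // frame is all the relay ever sees
	pt, err := open(sessionKey(auth, client.PublicKey()), frame)
	return err == nil && bytes.Equal(pt, request), relayLeak
}

func main() {
	fmt.Println(RunExchange([]byte("constructed CTAP request: authenticatorGetAssertion")))
}
```

Because only the two endpoints hold the session key, the relay can neither read nor undetectably alter a frame, which is why switching Bluetooth off after the key agreement does not matter in this model.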

  • Thanks. I'm from Korea and I want to test passkeys that use FIDO CTAP. Can you tell me which websites support passkey registration using QR scan?

  • It's an OS and browser feature, not a website feature. In a modern browser, any site that supports passkeys gets the "QR scan" feature for free. There's no additional work for the website to do.
