WebAuthn Kotlin is an open source toolkit for secure, password-less authentication in mobile apps. Developed in Kotlin, it integrates seamlessly with native Android apps and adheres to WebAuthn 2.0 standards, boosting security and user experience.

Designed to align with modern Android development, the SDK offers easy integration and customization. It equips developers with tools for advanced authentication, such as device credentials and biometrics, simplifying logins and enhancing security.

The PublicKeyCredential serves as the client within the authentication framework, interacting with the authenticator to carry out the authentication process and communicating with the relying party. It supports two primary operations for secure, password-less authentication:

• create(): Starts the process of generating new asymmetric key credentials via an authenticator.
• get(): Prompts the user to authenticate with a relying party using their existing credentials.

The PublicKeyCredential class is now designed for flexible use, allowing users to specify their desired authentication and attestation configurations directly.

To use PublicKeyCredential, you need to provide the following parameters when initializing the class:

• authenticationMethod: Define the method of authentication to use specific authenticator, such as biometric or device credential authenticator.
• attestationStatement: Specify the format for the attestation statement. This setup allows you to customize the credential management process according to your specific security requirements.

The RelyingParty establishes communication with your server to manage access to secure applications. In FIDO2, it generates and handles authentication requests, verifies responses from authenticators, and maintains user credentials, ensuring secure, password-less interactions between the client and server. Library users must implement the RelyingParty interface themselves.

The CredentialSourceStorage is an interface that defines the behavior of a database for handling a public key credential source and its signature counter.

• Android >= 9 (Pie) / API level >= 28

First, you need to create an implementation of the RelyingParty interface. This interface is crucial for handling communication with your server's FIDO2-compatible endpoints.

To help you get started with your implementation, we recommend checking out a sample application available on GitHub:

• webauthndemo-kotlin/RelyingParty

This sample provides a practical example of how to implement the RelyingParty interface in a real-world Android application. It will give you insights into integrating FIDO2 functionalities effectively with your server setup.

Next, you need to create an implementation of the CredentialSourceStorage interface to manage credential source and signature counter.

To help you get started with your implementation, we recommend checking out a sample application available on GitHub:

• webauthndemo-kotlin/CredentialSourceStorage

Once you have your relying party and credential storage implementation ready, you can initialize the public key credential.

val rp = YourRelyingParty()
val db = YourCredentialSourceStorage()

// You can use a biometric authenticator.
val publicKeyCredential = PublicKeyCredential(
    rpClient = rp,
    db = db,
    authenticationMethod = AuthenticationMethod.Biometric,
    attestationStatement = AttestationStatementFormat.NONE,
)

// ,or you can use a device credential.
val publicKeyCredential = DeviceCredential(
    rpClient = rp,
    db = db,
    authenticationMethod = AuthenticationMethod.DeviceCredential,
    attestationStatement = AttestationStatementFormat.NONE,
)

// You can use attestation using AttestationStatementFormat.ANDROID_KEY.
val publicKeyCredential = DeviceCredential(
    rpClient = rp,
    db = db,
    authenticationMethod = AuthenticationMethod.Biometric,
    attestationStatement = AttestationStatementFormat.ANDROID_KEY,
)

Here, activity refers to the instance of your current Activity from which you are initiating the authentication process. This allows the PublicKeyCredential to interact with the user interface for authentication.

Before using the create and get methods of publicKeyCredential, configure options and fido2PromptInfo according to your needs. These configurations will be used for both registration and authentication processes.

When you call the create method to register a new credential, or the get method to authenticate using an existing credential, the methods will return a Result<Unit> type:

Register a new credential using the create method:

val result: Result<Unit> = publicKeyCredential.create(
    activity = activity,
    options = registrationOptions,
    fido2PromptInfo = fido2PromptInfo,
)

Authenticate using an existing credential with the get method:

val result: Result<Unit> = publicKeyCredential.get(
    activity = activity,
    options = authenticationOptions,
    fido2PromptInfo = fido2PromptInfo,
)

Apache License 2.0. See LICENSE.

We are dedicated to making our work open-source to assist with your specific needs. We are eager to learn how this library is being utilized and the issues it resolves for you. To communicate, we recommend the following approach:

• For reporting bugs, proposing improvements, or asking questions about the library, please utilize the Issues section of our GitHub repository. Your feedback is invaluable in helping us address your concerns more effectively and enhances the community's experience.

Please avoid sharing any sensitive or confidential information in the issues. If there is a need to discuss sensitive matters, please indicate so in your issue, and we will arrange a more secure communication method.