[wip]

Author: gaultier

docs/kratos/passwordless/08_deviceauthn.mdx

@@ -16,7 +16,7 @@ Currently, this authentication strategy can only be used as a second factor. It
 
 ## Short summary
 
-- This is implemented with the strategy `DeviceAuthn`, in spirit similar to `WebAuthn`
+- This is implemented in the OEL version with the strategy `DeviceAuthn`, in spirit similar to `WebAuthn`
 - The settings flow is used to manage keys (create, delete)
 - The login flow is used to step-up the AAL to AAL2, or in the future AAL3
 - Using the admin API, it is possible to delete all keys for a device on behalf of the user in case of theft or loss
@@ -35,7 +35,107 @@ Currently, this authentication strategy can only be used as a second factor. It
 - TEE: Trusted Execution Environment
 - CA: Certificate Authority
 
-## Enrollment
+## Guides
+
+### How to implement Device Binding in your Android application
+
+We recommend using the Ory Java SDK to communicate with Kratos, although this is not required. Code snippets here use this SDK, and are written in Kotlin.
+
+Since Device Binding only is supported on native devices (not in the browser), all corresponding API calls should be done using the endpoints for native apps, to avoid having to pass cookies around manually.
+
+1. Ensure that the `DeviceAuthn` strategy is enabled in the Kratos configuration. This strategy implements the settings and login flow. This is done so:
+    ```yaml
+    selfservice:
+      methods:
+        deviceauthn:
+          enabled: true
+    ```
+1. Implement a runtime check for the Android version. If is lower than 24, Device Binding may not be used, and a fallback should be found, for example using passkeys.
+1. Device Binding is (currently) only a second factor, the UI should only show existing Device Binding keys and related buttons (e.g. to add a key) if the user is currently logged in. This can be confirmed with a `whoami` call.
+1. Create a [settings flow for native apps](https://www.ory.com/docs/reference/api#tag/frontend/operation/updateSettingsFlow). The response contains the list of existing Device Binding keys.
+1. To delete an existing key, [complete the settings flow](https://www.ory.com/docs/reference/api#tag/frontend/operation/updateSettingsFlow) like this:
+   ```kotlin
+   val clientKeyIdToDelete = "..."
+
+   val apiClient = Configuration.getDefaultApiClient()
+   val apiInstance = FrontendApi(apiClien)
+   val body = UpdateSettingsFlowBody()
+   val method = UpdateSettingsFlowWithDeviceAuthnMethod()
+   method.method = "deviceauthn"
+   method.delete = UpdateSettingsFlowWithDeviceAuthnMethodDelete()
+   method.delete!!.clientKeyId = clientKeyIdToDelete
+   body.actualInstance = method
+   val updatedFlow = apiInstance.updateSettingsFlow(settingsFlow?.id, body, sessionToken, "")
+   ```
+   Once the key has been deleted server-side, it is fine (although not required) to also delete it on the device using the KeyStore API.
+1. To add a new key, [complete the settings flow](https://www.ory.com/docs/reference/api#tag/frontend/operation/updateSettingsFlow) like this:
+   ```kotlin
+   val apiClient = Configuration.getDefaultApiClient()
+   val withStrongbox = false // Better: Detect the presence of StrongBox at runtime.
+
+   val keyAlias = UUID.randomUUID().toString()
+   val nonce = extractNonceFromUiNodes(settingsFlow?.ui?.nodes ?: emptyList())
+   if (nonce == null) {
+       throw Exception("No nonce found in UI. Is DeviceAuthn enabled server-side?")
+   }
+   val keyCertChain = Api.create().createKeyPair(keyAlias, nonce, withStrongbox)
+   val apiInstance = FrontendApi(apiClient)
+   val body = UpdateSettingsFlowBody()
+   val method = UpdateSettingsFlowWithDeviceAuthnMethod()
+   method.method = "deviceauthn"
+   method.add = UpdateSettingsFlowWithDeviceAuthnMethodAdd()
+   method.add!!.deviceName = "My work phone"
+   method.add!!.clientKeyId = keyAlias
+   method.add!!.certificateChainAndroid = keyCertChain.map { it.encoded }.toList()
+   body.actualInstance = method
+   val updatedFlow = apiInstance.updateSettingsFlow(settingsFlow?.id, body, sessionToken, "")
+   ```
+   Once a key is created, the KeyStore APIs can be used to list all keys, query a key using its id, etc. However we recommend that the application keeps track of what keys were created to know which ones can be used on the device, compared to which keys belong to the same identity but reside on other devices.
+   Note that there is a maximum number of keys that can be created for an identity, and there is no point to create multiple keys for the same user on the same device, even though the server allows it.
+1. To use a key to step-up the AAL, [complete the settings flow](https://www.ory.com/docs/reference/api#tag/frontend/operation/updateSettingsFlow) like this:
+   ```kotlin
+   val clientKeyId = "..."
+   val nonce = extractNonceFromUiNodes(flow?.ui?.nodes ?: emptyList())
+   if (nonce == null) {
+       throw Exception("No nonce found in UI")
+   }
+
+   val updateMethod = UpdateLoginFlowWithDeviceAuthnMethod()
+   updateMethod.clientKeyId = clientKeyId
+   updateMethod.method = "deviceauthn"
+   updateMethod.signature = Api.create().launchBiometricSigner(
+       context as FragmentActivity,
+       clientKeyId,
+       nonce,
+       "Confirm",
+       "Cancel"
+   )
+
+   val updateBody = UpdateLoginFlowBody()
+   updateBody.actualInstance = updateMethod
+
+   val apiClient = Configuration.getDefaultApiClient()
+
+   withContext(Dispatchers.IO) {
+       val apiInstance = FrontendApi(apiClient)
+       val res = apiInstance.updateLoginFlow(
+           /* flow = */ flow.id,
+           /* updateLoginFlowBody = */ updateBody,
+           /* xSessionToken = */ sessionToken,
+           /* cookie = */ ""
+       )
+   }
+   ```
+
+When running Kratos in development mode, some server-side checks are relaxed, which allows for using the Android emulator to create and use keys. The Android emulator create keys in software.
+
+When running Kratos in production mode, only hardware-resident keys are accepted, and thus the Android emulator cannot be used to create or use keys.
+
+
+
+## Reference
+
+### Enrollment
 
 1. The `DeviceAuthn` strategy is enabled in the Kratos configuration. This strategy implements the settings and login flow. This is done so:
     ```yaml
@@ -63,35 +163,35 @@ Currently, this authentication strategy can only be used as a second factor. It
 
 At this point the key is enrolled for the identity.
 
-## Proof of device enrollment
+### Proof of device enrollment
 
 1. When the user creates the login flow with the DeviceAuthn strategy, the client receives a server challenge.
 2. Using the private key in the hardware of the device, the client signs the server challenge using ECDSA. The signature is only emitted after a biometric/PIN prompt has been passed. The client then sends the signature to the server using the login flow update endpoint.
 4. The server:
-    2. Checks that the signature is valid using the recorded public key in the database
-    3. Checks that no CA in the certificate chain (when the device has been enrolled) has been revoked
-    9. Erases the challenge value in the database to prevent re-use.
-    6. Replies with 200 with a fresh session token and a higher AAL e.g. AAL2 or AAL3
+    1. Checks that the signature is valid using the recorded public key in the database
+    1. Checks that no CA in the certificate chain (when the device has been enrolled) has been revoked
+    1. Erases the challenge value in the database to prevent re-use.
+    1. Replies with 200 with a fresh session token and a higher AAL e.g. AAL2 or AAL3
 
-## Key Revocation
+### Key Revocation
 
 - The user can revoke a key themselves (e.g. because the device is stolen, lost, broken, etc) using the settings flow.
   This action can be done from any device (e.g. from the browser), as it is the case for other methods e.g. WebAuthn.
 - An admin using the admin API can revoke all keys on a device on behalf of the user. This is useful when the user only owns one device which is the one that should be revoked (e.g. one mobile phone) and which has been lost/stolen
 
 Revocation is done by removing the key from the database.
 
-## Device list
+### Device list
 
 The settings flow contains all keys for the identity. This is used to present the list of keys (including device name) in the UI.
 
-## Key lifecycle on the device
+### Key lifecycle on the device
 
 - Creation: When the device enrollment process is started for the user
 - Deletion:
     - When the app is uninstalled or when the phone is reset, the mobile OSes automatically remove all keys for the app. This means that if the device was enrolled, the public key subsists server-side but the private key does not exist anymore, so no one can sign any challenge for this public key. This database entry is thus useless, but poses no security risks.
 
-## Cryptography
+### Cryptography
 
 The security of this design relies on a chain of trust anchored in hardware and standard cryptographic primitives.
 
@@ -101,7 +201,7 @@ The security of this design relies on a chain of trust anchored in hardware and
 - **Certificate Chains**: **X.509 certificates** are used to establish the chain of trust. The device's attestation is signed by a key that is, in turn, certified by a platform authority (Apple or Google), ensuring the attestation's authenticity.
 - **No configurability**: Intentionally, for simplicity, performance, auditability, and to avoid downgrade attacks, all cryptographic primitives are fixed.
 
-## Attack Surface and Mitigations
+### Attack Surface and Mitigations
 
 
 
@@ -159,15 +259,15 @@ The security of this design relies on a chain of trust anchored in hardware and
     - **Mitigation**:
         - **Challenge bound to the identity id**: The challenge is bound to the identity in the database (stored in the same row). Since the identity is detected from the session token, an attacker cannot tamper with the identity id (unless they steal the session token, at which point they *are* the user, from the server perspective).
 
-## Comparison with WebAuthn and Passkeys
+### Comparison with WebAuthn and Passkeys
 
 It is useful to compare this custom implementation with the FIDO WebAuthn standard and the user-facing concept of Passkeys. While they share core cryptographic principles, their goals and scope are fundamentally different.
 
-### Similarities
+#### Similarities
 
 - **Core Cryptography**: Both approaches are built on public-key cryptography (typically ECDSA), and use a challenge-response protocol
 
-### Key Differences
+#### Key Differences
 
 - **Standard vs. Proprietary**
     - **WebAuthn/Passkeys**: An open, interoperable standard from the W3C and FIDO Alliance, designed to work across different websites, apps, browsers, and operating systems.
@@ -179,7 +279,7 @@ It is useful to compare this custom implementation with the FIDO WebAuthn standa
     - **WebAuthn/Passkeys**: Attestation is an **optional** feature. While a server can request it to verify the properties of an authenticator, many services skip it in favor of a simpler user experience. The focus is on proving possession of the key, not on scrutinizing the device itself.
     - **This Design**: Attestation is **mandatory and central** to the entire security model. The main purpose of the enrollment ceremony is for the server to validate the device's hardware and software integrity.
 
-## References
+### Reference documentation
 
 - Android: [https://developer.android.com/privacy-and-security/security-key-attestation](https://developer.android.com/privacy-and-security/security-key-attestation)
 - iOS: [https://developer.apple.com/documentation/devicecheck/validating-apps-that-connect-to-your-server](https://developer.apple.com/documentation/devicecheck/validating-apps-that-connect-to-your-server) and [https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity](https://developer.apple.com/documentation/devicecheck/establishing-your-app-s-integrity)