Airlock 2FA on GrapheneOS? #4
Comments
Hi jonathancross, The Airlock 2FA app is officially supported only for devices running iOS or Android operating systems, and for the latter, having the Google services up and running. Nevertheless, we are aware of reports from a few users that were able to install and use the app in some alternative setups like for instance devices running the e OS (https://e.foundation). We haven't heard from any user running GrapheneOS but it should be similar in most aspects. In your case, we have understood that the app seems to run correctly, but the enrollment seems to fail. Such failure can have multiple causes:
Please note: the majority of the app's functionalities may work in such a setup, but some may not work. It may be that push notifications are not delivered since they rely on Google's Firebase messaging. You will still be able to authenticate by manually opening the app during authentication. I hope this helps. If not, can you provide us with more details as to what seems to be working and where the problems start? mike
Thank you Mike!
Well, it doesn't even fail... the QR code scanning for enrollment loads the camera, shows me the target, but simply doesn't recognize the QR code my bank is displaying. No error is shown by the app at all, it just continues to act as though the QR code is not on screen yet. I've tried zooming (larger QR code), moving phone closer, farther, holding still for 30+ seconds, etc. The built-in QR code scanner works fine and scans the QR code in < 1 sec. NOTE: This enrollment process works fine with Airlock 2FA running on an Android phone.
Okay, that is a very tight window. Okay, I checked and time is perfect. Still, I would expect an error message (e.g. "bad TOTP") if the time sync fails, correct?
The bank is working with Airlock 2FA exclusively. Enrollment and authentication are currently working perfectly from Android phones. After a few minutes, the bank website shows an error and says to try again, but I think it is just a normal timeout. Given that I can scan the QR code data (with the built-in app) -- Is it easy to decode this QR code value to something I can manually input into the app?
Yes, of course. I'm prepared to deal with these small pieces of missing functionality. Thanks! Edit: Updates made above after trying your suggestions.
RE: Google's SafetyNet attestation service vs hardware attestation... Generally, Android apps work perfectly on Graphene, unless they assume access to a feature which the OS restricts for privacy / security reasons. Any suggestions where I might look?
Thanks for the additional information.
I would suggest that you investigate the security settings for the sensors. It may be that the Airlock 2FA is not able to scan the QR code because it is not allowed to use the camera. This would of course work in the native camera app. I hope this helps!
The camera seems to be working fine, shows video in the app with overlay of the QR code "target", etc. RE: Sensors... No permissions are denied to the app. I don't think there is anything I can necessarily do, but are there particular other sensors that the app uses?
Any info you can provide about decoding the QR data for manual input? Thanks.
Our app uses the underlying features of the operating system to scan and interpret QR codes. GrapheneOS provides this tiny bit of information on the camera:
Since you wrote earlier that the Airlock 2FA app seems to work with the "Google Play Services" installed, I think you already have this compatibility layer. So as a result, I would expect the app to work, even if Graphene OS is not on our list of supported operating systems. Unfortunately, the implementation of an enrollment service that does not require a camera is still quite some time in the future. I am sorry that I was not able to be of more assistance to resolve this issue. Should you gain more insights into what is causing your problem (e.g. local logs from your operating system) or even better find a working solution, please let us know. regards, mike
Yes, it is installed and set up. I also expected it to just work.
The app has a tab for "Manual Entry" of an "activation code"... Is this not a way to enroll without QR code?
Yes, the app already supports this functionality but the server does not (yet) support it. As I wrote, this feature is on the roadmap, but it is still quite some time in the future. I cannot be more specific since the implementation of the feature is one thing but then there is also deployment into the production environment of your specific service provider. This takes at least several months up to several years.
Hello @orltom,
I was not able to find a repo for the actual Airlock 2FA Android app, so please excuse me adding this here.
I am trying to use this app on GrapheneOS (a fork of AOSP).
The app seems to be working fine with Google Play Services installed, but simply doesn't recognize the account setup QR code.
Any tips / suggestions would be appreciated.
Thanks!
Cross posted: https://www.reddit.com/r/GrapheneOS/comments/wpqhkm/airlock_2fa_app_on_grapheneos/