--- title: Google Smart Lock for All date: 2018-09-05T13:14:13+00:00 modified: 2018-09-05T13:14:13+00:00 image:: https://kaspars.net/wp-content/uploads/2018/09/u2f-smart-lock-app.png permalink: https://kaspars.net/blog/u2f-google-smart-lock post_type: post author: name: Kaspars avatar: https://reverse.kaspars.net/gravatar/avatar/92bfcd3a8c3a21a033a6484d32c25a40b113ec6891f674336081513d5c98ef76?s=96&d=mm&r=g category: - Cryptography - WordPress --- # Google Smart Lock for All [Google Smart Lock](https://support.google.com/accounts/answer/6103523) is an app [for iOS](https://itunes.apple.com/us/app/google-smart-lock/id1152066360) and Android devices that can talk to U2F security keys over bluetooth and NFC. Wouldn’t it be great to use it with the [WordPress Two Factor plugin](https://wordpress.org/plugins/two-factor/)? Turns out the app registers a custom `u2f-google` URL protocol with the iOS which can be used by any other app (including the Safari browser) to open the app with the necessary payload for the U2F authentication, which has the following format: ``` u2f-google://auth?data=PAYLOAD&returnUrl=RETURNURL ``` where `PAYLOAD` is a JSON string (urlencoded twice) with the following schema: ``` { "type": "u2f_sign_request", "appId": "https://www.gstatic.com/securitykey/origins.json", "challenge": "CHALLENGEFROMTHEAPP", "registeredKeys": [{ "version": "U2F_V2", "keyHandle": "UNIQUEKEYHANDLE", "transports": ["usb"] }, { "version": "U2F_V2", "keyHandle": "UNIQUEKEYHANDLE", "transports": ["ble", "usb", "nfc"] }], "timeoutSeconds": 180, "requestId": 123456789, "displayIdentifier": "NAME@EXAMPLE.COM" } ``` where `CHALLENGEFROMTHEAPP` is a cryptographic challenge generated by the U2F client (the WordPress plugin) and `registeredKeys` is a list of all the registered U2F devices with the U2F client (which must include the U2F key to be used over bluetooth). The app now [sends this data to the U2F key](https://fidoalliance.org/specs/u2f-specs-1.0-bt-nfc-id-amendment/fido-u2f-raw-message-formats.html) via bluetooth which responds with a message that gets added to the `RETURNURL` as a URL hash `RETURNURL#chaldt=PAYLOAD` where `PAYLOAD` is again double-urlencoded and has the following format: ``` { "type": "u2f_sign_response", "requestId": 123456789, "responseData": { "clientData": "CLIENTDATA", "signatureData": "SIGNATUREDATA", "keyHandle": "KEYHANDLE" } } ``` where `responseData` contains the [`SignResponse` object as defined by the FIDO U2F JavaScript API](https://fidoalliance.org/specs/fido-u2f-v1.0-nfc-bt-amendment-20150514/fido-u2f-javascript-api.html#idl-def-SignResponse). This data can now be used by the client to verify the signature and complete the authentication. ## The Hack To make the Google Smart Lock app work with the Two Factor plugin, we should adjust the `u2f-google` link payload with our own data and set the correct `returnUrl`. Unfortunately, the Smart Lock app ignores all requests where the `returnUrl` doesn’t start with `https://accounts.google.com/signin` which is a real shame because it would allow any site to offer U2F authentication without creating a custom middleware app for talking to U2F keys over bluetooth or NFC.