
Where is the code implementation for roaming authenticators? #1221

Closed
mduffy215 opened this issue May 23, 2019 · 10 comments

Comments

@mduffy215

The WebAuthn Recommendation states: "Authenticators being implemented off device (roaming authenticators) can be accessed over a transport such as Universal Serial Bus (USB), Bluetooth Low Energy (BLE), or Near Field Communications (NFC)."

"As part of the standards process, W3C requires that groups demonstrate implementation experience." https://www.w3.org/participate/implementation

Where is the code implementation for roaming authenticators?

@dwaite
Contributor

dwaite commented May 23, 2019

One specification for roaming authenticators is supplied by the FIDO alliance, in the form of CTAP. Support to talk via CTAP to roaming authenticators is implemented by the client or platform - there are implementations shipping within Firefox, Chrome, as well as in the Android and Windows platforms.

The client interface provided by Web Authentication is meant to hide details of how an authenticator is communicated with - details on whether an authenticator is a roaming authenticator and what transports it supports are really provided for relying party user experience.
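
An added example (not code from the thread or from any project named in it) of what that division of labour looks like on the relying-party side: the web app asks the client for a roaming authenticator with `authenticatorAttachment: "cross-platform"` and keeps the transport hints the client reports for later `allowCredentials`, but never speaks CTAP, USB, BLE or NFC itself. The `rpId`, `user` and the fake credential object are constructed for the demo.

```javascript
// Transports this example will keep; the WebAuthn client reports them, the
// relying party only stores them as a hint for the next navigator.credentials.get().
const KNOWN_TRANSPORTS = new Set(["usb", "nfc", "ble", "internal", "hybrid"]);

// PublicKeyCredentialCreationOptions for navigator.credentials.create().
// `challenge` must be a fresh, server-generated Uint8Array; rpId/user are inputs.
function buildRoamingCreationOptions(challenge, rpId, user) {
  return {
    challenge,
    rp: { id: rpId, name: rpId },
    user, // { id: Uint8Array, name, displayName }
    pubKeyCredParams: [{ type: "public-key", alg: -7 }], // ES256
    authenticatorSelection: {
      authenticatorAttachment: "cross-platform", // a roaming authenticator, not the platform's own
      userVerification: "preferred",
    },
    timeout: 60000,
  };
}

// After create() resolves, record the transports the client reports. They are a
// user-experience hint, not a security property: unknown or missing values are
// dropped, and nothing here decides trust based on them.
function extractTransports(credential) {
  const resp = credential.response || {};
  const reported = typeof resp.getTransports === "function" ? resp.getTransports() : [];
  return reported.filter((t) => KNOWN_TRANSPORTS.has(t));
}

// Build one allowCredentials entry for navigator.credentials.get() from what was
// stored at registration, so the client need not probe every transport.
function allowCredentialEntry(credentialIdBytes, transports) {
  const entry = { type: "public-key", id: credentialIdBytes };
  if (transports.length > 0) entry.transports = transports;
  return entry;
}

// Constructed stand-in for a create() result from a BLE security key (not real data).
const fakeCredential = {
  rawId: new Uint8Array([1, 2, 3, 4]),
  response: { getTransports: () => ["ble", "usb", "bogus"] },
};
const transports = extractTransports(fakeCredential); // ["ble", "usb"]
console.log(allowCredentialEntry(fakeCredential.rawId, transports));
```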

@mduffy215
Author

The comment made by dwaite above is not true: "Support to talk via CTAP to roaming authenticators is implemented by the client or platform - there are implementations shipping within Firefox, Chrome, as well as in the Android and Windows platforms."

"Chrome supports.. CTAP 1 authenticators over USB transport on desktop. Upcoming releases will add support for more transports such as BLE and NFC and the newer CTAP 2 wire protocol."
https://developers.google.com/web/updates/2018/05/webauthn

Also there are no CTAP apps listed in the FIDO "Reference Implementation Library".
https://fidoalliance.org/certification/functional-certification/reference-implementation-library/

Let me rephrase my question:

"As part of the standards process, W3C requires that groups demonstrate implementation experience." https://www.w3.org/participate/implementation

Where is the code implementation for roaming authenticators over BLE?

I really want to implement secure authentication using my Android mobile phone.

@dwaite
Contributor

dwaite commented May 24, 2019

> https://developers.google.com/web/updates/2018/05/webauthn

One year ago (when that blog post was written) Chrome only supported CTAP 1 (U2F USB Transport) authenticators. Today it supports significantly more.

> Also there are no CTAP apps listed in the FIDO "Reference Implementation Library".
> "As part of the standards process, W3C requires that groups demonstrate implementation experience."

It sounds like you are actually more concerned about lack of implementation experience for the FIDO specification, which is outside the W3C's influence.

> Where is the code implementation for roaming authenticators over BLE?

I don't know of any public code to do so. There are for-sale security keys which support BLE with CTAP1, which should work with your Android phone. Chrome desktop support for BLE I believe is currently feature-flagged on Mac.

To date, the security keys for CTAP 2 have been mostly a mix of USB and NFC.

> I really want to implement secure authentication using my Android mobile phone.

I'm not really sure what you want to implement. FWIW, if your implying that the working group was not correctly following W3C process was an attempt to get the location of some sort of BLE source code - I might suggest that taking a different, more diplomatic approach in the future may yield better results.

Having your phone act as a platform authenticator to itself is already an Android platform feature. Having those credentials extend to being a BLE authenticator for other devices such as a desktop computer will almost certainly also be desired to tap into that platform-level feature. An app might be able to act as an authenticator, depending on platform restrictions and capabilities - but without platform integration, that authenticator would be a different authenticator than the one exposed to Android Chrome. You'd want to pair both with each website you visit.

Consuming third party BLE authenticators in an app may or may not be possible depending on the platform - the ability to communicate with such authenticators directly may be blocked at a platform level, due to the potential of a bad client to phish the user. In such a case, you'll need to see what the platform provides (as an analogous API to WebAuthn) to interface with authenticators.

@mduffy215
Author

mduffy215 commented May 24, 2019

I would prefer that my users not have to go out and buy a physical security key, which is by design insecure because it would most often just be left in a user's workstation (unless of course you also require usernames and passwords, which we were trying to avoid in the first place).

Almost everyone has a mobile phone with BLE. I think that WebAuthn would take off if there was a simple reference implementation that would allow a user's mobile phone to be a roaming authenticator. Why isn't there a reference implementation for something clearly stated in the W3C recommendation? Is it because the companies backing WebAuthn want to sell complex systems and consulting services?

Are there any code examples available anywhere for creating a WebAuthn roaming authenticator on a mobile device and making it available by Bluetooth Low Energy to a Web App running in Chrome?

I think what I am saying is that the WebAuthn working group was more concerned with selling security keys and creating complex systems than with creating a simple and elegant solution to the authentication problem. I hope that you can prove me wrong.

@bdewater

You might be interested in https://krypt.co/ - it's free and open source, although it implements the U2F protocol which is not meant for passwordless login. I'm not sure if they have plans to upgrade to WebAuthn/CTAP2.

Google also recently demonstrated the 'caBLE' (cloud-assisted Bluetooth Low Energy) transport. It currently only works on Google's properties and requires Chrome, but according to this article work is underway to standardize it and make it available to everyone. It works very well in my experience, and I also believe it's the most promising way to accelerate adoption.

@mduffy215
Author

Thx Bart.

The article you recommended is based on a Google Blog post: The ultimate account security is now in your pocket; this blog posting promised that your Android phone could be used as a roaming authenticator to sign into your Google account (just your Google account; a modest but good start).

Unfortunately, it does not work:
https://stackoverflow.com/questions/56247848/how-to-get-webauthn-to-work-with-a-roaming-authenticator

@bdewater

It works for me 🤷🏻‍♂️ I'll leave a reply on your SO post since an individual problem with an implementation seems out of scope for a W3C standards discussion forum.

@mduffy215
Author

I deleted my security key and tried to reattach it. That process seemed to work (no errors).

However, now when I try to sign in I get the following message:

[screenshot: try_different]

I think there must be some sort of association on the server side that is problematic. The first statement in the Network traffic from the Chrome Dev Tools is a challenge sent to https://accounts.google.com

The main issue is not this specific example. The main issue is the lack of a clear reference implementation for roaming authenticators.

I think the proponents of WebAuthn have done a disservice to the development community AND they failed to follow W3C protocols. I think WebAuthn would take off if there was a simple reference implementation that would allow a user's mobile phone to be a roaming authenticator.

P.S. If anyone from Google is reading this post, I am happy to go over to the Google offices here in Austin and help troubleshoot this issue.

@mduffy215
Author

OK. The good news is that after a complete uninstall of Chrome and then a fresh reinstall, the WebAuthn process for Google accounts now works with my new Pixel 3A phone.
https://blog.google/technology/safety-security/your-android-phone-is-a-security-key/

I had used a Yubico security key previously. I suspect there was an association to that key that was married to my Google account.

The major issue still remains: the lack of a clear reference implementation for roaming authenticators.

@agl
Contributor

agl commented Jun 19, 2019

This W3C group doesn't provide reference implementations—we're just writing the spec. Since this isn't actionable for the spec, we're closing this issue otherwise it comes up at every call.
