W3C - Web Authentication API by Korea ETRI (Electronics and Telecommunication Research Institute) - Presented at FIDO Technical Seminar on July 16th, 2018

1. All Rights Reserved | FIDO Alliance | Copyright 20181
FKWG
FIDO Technical Seminar
W3C - Web Authentication API
ETRI
김석현
2018. 07. 16

2. All Rights Reserved | FIDO Alliance | Copyright 2018222222
Overview
● Web Authentication API(FIDO2) usage scenarios
● Web Authentication API Configuration, Characteristics and Attestation
● FIDO2 registration, authentication flow and Extensions
Relying PartyUser Agent
RP Client RP Server
FIDO Server
Web Authentication API
(JavaScript API)
CTAP
Platform
Authenticator
Browser
Platform
Cross-Platform
Authenticator

3. All Rights Reserved | FIDO Alliance | Copyright 20183
AGENDA
1. Use Cases
2. Web Authentication API

4. All Rights Reserved | FIDO Alliance | Copyright 20184
Use Cases
1. Platform Authenticator
2. Cross-Platform Authenticator

5. All Rights Reserved | FIDO Alliance | Copyright 2018555555
Use Cases – Platform Authenticator
● User experience (Authentication - Any credential)
https://example.com https://example.com
Please complete
the authentication.
Sign in
https://example.com https://example.com
Alice,
authentication complete.
Welcome to
example.com
Sign in as
Alice
Bob
● FIDO2 Service Requirements
○ Web pages (using web authentication API)
○ FIDO2 Server

6. All Rights Reserved | FIDO Alliance | Copyright 2018666666
Use Cases – Cross-Platform Authenticator
● User experience (Authentication - Any credential)
https://example.com https://example.com
Please complete
this action on your
phone.Sign in with your phone
https://example.com
Alice,
authentication complete.
Welcome to
example.com
● FIDO2 Service Requirements
○ Web pages (using web authentication API)
○ FIDO2 Server
○ Device (supporting CTAP-FIDO2 Authenticator)
Sign in to
example.com
Sign in as
Alice
Bob
Authorization
gesture
CTAP

7. All Rights Reserved | FIDO Alliance | Copyright 20187
Web Authentication API
1. WebAuthn API
2. Attestations
3. Registration
4. Authentication
5. Extentions

8. All Rights Reserved | FIDO Alliance | Copyright 2018888888
WebAuthn API 1/3
● WebAuthn API
○ The API provides the ability to register with a public key credential scoped to the site
through a web browser and to authenticate using a registered credential.
○ (Registration) Navigator.credentials.create()
○ (Authentication) Navigator.credentials.get()
● PublicKeyCredential inherits from Credential
○ Credential is a W3C Credential Management API for all types of credentials
■ http://www.w3.org/TR/credential-management-1/
● Public key credentials, each scoped to a given Relying Party are created and
stored on an authenticator.
○ Each authenticator stores a credentials map, a map from (rpId, [userHandle]) to public
key credential.

9. All Rights Reserved | FIDO Alliance | Copyright 2018999999
WebAuthn API 2/3
● PublicKeyCredential Interface
[SecureContext, Exposed=Window]
Interface PublicKeyCredential : Credential
{
[SameObject] readonly attribute ArrayBuffer rawId;
[SameObject] readonly attribute AuthenticatorResponse response;
AuthenticationExtensionsClientOutputs getClientExtensionResults();
};
○ Id, type
■ This attribute is inherited from Credential.
○ rawId
■ This attribute returns the ArrayBuffer contained in the [[identifier]] internal slot.
○ Response
■ (registration) AuthenticatorAttestationResponse
■ (authentication) AuthenticatorAssertionResponse
○ getClientExtensionResults()
■ This operation returns the value of [[clientExtensionsResults]].

10. All Rights Reserved | FIDO Alliance | Copyright 2018101010101010
WebAuthn API 3/3
● Platform (browser or OS)
○ Contextual(channel) bindings of both the Relying Party and the client platform.
○ Configure the CollectedClientData.
dictionary CollectedClientData
{
required DOMString type;
required DOMString challenge;
required DOMString origin;
TokenBinding tokenBinding;
};
Browser
FIDO2 Server
Authenticator
clientDataHash Signature
(clientDataHash)
- clientDataJSON
- Signature
The clientDataHsh is the hash of the CollectedClientDataJSON using SHA-256.

11. All Rights Reserved | FIDO Alliance | Copyright 201811
Web Authentication API
1. WebAuthn API
2. Attestations
3. Registration
4. Authentication
5. Extentions

12. All Rights Reserved | FIDO Alliance | Copyright 2018121212121212
Attestation statement format
● Packed Attestation
○ WebAuthn optimized attestation statement format.
○ It is implementable by authenticators with limited sources (e.g., secure elements).
● TPM Attestation
○ This attestation statement format is generally used by authenticators that use a
Trusted Platform Module as their cryptographic engine.
● Android Key Attestation
○ When the authenticator in question is a platform-provided Authenticator on the
Android “N”or later platform, the attestation statement is based on the Android Key
attestation.
● Android SafetyNet Attestation
○ When the authenticator in question is a platform-provided Authenticator on certain
Android platforms, the attestation statement is based on the SafetyNet API.
● FIDO U2F Attestation
○ FIDO U2F authenticators using the formats defined in FIDO-U2F-Message-Formats
specification.
● None Attestation

13. All Rights Reserved | FIDO Alliance | Copyright 2018131313131313
Attestation Object
“authData”: … “fmt”:”packed” “attStmt”:…
RP ID Hash FLAGS COUNTER ATTESTED CRED. DATA EXTENSIONS
Authentication Data
AAGUID L CREDENTIAL ID CREDENTIAL PUBLIC KEY
“alg”:… “sig”:… “x5c”:…
Attestation Statement (packed)
if Basic or Attestation CA:
“alg”:… “sig”:… “ecdaaKeyId”:…if ECDAA
Attestation Object
● The basic requirement is that the authenticator can produce, for each credential
public key, an attestation statement verifiable by the Relying Party.

14. All Rights Reserved | FIDO Alliance | Copyright 2018141414141414
Attestation type
● Attestation type in metadata statement
○ Basic Attestation (Basic full)
○ Self Attestation (Surrogate)
○ Attestation CA (Privacy CA)
○ Elliptic Curve based Direct Anonymous Attestation (ECDAA)
● AttestationConveyancePreference handled by platform
○ none, indirect, direct

15. All Rights Reserved | FIDO Alliance | Copyright 2018151515151515
Attestation trustworthiness
Relying PartyUser Agent
FIDO ServerAuthenticator
Metadata Service
Authentication
by RP
PubKey
PriKey
Cert
PriKey
Attestation
Issue Attestation Certificate
Root CA
Root CA Certificate

16. All Rights Reserved | FIDO Alliance | Copyright 201816
Web Authentication API
1. WebAuthn API
2. Attestations
3. Registration
4. Authentication
5. Extentions

17. All Rights Reserved | FIDO Alliance | Copyright 2018171717171717
Registration
● JavaScript API
○ Navigator.credentials.create({PublicKeyCredentialCreationOptions})
dictionary PublicKeyCredentialCreationOptions
{
required PublicKeyCredentialRpEntity rp;
required PublicKeyCredentialUserEntity user;
required BufferSource challenge;
required sequence< PublicKeyCredentialParameters > pubKeyCredParams;
unsigned long timeout;
sequence< PublicKeyCredentialDescriptor > excludeCredentials = [];
AuthenticatorSelectionCriteria authenticatorSelection;
AttestationConveyancePreference attestation = “none”;
AuthenticationExtensionsClientInputs extensions;
};

18. All Rights Reserved | FIDO Alliance | Copyright 2018181818181818
Navigator.credential.create() 1/2
if (!window.PublicKeyCredential) { /* Platform not capable. Handle error. */ }
var publicKey = {
// The challenge must be produced by the server, see the Security Considerations
challenge: new Uint8Array([21,31,105 /* 29 more random bytes generated by the server */]),
// Relying Party:
rp: {
name: "ACME Corporation"
},
// User:
user: {
id: Uint8Array.from(window.atob("MIIBkzCCATigAwIBAjCCAZMwggE4oAMCAQIwggGTMII="), c=>c.charCodeAt(0)),
name: "alex.p.mueller@example.com",
displayName: "Alex P. Müller",
icon: "https://pics.example.com/00/p/aBjjjpqPb.png"
},

19. All Rights Reserved | FIDO Alliance | Copyright 2018191919191919
Navigator.credential.create() 2/2
// This Relying Party will accept either an ES256 or RS256 credential, but prefers an ES256 credential.
pubKeyCredParams: [
{
type: "public-key",
alg: -7 // "ES256" as registered in the IANA COSE Algorithms registry
},
{
type: "public-key",
alg: -257 // Value registered by this specification for "RS256"
}
],
timeout: 60000, // 1 minute
excludeCredentials: [], // No exclude list of PKCredDescriptors
extensions: {"loc": true} // Include location information in attestation
};
// Note: The following call will cause the authenticator to display UI.
navigator.credentials.create({ publicKey }).then(function (newCredentialInfo) {
// Send new credential info to server for verification and registration.
}).catch(function (err) {
// No acceptable authenticator or user refused consent. Handle appropriately.
});

20. All Rights Reserved | FIDO Alliance | Copyright 2018202020202020
Registration - Platform authenticator
if (!window.PublicKeyCredential) { /* Platform not capable of the API. Handle error. */ }
PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable()
.then(function (userIntent) {
// If the user has affirmed willingness to register with RP using an available platform authenticator
if (userIntent) {
var publicKeyOptions = { /* Public key credential creation options. */};
// Create and register credentials.
return navigator.credentials.create({ "publicKey": publicKeyOptions });
} else {
// Record that the user does not intend to use a platform authenticator
// and default the user to a password-based flow in the future.
}
}).then(function (newCredentialInfo) {
// Send new credential info to server for verification and registration.
}).catch( function(err) {
// Something went wrong. Handle appropriately.
});

21. All Rights Reserved | FIDO Alliance | Copyright 201821
Web Authentication API
1. WebAuthn API
2. Attestations
3. Registration
4. Authentication
5. Extentions

22. All Rights Reserved | FIDO Alliance | Copyright 2018222222222222
Authentication
● JavaScript API
○ Navigator.credentials.get({“publicKey”:PublicKeyCredentialRequestOptions})
dictionary PublicKeyCredentialRequestOptions
{
required BufferSource challenge;
unsigned long timeout;
USVString rpId;
sequence< PublicKeyCredentialDescriptor > allowCredentials = [];
UserVerificationRequirement userVerification = “preferred”;
AuthenticationExtensionsClientInputs extensions;
};

23. All Rights Reserved | FIDO Alliance | Copyright 2018232323232323
AuthenticatorAssertionResponse
● This response contains a cryptographic signature proving possession of the
credential private key, and optionally evidence of user consent to a specific
transaction.
[SecureContext, Exposed=Window]
Interface AuthenticatorAssertionResponse : AuthenticatorResponse
{
[SameObject] readonly attribute ArrayBuffer authenticatorData;
[SameObject] readonly attribute ArrayBuffer signature;
[SameObject] readonly attribute ArrayBuffer? userHandle;
};
[SecureContext, Exposed=Window]
Interface AuthenticatorResponse
{
[SameObject] readonly attribute ArrayBuffer clientDataJSON;
};

24. All Rights Reserved | FIDO Alliance | Copyright 2018242424242424
Navigator.credential.get() 1/3
if (!window.PublicKeyCredential) { /* Platform not capable. Handle error. */ }
var options = {
// The challenge must be produced by the server, see the Security Considerations
challenge: new Uint8Array([4,101,15 /* 29 more random bytes generated by the server */]),
timeout: 60000, // 1 minute
allowCredentials: [{ type: "public-key" }]
};
navigator.credentials.get({ "publicKey": options })
.then(function (assertion) {
// Send assertion to server for verification
}).catch(function (err) {
// No acceptable credential or user refused consent. Handle appropriately.
});
● Any Credential

25. All Rights Reserved | FIDO Alliance | Copyright 2018252525252525
Navigator.credential.get() 2/3
● Credential Hint
if (!window.PublicKeyCredential) { /* Platform not capable. Handle error. */ }
var encoder = new TextEncoder();
var acceptableCredential1 = {
type: "public-key",
id: encoder.encode("!!!!!!!hi there!!!!!!!n")
};
var acceptableCredential2 = {
type: "public-key",
id: encoder.encode("roses are red, violets are bluen")
};

26. All Rights Reserved | FIDO Alliance | Copyright 2018262626262626
Navigator.credential.get() 3/3
● Credential Hint
if (!window.PublicKeyCredential) { /* Platform not capable. Handle error. */ }
var options = {
// The challenge must be produced by the server, see the Security Considerations
challenge: new Uint8Array([8,18,33 /* 29 more random bytes generated by the server */]),
timeout: 60000, // 1 minute
allowCredentials: [acceptableCredential1, acceptableCredential2],
extensions: { 'txAuthSimple': "Wave your hands in the air like you just don’t care" }
};
navigator.credentials.get({ "publicKey": options })
.then(function (assertion) {
// Send assertion to server for verification
}).catch(function (err) {
// No acceptable credential or user refused consent. Handle appropriately.
});

27. All Rights Reserved | FIDO Alliance | Copyright 201827
Web Authentication API
1. WebAuthn API
2. Attestations
3. Registration
4. Authentication
5. Extentions

28. All Rights Reserved | FIDO Alliance | Copyright 2018282828282828
Extensions
● The mechanism for generating public key credentials and Authentication assertions.
● Defined Extensions. The browser has the option to implement an extension or not since this
is a client extension.
○ FIDO AppID (appId)
■ This allows Relying Parties that have previously registered a credential using the legacy FIDO JavaScript
APIs to request an assertion.
○ Simple Transaction Authorization (txAuthSimple)
○ Generic Transaction Authorization (txAuthGeneric)
○ Authenticator Selection (authnSel)
■ Relying Parties that wish to tightly control the experience around credential creation.
○ Supported Extensions (exts)
○ User Verification Index (uvi)
■ This allows the detection and prevention of "friendly fraud".
○ Location (loc)
○ User Verification Method (uvm)
■ for a multi-factor authentication (userVerification, keyProtection, matcherProtection)
○ Biometric Authenticator Performance Bounds (biometricPerfBounds)

29. All Rights Reserved | FIDO Alliance | Copyright 2018292929292929
감사합니다.