This document summarizes a presentation given by Anthony Nadalin from Microsoft on FIDO2 and Microsoft implementations. It discusses the FIDO standards including CTAP2 and WebAuthn, and how Microsoft supports these standards in Windows 10, Microsoft Edge, and Microsoft Accounts. It provides an overview of authentication interactions and the different entities involved, such as relying parties, clients, authenticators, and platforms.
FIDO2 and Microsoft
1. All Rights Reserved | FIDO Alliance | Copyright 2017
SEOUL SEMINAR:
FIDO2 & Microsoft
ANTHONY NADALIN
MICROSOFT
2. THE BIG PICTURE
Standards
Interactions
Interoperability
3. STANDARDS
To understand how FIDO2 works there are 2 specifications
that together define an abstraction layer creating the ecosystem
for strong authentication:
▸ Platform - Client to Authenticator Protocol (CTAP2)
▸ Specification lives at FIDO Alliance – status proposed standard
▸ Wire formats, data structures
▸ Web – Web Authentication API (WebAuthn)
▸ Specification lives at W3C – status proposed recommendation
▸ Javascript API, wire formats, data structures
4. THE CAST OF CHARACTERS
▪Relying Parties and Clients
▪ Relying Parties are web or native applications that consume strong authentication
▪ A native application running on the client device can also act as the WebAuthn client and make
direct WebAuthn calls.
▪ A web application that consumes the authentication cannot directly interact
with the WebAuthn API and must “broker” through the browser
▪Client Devices
▪ Client device is the hardware used for strong authentication
▪ Laptops, phones, dongles, etc.
5. THE CAST OF CHARACTERS
▪Platform Authenticators
▪ Usually resident on a client device and can’t be accessed via cross-platform
transport protocols like HID, NFC or BLE
▪ Built into laptops: fingerprint readers, facial recognition, etc.
▪ Roaming Authenticators
▪ Can connect to multiple client devices and integration must be negotiated over a
supported transport layer
▪ USB Security Keys, BLE enabled smartphone applications, or NFC proximity cards
▪ Can support CTAP1, CTAP2 or both protocols
▪ List of certified authenticators see https://fidoalliance.org/certification/fido-certified-products/
6. FIDO CERTIFIED AUTHENTICATORS
8. INTERACTIONS
▪Many to Many
▪ Many relying parties and clients can interact with many authenticators on a single
client device
▪ Users can install many browsers that support WebAuthn
▪ Chrome, Edge, Firefox
▪ Safari see https://bugs.webkit.org/show_bug.cgi?id=181943
▪ Have access to many authenticators
9. INTEROPERABILITY
▪Before WebAuthn and CTAP2 there was U2F and CTAP1
▪WebAuthn and CTAP2 were designed to be interoperable
with CTAP1 Authenticators and U2F.
▪Authenticators may support
▪ Keys for multiple accounts can be stored per relying party
▪ Client PIN
▪ Transactional Approval
▪ HMAC Secret (enables offline scenarios)
10. SO WHAT WE HAVE ACCOMPLISHED SO FAR
▪Converged CTAP and WebAuthn
▪Platforms have implemented: Windows, Mozilla, Chrome, Android
▪Implementations of CTAP External authenticators exist
▪Conducted several successful interop tests
▪Q1 2019, critical use cases can be deployed ‘in the wild’ by any RP
11. ENABLED USE CASES
▪ 2nd factor authentication: User has a password, but it's not
enough to sign in
▪ Standardized in FIDO and W3C
▪ Implemented by 3 browsers on Windows, Linux, ChromeOS, OS X, Android, iOS*
▪ Had several successful interops
▪Reauth: User can use password, but FIDO is faster on this
device
▪ Standardized in FIDO and W3C
▪ Implemented by 2 browsers on Windows, OS X, Android
▪1st factor authentication: User has no password
▪ Standardized in FIDO and W3C
▪ Implemented* by 2 browsers on Windows
12. POSSIBLE FUTURES
▪Need to install custom app/binary for biometrics
management
▪ → API to add/remove fingerprint etc. to authenticator
▪No way to manage resident credentials
▪ → API to display, delete credentials on authenticator
▪Enterprise features
▪ Forwarding FIDO authenticators (through RDP, VNC, SSH, etc)
▪ Using them for SSH access
▪ Individual attestation in enterprise contexts
▪Minor tweaks
▪ Authenticators supplying their supported transports
13. MICROSOFT: FIDO2 IMPLEMENTATION
14. IMPLEMENTATION
▪4 Years in the making
▪ Introduced the idea of FIDO2 to the FIDO Alliance in 2014
▪ Refined, improved, enhanced
▪Windows 10 October Release
▪ Updated to use WebAuthn Candidate Release
▪ Updates to use CTAP2 Proposed Standard
15. MICROSOFT ACCOUNT
▪Microsoft’s WebAuthn Relying Party
▪ Logon services for xBox, Skype, Outlook and many other services
▪ Authenticators MUST have the following capabilities:
▪ Keys must be stored locally on the authenticator, not on a server in the cloud
▪ Offline scenarios must work (HMAC-secret)
▪ Users must be able to put keys for multiple user accounts on same authenticator
▪ Authenticators must be capable of unlocking a TPM with a client-PIN
▪ Microsoft Account will not accept CTAP1 (U2F)
16. MICROSOFT EDGE
▪Microsoft’s WebAuthn Client
▪ Edge can handle the User Interface for WebAuthn and CTAP2
▪ Supports AppID for interacting with CTAP1 and CTAP2 Authenticators
▪ Supports creation and usage of U2F and FIDO2 Authentication
▪ Does NOT support CTAP1 protocol
▪ Relying Parties MUST use WebAuthn
▪ Edge on Android does NOT support WebAuthn as of now
▪ See https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/windows-integration/web-authentication
18. WINDOWS 10
▪Microsoft’s WebAuthn Platform
▪ Win32 Platform WebAuthn APIs that enable clients to interact with Windows Hello