All Rights Reserved | FIDO Alliance | Copyright 2018
FIDO2 & Microsoft
Anthony Nadalin, Microsoft
The Big Picture
STANDARDS, INTERACTIONS, INTEROPERABILITY
STANDARDS
▸ To understand how FIDO2 works, there are two specifications that together define an abstraction layer creating the ecosystem for strong authentication:
  ▸ Platform – Client to Authenticator Protocol (CTAP2)
    ▸ Specification lives at the FIDO Alliance – status: proposed standard
    ▸ Wire formats, data structures
  ▸ Web – Web Authentication API (WebAuthn)
    ▸ Specification lives at the W3C – status: proposed recommendation
    ▸ JavaScript API, wire formats, data structures
THE CAST OF CHARACTERS
▸ Relying Parties and Clients
  ▸ Relying Parties are web or native applications that consume strong authentication
  ▸ A native application running on the client device can also act as the WebAuthn client and make direct WebAuthn calls
  ▸ A web application that consumes the authentication cannot interact with the WebAuthn API directly and must “broker” through the browser
▸ Client Devices
  ▸ The client device is the hardware used for strong authentication
  ▸ Laptops, phones, dongles, etc.
THE CAST OF CHARACTERS
▸ Platform Authenticators
  ▸ Usually resident on a client device and cannot be accessed via cross-platform transport protocols like HID, NFC or BLE
  ▸ Built into laptops: fingerprint readers, facial recognition, etc.
▸ Roaming Authenticators
  ▸ Can connect to multiple client devices; interaction must be negotiated over a supported transport layer
  ▸ USB security keys, BLE-enabled smartphone applications, or NFC proximity cards
  ▸ Can support CTAP1, CTAP2 or both protocols
  ▸ For the list of certified authenticators see https://fidoalliance.org/certification/fido-certified-products/
FIDO CERTIFIED AUTHENTICATORS
THE CAST OF CHARACTERS
▸ CTAP2 Platform
  ▸ The part of the client device that negotiates with the authenticator
  ▸ Responsible for the origin of the request and for calling the CTAP2/CBOR APIs
INTERACTIONS
▸ Many to Many
  ▸ Many relying parties and clients can interact with many authenticators on a single client device
  ▸ Users can install many browsers that support WebAuthn
    ▸ Chrome, Edge, Firefox
    ▸ Safari: see https://bugs.webkit.org/show_bug.cgi?id=181943
  ▸ Users have access to many authenticators
SAFARI ANNOUNCES FIDO TESTING
INTEROPERABILITY
▸ Before WebAuthn and CTAP2 there were U2F and CTAP1
▸ WebAuthn and CTAP2 were designed to be interoperable with CTAP1 authenticators and U2F
▸ Authenticators may support:
  ▸ Keys for multiple accounts stored per relying party
  ▸ Client PIN
  ▸ Transactional approval
  ▸ HMAC secret (enables offline scenarios)
SO WHAT HAVE WE ACCOMPLISHED SO FAR
▸ Converged CTAP and WebAuthn
▸ Platforms have implemented: Windows, Mozilla, Chrome, Android
▸ Implementations of CTAP External authenticators exist
▸ Conducted several successful interop tests
▸ Q1 2019, critical use cases can be deployed ‘in the wild’ by any RP
ENABLED USE CASES
▸ 2nd-factor authentication: the user has a password, but it is not enough to sign in
  ▸ Standardized in FIDO and W3C
  ▸ Implemented by 3 browsers on Windows, Linux, ChromeOS, OS X, Android, iOS*
  ▸ Had several successful interops
▸ 1st-factor authentication: the user has no password
  ▸ Standardized in FIDO and W3C
  ▸ Implemented* by 2 browsers on Windows
POSSIBLE FUTURES
▸ Need to install a custom app/binary for biometrics management
  ▸ → API to add/remove fingerprints etc. on the authenticator
▸ No way to manage resident credentials
  ▸ → API to display and delete credentials on the authenticator
▸ Enterprise features
  ▸ Forwarding FIDO authenticators (through RDP, VNC, SSH, etc.)
  ▸ Using them for SSH access
  ▸ Individual attestation in enterprise contexts
▸ Minor tweaks
  ▸ Authenticators supplying their supported transports
Microsoft FIDO2 IMPLEMENTATION
IMPLEMENTATION
▸ 4 years in the making
  ▸ Introduced the idea of FIDO2 to the FIDO Alliance in 2014
  ▸ Refined, improved, enhanced
▸ Windows 10 October release
  ▸ Updated to use the WebAuthn Candidate Release
  ▸ Updated to use the CTAP2 Proposed Standard
MICROSOFT ACCOUNT
▸ Microsoft’s WebAuthn Relying Party
  ▸ Logon services for Xbox, Skype, Outlook and many other services
▸ Authenticators MUST have the following capabilities:
  ▸ Keys must be stored locally on the authenticator, not on a server in the cloud
  ▸ Offline scenarios must work (HMAC-secret)
  ▸ Users must be able to put keys for multiple user accounts on the same authenticator
  ▸ Authenticators must be capable of unlocking a TPM with a client PIN
▸ Microsoft Account will not accept CTAP1 (U2F)
MICROSOFT EDGE
▸ Microsoft’s WebAuthn Client
  ▸ Edge can handle the user interface for WebAuthn and CTAP2
  ▸ Supports AppID for interacting with CTAP1 and CTAP2 authenticators
  ▸ Supports creation and usage of U2F and FIDO2 authentication
  ▸ Does NOT support the CTAP1 protocol
  ▸ Relying Parties MUST use WebAuthn
  ▸ Edge on Android does NOT support WebAuthn as of now
▸ See https://docs.microsoft.com/en-us/microsoft-edge/dev-guide/windows-integration/web-authentication
DEVELOPER GUIDE
WINDOWS 10
▸ Microsoft’s WebAuthn Platform
  ▸ Win32 platform WebAuthn APIs that enable clients to interact with Windows Hello