1. All Rights Reserved | FIDO Alliance | Copyright 2018
Deploying FIDO Authentication: Technical Considerations
2. Authentication
(diagram: Server, Device and User; the example relying party is https://paypal.com)
3. FIDO BUILDING BLOCKS
(diagram: Relying Party Application, Browser / Platform, Authenticator, RP Server and FIDO Server, numbered 1-5 as below)
1. Server (the FIDO server): accepts or rejects login
2. Authenticator: gets user permission; creates registration / authentication requests
3. Browser / Platform: provides API for accessing the authenticator
4. Relying Party Application (RP App): mobile / web app that uses FIDO APIs for authentication
5. RP server: web / REST server that uses the FIDO server for authentication
4. Application Integration
5. Relying Party Application
(screenshot of a sample banking web app: Home, Transfer Money, Point of Sale, Profile, Statements, Invoices, Tools, with Register and Login links)
6. Apps: Two Points of Integration
Register and Login
7. Flavors of Register
First Factor (Passwordless); Second Factor (Token)
8. App Integration - Register
(diagram: Browser to Authenticator; user "Brett" registering at https://paypal.com; the authenticator performs User Verification and returns a Public Key and an Attestation)
Register (
  Account,
  RelyingPartyID
);
RegisterResponse {
  Credential,
  Attestation
};
9. Flavors of Login
First Factor (Passwordless); Second Factor (Token)
10. App Integration - Log In
(diagram: Browser to Authenticator; user "Brett" logging in at https://paypal.com; the Challenge goes to the authenticator, which performs User Verification and returns a Signature)
Sign (
  Challenge,
  RelyingPartyID
);
SignResponse {
  Signature
};
12. Messages Sent to Server
(diagram: Relying Party Application, Browser / Platform, Authenticator, RP Server and FIDO Server, numbered 1-4 as below)
1. Relying Party Application: takes the message from the API…
2. Message: …and sends the message to…
3. Relying Party Server: …which processes the message with help from…
4. FIDO Server
13. Server Registration
RegisterResponse {
  Credential,
  Attestation
};
(diagram: the Public Key and Attestation from the response go to the User Data Store, which records "Brett: Public Key"; result: Registered!)
1. Create New User
2. Validate Attestation (optional)
3. Store Public Key
14. Attestation, Metadata, MDS
• What is attestation? Signed statement from the authenticator that the metadata is accurate
• What is metadata? Information about an authenticator that helps establish trust
• Who needs it? Relying parties: they decide what authenticators they trust
  Social Networks: maybe not so important…?
  Financial Institutions: might be required by regulators...?
(diagram: MetaData Service (MDS))
15. Server Authentication
SignResponse {
  Signature
};
(diagram: the Signature is checked against the User Data Store entry "Brett: Challenge, Public Key"; result: Authenticated!)
1. Lookup User
2. Verify Challenge
3. Verify Signature w/ Public Key
17. RELYING PARTY APPLICATION
Browser "Application": a normal website - HTML, CSS, JavaScript
18. FIDO2: WEBAUTHN
A new JavaScript API that enables FIDO Authentication in the browser
Supported In: (browser logos)
19. FIDO2: CLIENT-TO-AUTHENTICATOR PROTOCOL (CTAP)
(diagram: Relying Party Application, Browser / Platform, Internal Authenticator, and an External Authenticator reached over CTAP)
CTAP
authenticatorMakeCredential()
authenticatorGetAssertion()
20. FIDO2: EXTENSIONS
• User Verification Caching (UVC): (see previous slide)
• Location Extension: provides GPS position information as part of the authentication
• Transaction Authorization: prompts a user to approve a specific transaction amount (e.g. – transfer $100?)
• User Verification Method (UVM): how many factors (have / know / are) were used in the authentication, and what kinds of factors (fingerprint, voice, etc.)
• User Verification Index (UVI): uniquely identifies which data record was used to identify a user (e.g. – which finger, for fingerprint biometrics)
• Authenticator Selection: allows a Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential
• FIDO AppID: allows Relying Parties who have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion
21. A (Quick) Tour of APIs
22. U2F JavaScript API
https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#high-level-javascript-api
23. UAF Android APIs
https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-client-api-transport-v1.0-ps-20141208.html#android-intent-api
24. UAF iOS API
https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-client-api-transport-v1.0-ps-20141208.html#ios-custom-url-api
25. UAF Browser API
https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-client-api-transport-v1.0-ps-20141208.html#dom-api
26. UAF Operation Messages
https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html#authentication-request-message
https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html#registration-request-message
27. UAF Server Processing
https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html#registration-processing-rules
https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol-v1.0-ps-20141208.html#authentication-response-processing-rules-for-fido-server
28. WebAuthn / FIDO 2.0 API
https://w3c.github.io/webauthn/#api
29. WebAuthn Server Processing
https://w3c.github.io/webauthn/#rp-operations
30. Thanks!
Adam Powers
Technical Director
adam@fidoalliance.org