Management of FIDO authenticators

Intelligent Adaptive Authentication offers consolidated authenticator management for FIDO2 and FIDO UAF as well as specific authenticator management for FIDO UAF only.

Consolidated authenticator management for FIDO2 and FIDO UAF

With a dedicated API to query FIDO-based authenticators, Intelligent Adaptive Authentication offers consolidated authenticator management for both FIDO2 and FIDO UAF-based authenticators. This helps both administrators and end users to find and distinguish specific authenticators.

To find out which authenticators are used, you can query Intelligent Adaptive Authentication for a specific user as well as for all users and list their authenticators. Also, end users can list their authenticators to know which authenticators they have registered. To enable this type of authenticator management, Intelligent Adaptive Authentication uses the following parameters created during the registration of a FIDO-based authenticator:

Any one or a combination of several of these parameters can be used to list, update, deregister, and delete specific authenticators for one or more specified users.

This feature is also available in the FIDO2 Bank Demo Web App to demonstrate the authenticator management for FIDO2 authenticators. For more information, see FIDO2 Bank Demo Web App.

Find registrations

This option allows end users to know which authenticators are registered for them and administrators to know which authenticators are used in Intelligent Adaptive Authentication. Find FIDO authenticator registrations:

  • for a specific user
  • for a registration type
  • for a specific user and a certain registration type
  • for all users and a certain registration type

To find FIDO authenticator registrations

Update user registration name

You can update the customized registration name of the user that was generated during the registration of the FIDO authenticator. When you issue a GET fido registrations request, you will receive the registration ID in the response. You can use this registration ID to update the registration name.

To change the customized registration name with the registration ID

Delete registrations

With this, administrators can deregister and/or delete specific authenticators for one or more specified users.When you issue a GET fido registrations request, you will receive the registration ID in the response. You can use this registration ID to delete the registration.

To delete a FIDO authenticator registration

FIDO UAF-only authenticator management

Intelligent Adaptive Authentication offers the option to specifically deregister and delete FIDO authenticators that have been registered using the FIDO UAF protocol.

Deregistration of a FIDO UAF authenticator

Prerequisites for removing a previously registered FIDO-based authenticator

The following prerequisites must be met before the deregistration process can be started:

  • The user must be authenticated against Intelligent Adaptive Authentication and logged in with the app.

Deregister a FIDO UAF authenticator

Sequence of the deregistration of a FIDO UAF authenticator

  1. The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API via the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.
  2. The OneSpan Trusted Identity platform API sends the request to the FIDO Server.
  3. The FIDO Server removes the authenticator and sends a deregistration response to the OneSpan Trusted Identity platform API.
  4. The OneSpan Trusted Identity platform API forwards this response to the web server.
  5. The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.

If all authenticators that belong to a FIDO user have been deregistered, the FIDO user is automatically deleted.

To remove a previously registered FIDO-based authenticator

Deregistration of individual keys from an authenticator

Instead of completely deregistering an authenticator, individual keys can be removed from the authenticator and FIDO Server. The FIDO protocols use public-key cryptography techniques to provide stronger authentication. During registration, a new key pair is created that is unique to the user, authenticator, and to the AppId. The private key is retained within the authenticator, while the public key is stored on the FIDO Server.

It is only possible to remove individual keys from an authenticator if they have been registered using the UAF protocol.

Prerequisites for the removal of individual keys on a previously registered FIDO-based authenticator

  • The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.

Removal of individual keys from a previously registered FIDO-based authenticator

Sequence of the removal of individual keys on a previously registered FIDO-based authenticator

  1. The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API via the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.
  2. The OneSpan Trusted Identity platform API sends the request to the FIDO Server.
  3. The FIDO Server removes the keys and sends a deregistration response to the OneSpan Trusted Identity platform API.
  4. The OneSpan Trusted Identity platform API forwards this response to the web server.
  5. The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.

To remove individual keys on a previously registered FIDO-based authenticator