Management of FIDO authenticators
Intelligent Adaptive Authentication offers consolidated authenticator management for FIDO2 and FIDO UAF as well as specific authenticator management for FIDO UAF only.
Consolidated authenticator management for FIDO2 and FIDO UAF
With a dedicated API to query FIDO-based authenticators, Intelligent Adaptive Authentication offers consolidated authenticator management for both FIDO2 and FIDO UAF-based authenticators. This helps both administrators and end users to find and distinguish specific authenticators.
To find out which authenticators are used, you can query Intelligent Adaptive Authentication for a specific user as well as for all users and list their authenticators. Also, end users can list their authenticators to know which authenticators they have registered. To enable this type of authenticator management, Intelligent Adaptive Authentication uses the following parameters created during the registration of a FIDO-based authenticator:
-
Registration ID
Intelligent Adaptive Authentication generates a specific ID for each registration.
-
Customized registration name of the user
During the registration process of a FIDO authenticator, users can provide a customized registration name (registration alias). If not provided, Intelligent Adaptive Authentication uses the description of the relevant metadata and creates this customized name.
- Registration time
-
Registration type
This can by FIDO2 or UAF11, as applicable.
- AAID Authenticator Attestation ID. A unique identifier assigned to a model, class, or batch of FIDO authenticators that all share the same characteristics, and which a Relying Party can use to look up an Attestation Public Key and Authenticator Metadata for the device. (returned for FIDO UAF only).
- KeyID Registration key identifier. This is an opaque identifier for a key registered by an authenticator with a FIDO Server, for first-factor authenticators. It is used together with an AAID to identify a particular authenticator that holds the necessary key. Thus key identifiers must be unique within the scope of an AAID. With the AAID and the key ID, an authenticator registration is uniquely identified for a relying party. (returned for FIDO UAF only)
Any one or a combination of several of these parameters can be used to list, update, deregister, and delete specific authenticators for one or more specified users.
This feature is also available in the FIDO2 Bank Demo Web App to demonstrate the authenticator management for FIDO2 authenticators. For more information, see FIDO2 Bank Demo Web App.
Find registrations
This option allows end users to know which authenticators are registered for them and administrators to know which authenticators are used in Intelligent Adaptive Authentication. Find FIDO authenticator registrations:
- for a specific user
- for a registration type
- for a specific user and a certain registration type
- for all users and a certain registration type
To find FIDO authenticator registrations
-
Issue a get fido registrations request with the GET /fido-registrations endpoint.
-
Query parameters:
-
userID@domain
Unique identifier for the user, formatted as userID@domain.
If userID@domain is not provided, all registrations for all users will be returned.
-
registrationType
If registrationType is not provided, FIDO2 and UAF registrations will be returned.
-
-
Response body:
-
userID@domain
Unique identifier for the user, formatted as userID@domain.
- registrationID
- registrationAlias
- registrationType
- registrationTime
- AAID Authenticator Attestation ID. A unique identifier assigned to a model, class, or batch of FIDO authenticators that all share the same characteristics, and which a Relying Party can use to look up an Attestation Public Key and Authenticator Metadata for the device. (FIDO UAF registrations only)
- KeyID Registration key identifier. This is an opaque identifier for a key registered by an authenticator with a FIDO Server, for first-factor authenticators. It is used together with an AAID to identify a particular authenticator that holds the necessary key. Thus key identifiers must be unique within the scope of an AAID. With the AAID and the key ID, an authenticator registration is uniquely identified for a relying party. (FIDO UAF registrations only)
-
-
Update user registration name
You can update the customized registration name of the user that was generated during the registration of the FIDO authenticator. When you issue a GET fido registrations request, you will receive the registration ID in the response. You can use this registration ID to update the registration name.
To change the customized registration name with the registration ID
-
Issue an update fido registrations request with the PATCH /fido-registrations/{registrationID} endpoint.
-
Path parameter:
-
registrationID
This is the unique identifier of the registration to be updated.
-
-
Payload:
-
registrationAlias
This is the registration name.
-
-
Response body:
- userID@domain
- registrationID
- registrationAlias
- registrationType
- registrationTime
- AAID Authenticator Attestation ID. A unique identifier assigned to a model, class, or batch of FIDO authenticators that all share the same characteristics, and which a Relying Party can use to look up an Attestation Public Key and Authenticator Metadata for the device. (FIDO UAF registrations only)
- KeyID Registration key identifier. This is an opaque identifier for a key registered by an authenticator with a FIDO Server, for first-factor authenticators. It is used together with an AAID to identify a particular authenticator that holds the necessary key. Thus key identifiers must be unique within the scope of an AAID. With the AAID and the key ID, an authenticator registration is uniquely identified for a relying party. (FIDO UAF registrations only)
-
Delete registrations
With this, administrators can deregister and/or delete specific authenticators for one or more specified users.When you issue a GET fido registrations request, you will receive the registration ID in the response. You can use this registration ID to delete the registration.
To delete a FIDO authenticator registration
-
Issue a delete fido registrations request with the DELETE /fido-registrations/{registrationID} endpoint.
-
Path parameter:
-
registrationID
This is the unique identifier of the registration to be deleted.
-
-
FIDO UAF-only authenticator management
Intelligent Adaptive Authentication offers the option to specifically deregister and delete FIDO authenticators that have been registered using the FIDO UAF protocol.
Deregistration of a FIDO UAF authenticator
Prerequisites for removing a previously registered FIDO-based authenticator
The following prerequisites must be met before the deregistration process can be started:
- The user must be authenticated against Intelligent Adaptive Authentication and logged in with the app.
Deregister a FIDO UAF authenticator
Sequence of the deregistration of a FIDO UAF authenticator
- The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API via the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.
- The OneSpan Trusted Identity platform API sends the request to the FIDO Server.
- The FIDO Server removes the authenticator and sends a deregistration response to the OneSpan Trusted Identity platform API.
- The OneSpan Trusted Identity platform API forwards this response to the web server.
- The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.
If all authenticators that belong to a FIDO user have been deregistered, the FIDO user is automatically deleted.
To remove a previously registered FIDO-based authenticator
- Issue a deregister fido uaf authenticator request with the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.
- Payload:
- aaid
- Response body:
- deregistrationRequest
- uafStatusCode
For a full list of UAF status codes, refer to the FIDO alliance documentation.
- Payload:
Deregistration of individual keys from an authenticator
Instead of completely deregistering an authenticator, individual keys can be removed from the authenticator and FIDO Server. The FIDO protocols use public-key cryptography techniques to provide stronger authentication. During registration, a new key pair is created that is unique to the user, authenticator, and to the AppId. The private key is retained within the authenticator, while the public key is stored on the FIDO Server.
It is only possible to remove individual keys from an authenticator if they have been registered using the UAF protocol.
Prerequisites for the removal of individual keys on a previously registered FIDO-based authenticator
- The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.
Removal of individual keys from a previously registered FIDO-based authenticator
Sequence of the removal of individual keys on a previously registered FIDO-based authenticator
- The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API via the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.
- The OneSpan Trusted Identity platform API sends the request to the FIDO Server.
- The FIDO Server removes the keys and sends a deregistration response to the OneSpan Trusted Identity platform API.
- The OneSpan Trusted Identity platform API forwards this response to the web server.
- The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.
To remove individual keys on a previously registered FIDO-based authenticator
-
Issue a deregister fido uaf keys request with the POST /users/{userID@domain}/deregister-fido-uaf-keys endpoint.
-
Payload:
- aaid
- keyID
-
Response body:
- deregistrationRequest
-