FIDO2 in the Sandbox environment

FIDO2 is a standard for strong authentication on the web. It comprises the Web Authentication (WebAuthn) specification, a web-based API that enables FIDO-based authentication for online services on supported browsers and platforms, and the corresponding Client-to-Authenticator Protocol (CTAP), which enables an external authenticator to work with browsers that support WebAuthn and also lets it serve as an authenticator for desktop applications and web services. Together they allow users to authenticate to online services with their devices and/or authenticators without entering a password, on both desktop and mobile platforms. For more information on WebAuthn and CTAP, refer to the FIDO Alliance documentation.

In the Sandbox environment you can simulate and test the capabilities of the FIDO2 ceremonies with the help of the FIDO2 Sample Relying Party web application.

Overview of the Sandbox environment

OneSpan prepares a FIDO2 deployment specifically for your tenant in the Sandbox environment. The deployment involves the following parties:

  • Client infrastructure. This includes the platform and cross-platform authenticators, as well as the web browser (with WebAuthn support). By default, OneSpan supports the FIDO2 authenticators which are part of the FIDO Alliance Metadata Service version 3.0.
  • Relying Party Service. The web server application which provides the registration and authentication features. Its back end communicates via a secure connection (TLS certificates) with the OneSpan Trusted Identity platform API.

    In the Sandbox environment, the FIDO2 Sample Relying Party web application serves to demonstrate the end-to-end capabilities of the FIDO2 ceremonies: registration and authentication. On the client side, the FIDO2 Sample Relying Party web application demonstrates the interaction between the web browser and the available FIDO2 authenticators. On the back-end side, the FIDO2 Sample Relying Party web application forwards the data structures, which were processed by the authenticator, to the OneSpan Trusted Identity platform. These data structures are then further processed and validated by the FIDO2 Server.

    Once FIDO2 has been enabled, you will be able to access the FIDO2 Sample Relying Party web application via https://yourtenant.sdb.tid.onespan.cloud/v1/fido-sample-relying-party.

    For more information about the FIDO2 Sample Relying Party web application, see FIDO2 Sample Relying Party web application.

  • OneSpan Trusted Identity platform API. This REST API exposes the FIDO2 Server functionality via dedicated FIDO endpoints that are available in Intelligent Adaptive Authentication.
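The following is an added example, not code from the FIDO2 Sample Relying Party web application or from OneSpan. It shows the browser side of the registration ceremony described above: the relying party's creation options arrive as JSON with base64url-encoded binary fields, must be converted to ArrayBuffers before the WebAuthn call, and the data structures produced by the authenticator are encoded again so the RP front end can forward them to its back end (which in turn forwards them to the platform API). The JSON field layout and the injectable `credentials` parameter are assumptions made so the flow can run outside a browser.

```javascript
// Added example (not OneSpan's code): browser side of a FIDO2 registration
// ceremony. The credentials API is injectable so the logic can be exercised
// outside a browser; in a page it defaults to navigator.credentials.

// base64url (no padding) -> ArrayBuffer, as WebAuthn requires BufferSource
function base64urlToBuffer(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - (s.length % 4)) % 4);
  const bin = atob(b64);
  const bytes = new Uint8Array(bin.length);
  for (let i = 0; i < bin.length; i++) bytes[i] = bin.charCodeAt(i);
  return bytes.buffer;
}

// ArrayBuffer -> base64url (no padding), the usual wire form for JSON transport
function bufferToBase64url(buf) {
  let bin = '';
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// Convert the RP server's JSON options (assumed layout) into the structure
// navigator.credentials.create() expects: challenge, user.id and any
// excludeCredentials[].id become ArrayBuffers, everything else passes through.
function decodeCreationOptions(json) {
  return {
    ...json,
    challenge: base64urlToBuffer(json.challenge),
    user: { ...json.user, id: base64urlToBuffer(json.user.id) },
    excludeCredentials: (json.excludeCredentials || []).map(c => ({ ...c, id: base64urlToBuffer(c.id) })),
  };
}

// Run the ceremony and package the authenticator's output (clientDataJSON and
// attestationObject) for the RP back end, which forwards it for validation.
async function registerCredential(optionsJson, credentials = navigator.credentials) {
  const publicKey = decodeCreationOptions(optionsJson);
  const cred = await credentials.create({ publicKey });
  if (!cred) throw new Error('authenticator returned no credential');
  return {
    id: cred.id,
    rawId: bufferToBase64url(cred.rawId),
    type: cred.type,
    response: {
      clientDataJSON: bufferToBase64url(cred.response.clientDataJSON),
      attestationObject: bufferToBase64url(cred.response.attestationObject),
    },
  };
}
```

The returned object is what the front end would POST to the relying party; the RP does not interpret the attestation itself but hands it on to the FIDO2 Server for validation.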

For more information about FIDO concepts, refer to the specifications and technical glossary provided by the FIDO Alliance.

Configure FIDO2 in the Sandbox environment

To enable the integration of FIDO2-based functionalities with Intelligent Adaptive Authentication for the Sandbox environment, the following information must be provided to properly configure FIDO2:

  • Tenant name
  • (If required) Metadata statements

To enable FIDO2 for the Sandbox environment, submit a service request on the Product Support page by clicking the corresponding button.

Tenant name

Ensure that you have already created a tenant. To enable FIDO2, provide the tenant name to OneSpan support; the support staff will activate FIDO2 for you.

Metadata statements

The FIDO2 Server works out of the box with a list of supported FIDO2 authenticators which are part of the FIDO Alliance Metadata Service version 3.0.

If you intend to use authenticators that are not included in the FIDO Alliance Metadata Service, ensure that you provide the relevant metadata statements to OneSpan in the v3 format.

For more information about FIDO2 authenticators supported by the FIDO Alliance Metadata Service, see FIDO2-supported authenticators.