FIDO UAF onboarding in the Sandbox and Production environments
Overview of the FIDO UAF architecture
A typical FIDO UAF FIDO UAF aims to substitute password authentication. It provides passwordless and multi-factor authentication with compliant authenticators. deployment for the Sandbox and Production environments involves the following parties:
- Client infrastructure. This includes the FIDO The FIDO (Fast IDentity Online) Alliance is an organization whose main goal is to reduce the user’s reliance on passwords. It proposes several frameworks that enable passwordless authentication. user device with the FIDO UAF client integrated in the mobile application. By default, OneSpan supports the FIDO UAF authenticators which are part of the FIDO Alliance Metadata Service version 3.0.
- . The back-end server of the mobile application acts as the . Via a secure connection (TLS certificates), the mobile application delegates FIDO Server responsibilities to the OneSpan Trusted Identity platform API.
- OneSpan Trusted Identity platform API. This REST API exposes the FIDO UAF Server functionality via dedicated FIDO endpoints that are available in OneSpan Cloud Authentication.
For more information about FIDO concepts, refer to the specifications and technical glossary provided by the FIDO Alliance.
Before you start the onboarding process with OneSpan, ensure that you completed the following steps:
- A mobile application with FIDO UAF client capabilities has been configured.
- Your OneSpan Trusted Identity platform API service. has been adjusted to be able to connect to the
Configuration of FIDO UAF in the Sandbox and Production environments
To enable the integration of FIDO UAF-based functionalities with OneSpan Cloud Authentication for the Sandbox and Production environments, the following information must be provided to configure the FIDO UAF Server correctly:
- Tenant name
- AppID of your mobile application
- Trusted facets An (application) facet is how an application is implemented on various platforms. For example, the application MyBank may have an Android app, an iOS app, and a Web app. These are all facets of the MyBank application. list
- (If required) Metadata statements
To enable FIDO UAF for the Sandbox and Production environments, submit a service request on the Product Support page by clicking the corresponding button.
Ensure that you already have created a tenant. To enable FIDO UAF, provide the tenant name to OneSpan support—our support staff will activate FIDO UAF for you.
When you set up FIDO UAF, you must configure the AppID The AppID is a URL provided as part of the protocol message, sent by the server, which indicates the scope of the newly generated keys, which is basically a URL, to allow scoping the registered keys to different platform applications. From this AppID, a list of trusted facets is retrieved. This list of trusted facets is defined and stored in OneSpan Cloud Authentication during the configuration of the Relying Party A web site or other entity that uses a FIDO protocol to directly authenticate users (i.e., performs peer-entity authentication). Note that if FIDO is composed with federated identity management protocols (e.g. SAML, OpenID Connect etc.), the identity provider will also be playing the role of a FIDO Relying Party..
On the client side, the FIDO Client ensures that only the trusted facets are allowed to work with the registered keys for performing the FIDO ceremonies.
As the mobile application is not connected directly to the OneSpan Trusted Identity platform API, the must expose the AppID that is used to retrieve the trusted facets list to the FIDO client. Internally, the obtains the trusted facets from the OneSpan Trusted Identity platform API app facets endpoint:
Trusted facets list: retrieval process
Sequence of the trusted facets list retrieval
- The mobile application, which inlcudes the FIDO Client, retrieves the AppId: https://yourwebapp.example.com/AppId.
- The OneSpan Trusted Identity platform API app facets endpoint: , as the back end of the mobile application, obtains the trusted facets from the
- The API returns the list of facets to the .
- The returns the list to the mobile application.
- The FIDO Client included in the mobile application verifies that the facet is included in the list of trusted facets.
Trusted facets list
The trusted facets returned by the OneSpan Trusted Identity platform API app facets endpoint, GET /fido-uaf-app-facets, is used for the configuration of the FIDO UAF Server Relying Party.
For Android devices, the facet ID must be a URI derived from the Base64 encoding SHA-1 hash of the APK signing certificate [APK-Signing]: android:apk-key-hash:base64_encoded_sha1_hash-of-apk-signing-cert.
Android facet ID example:
For iOS devices, the facet ID must be the Bundle ID [BundleID] URI of the application: ios:bundle-id:ios-bundle-id-of-app.
iOS facet ID example:
The FIDO UAF Server works out-of-the-box with a list of supported FIDO UAF authenticators which are part of the FIDO Alliance Metadata Service version 3.0.
If you intend to use an authenticator that is not included in the FIDO Alliance Metadata Service, ensure that you provide the relevant metadata statements to OneSpan in the v3 format.
For more information about FIDO UAF authenticators supported by the FIDO Alliance Metadata Service, see FIDO UAF-supported authenticators.
With this, FIDO UAF is enabled and you are ready to use the supported FIDO UAF operations. For more information on these operations, see the following articles: