FIDO-based authentication

The FIDO (Fast IDentity Online) Alliance is an organization whose main goal is to reduce the user's reliance on passwords; it proposes several frameworks that enable passwordless authentication. OneSpan Cloud Authentication allows you to integrate FIDO-based authentication in your solution, and it supports the following FIDO protocols:

For information about the integration of FIDO-based authentication, see Integrating end-user login with FIDO-based authentication.

FIDO UAF

The user needs to register the UAF authenticator on their device with the FIDO Server for a given application. After registration, the user authenticates with the registered authenticator. The UAF protocol also provides a transaction confirmation mechanism: if the authenticator is capable of displaying transaction confirmations, the user can be prompted to confirm a specific transaction.

If a user wants to delete their AppID, the previously registered UAF authenticator can also be deregistered.

AppID

The AppID is the middleman in the communication between the web server and the OneSpan Trusted Identity platform services. When a user registers their authenticator, it creates a new private key, and the corresponding public key is sent to the relying party. As part of this process, each key is associated with an AppID. The AppID is a URL and part of the protocol message that is sent by the server. It indicates the target for this credential and holds information about the relying party (e.g. policies) for a given tenant.

Each tenant can have multiple relying parties. These are identified by the AppID.

FIDO Metadata Service

The FIDO Metadata Service manages authenticator metadata from the FIDO Alliance. The collected data are used during FIDO UAF ceremonies (registration, authentication) to verify the authenticator capabilities.

End users cannot access this service because it contains metadata that is generated by the FIDO Alliance.

UAF policies

The UAF policies define the characteristics of authenticators used for UAF operations (registration and authentication). These policies are defined per relying party, and contain the following two fields:

  • accepted, type sequence<sequence<MatchCriteria>>

    The accepted field is a list of sets of match criteria.

    A valid policy must have at least one set of authenticators on the list of accepted match criteria.

  • disallowed, type sequence<MatchCriteria>

    The disallowed field describes authenticators that are excluded from the operation even if they overlap with an authenticator on the accepted list (i.e. the mandatory fields of both elements are equal).
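The two policy fields above combine as follows: accepted is a list of sets, any one of which must be fully matched, while a match on any disallowed entry excludes the authenticator regardless of accepted. The following is an added illustration (not OneSpan's code) of that evaluation order. The Authenticator, MatchCriteria and Policy classes, the AAIDs, and the simplified bit-flag matching rule (all bits required by the criterion must be set on the authenticator) are assumptions of this example; the full UAF specification defines more MatchCriteria fields and per-field matching rules.

```python
"""Simplified FIDO UAF policy evaluation: accepted (OR of AND-sets) and disallowed."""
from dataclasses import dataclass, field
from typing import List, Optional

# Bit-flag constants from the FIDO Registry of Predefined Values.
USER_VERIFY_FINGERPRINT_INTERNAL = 0x02
USER_VERIFY_PASSCODE_INTERNAL = 0x04
KEY_PROTECTION_SOFTWARE = 0x01
KEY_PROTECTION_HARDWARE = 0x02
KEY_PROTECTION_TEE = 0x04
ATTACHMENT_HINT_INTERNAL = 0x01


@dataclass
class Authenticator:
    """Characteristics of one authenticator (in practice taken from its metadata statement)."""
    aaid: str
    user_verification: int
    key_protection: int
    attachment_hint: int


@dataclass
class MatchCriteria:
    """A subset of the UAF MatchCriteria fields; None means 'no constraint on this field'."""
    aaid: Optional[List[str]] = None
    user_verification: Optional[int] = None
    key_protection: Optional[int] = None
    attachment_hint: Optional[int] = None


@dataclass
class Policy:
    accepted: List[List[MatchCriteria]]                 # OR over sets, AND inside each set
    disallowed: List[MatchCriteria] = field(default_factory=list)


def matches(criteria: MatchCriteria, authr: Authenticator) -> bool:
    """True if every constrained field of `criteria` is satisfied by `authr`.

    Simplification assumed here: a bit-flag criterion is satisfied when all of its
    bits are set on the authenticator.
    """
    if criteria.aaid is not None and authr.aaid not in criteria.aaid:
        return False
    for name in ("user_verification", "key_protection", "attachment_hint"):
        required = getattr(criteria, name)
        if required is not None and (getattr(authr, name) & required) != required:
            return False
    return True


def policy_is_valid(policy: Policy) -> bool:
    """A valid policy has at least one non-empty set on the accepted list."""
    return bool(policy.accepted) and all(len(s) > 0 for s in policy.accepted)


def is_eligible(policy: Policy, authr: Authenticator) -> bool:
    """Disallowed is evaluated first, so it wins over any overlapping accepted entry."""
    if not policy_is_valid(policy):
        raise ValueError("policy must contain at least one set of accepted match criteria")
    if any(matches(c, authr) for c in policy.disallowed):
        return False
    return any(all(matches(c, authr) for c in s) for s in policy.accepted)


def eligible_aaids(policy: Policy, authenticators: List[Authenticator]) -> List[str]:
    return [a.aaid for a in authenticators if is_eligible(policy, a)]


# Constructed sample data; the AAIDs are made up for this example.
SAMPLE_AUTHENTICATORS = [
    Authenticator("ABCD#0001", USER_VERIFY_FINGERPRINT_INTERNAL,
                  KEY_PROTECTION_HARDWARE | KEY_PROTECTION_TEE, ATTACHMENT_HINT_INTERNAL),
    Authenticator("ABCD#0002", USER_VERIFY_PASSCODE_INTERNAL,
                  KEY_PROTECTION_SOFTWARE, ATTACHMENT_HINT_INTERNAL),
    Authenticator("ABCD#0003", USER_VERIFY_PASSCODE_INTERNAL,
                  KEY_PROTECTION_SOFTWARE, ATTACHMENT_HINT_INTERNAL),
]

# Accept hardware-protected fingerprint authenticators OR the specific AAID ABCD#0002;
# ABCD#0002 is also on the disallowed list (a model the relying party no longer
# trusts), so the disallowed entry overrides the accepted one.
SAMPLE_POLICY = Policy(
    accepted=[
        [MatchCriteria(user_verification=USER_VERIFY_FINGERPRINT_INTERNAL,
                       key_protection=KEY_PROTECTION_HARDWARE)],
        [MatchCriteria(aaid=["ABCD#0002"])],
    ],
    disallowed=[MatchCriteria(aaid=["ABCD#0002"])],
)

if __name__ == "__main__":
    print(eligible_aaids(SAMPLE_POLICY, SAMPLE_AUTHENTICATORS))  # ['ABCD#0001']
```

Evaluating disallowed before accepted is the property to preserve when implementing or reviewing such a matcher: an entry that appears on both lists must never be treated as eligible, and a policy with an empty accepted list is rejected rather than silently matching nothing.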

FIDO2

A FIDO2 web server can be an Android application, a desktop application, or a web browser, which can communicate with authenticators to perform FIDO2 operations – registration of an authenticator and authentication. All major web browsers support the web server API (WebAuthn API) by exposing native functions for performing the necessary operations.

A FIDO2-based application can also interact with authenticators supporting other FIDO protocols by using the Client-to-Authenticator Protocol (CTAP).

RelyingPartyID

The RelyingPartyID is the WebAuthn relying party that is used for the communication between the web server and the OneSpan Trusted Identity platform services. When an authenticator is registered to a Relying Party, the registration is only valid for authentication to that relying party. The RelyingPartyID service is responsible for holding information about relying parties for a given tenant.

Each tenant can have multiple relying parties. These are identified by the RelyingPartyID.
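The statement that a registration is only valid for the relying party it was made with is enforced on the server side of WebAuthn: the authenticator embeds the SHA-256 hash of the RP ID in the authenticatorData it signs, and the server compares that hash with the RP ID it expects. The following is an added example (not OneSpan's code) of that check over the fixed 37-byte prefix of authenticatorData (rpIdHash, flags, signCount), with the signature counter regression check that the WebAuthn specification also recommends. The RP IDs and the sample authenticatorData are constructed for the example; the function names are assumptions.

```python
"""Verify that WebAuthn authenticatorData is bound to the expected Relying Party ID."""
import hashlib
import hmac
import struct
from typing import Optional

# authenticatorData flag bits (WebAuthn, section 6.1)
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows (registration only)


def parse_authenticator_data(auth_data: bytes) -> dict:
    """Split the fixed prefix: rpIdHash (32 bytes) | flags (1 byte) | signCount (4 bytes, big-endian)."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    return {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def verify_rp_binding(auth_data: bytes, expected_rp_id: str,
                      require_uv: bool = False,
                      stored_sign_count: Optional[int] = None) -> dict:
    """Return the individual check results and an overall `accepted` verdict."""
    parsed = parse_authenticator_data(auth_data)
    expected_hash = hashlib.sha256(expected_rp_id.encode("utf-8")).digest()
    # Constant-time comparison of the 32-byte hash against the RP ID this server owns.
    rp_ok = hmac.compare_digest(parsed["rp_id_hash"], expected_hash)
    up_ok = bool(parsed["flags"] & FLAG_UP)
    uv_ok = (not require_uv) or bool(parsed["flags"] & FLAG_UV)
    # Counter check: when either value is non-zero the new counter must be strictly
    # greater than the stored one; otherwise a cloned authenticator is a possibility.
    counter_ok = True
    if stored_sign_count is not None and (parsed["sign_count"] != 0 or stored_sign_count != 0):
        counter_ok = parsed["sign_count"] > stored_sign_count
    return {
        "rp_id_matches": rp_ok,
        "user_present": up_ok,
        "user_verification_ok": uv_ok,
        "counter_ok": counter_ok,
        "sign_count": parsed["sign_count"],
        "accepted": rp_ok and up_ok and uv_ok and counter_ok,
    }


def make_sample_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test input: the prefix an authenticator would emit for `rp_id`."""
    return (hashlib.sha256(rp_id.encode("utf-8")).digest()
            + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    # Constructed example: credential registered for RP ID "login.example.com".
    sample = make_sample_auth_data("login.example.com", FLAG_UP | FLAG_UV, 7)
    print(verify_rp_binding(sample, "login.example.com", stored_sign_count=6)["accepted"])  # True
    print(verify_rp_binding(sample, "example.com")["accepted"])                             # False
```

The second call shows the scoping rule in action: a credential created for "login.example.com" fails the rpIdHash comparison when presented to a server expecting "example.com", so a registration never carries over to a different RelyingPartyID.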

FIDO Metadata Service

The FIDO Metadata Service manages authenticator metadata from the FIDO Alliance. It serves as a trust anchor during FIDO2 ceremonies to verify the capabilities of an authenticator.

FIDO2 extension handling

OneSpan Cloud Authentication supports a set of WebAuthn extensions for FIDO2-based authentication. If you want to use any of these extensions, you need to enable them in the relevant relying party entry in the FIDO2 configuration service. For more information about extension handling, refer to the FIDO Alliance documentation.