FIDO-based authentication
OneSpan Cloud Authentication allows you to integrate FIDO The FIDO (Fast IDentity Online) Alliance is an organization whose main goal is to reduce the user’s reliance on passwords. It proposes several frameworks that enable passwordless authentication.-based authentication in your solution. It supports the following FIDO protocols:
- FIDO UAF FIDO UAF aims to substitute password authentication. It provides passwordless and multi-factor authentication with compliant authenticators. (Universal Authentication Framework)
FIDO UAF
OneSpan Cloud Authentication (OCA) provides the functionality of a FIDO UAF Server as a service. It is exposed via a set of APIs that enables the relying parties to provide secure passwordless registration, authentication, and transaction signing capabilities.
FIDO UAF infrastructure — overview
OneSpan Cloud Authentication handles the following processes for the server-side implementation of the FIDO UAF protocol:
- Communication of the FIDO UAF protocol messages to a FIDO user device (usually a mobile app).
- Validation of the FIDO UAF authenticator attestations to ensure only trusted authenticators are registered for use (see FIDO Metadata Service).
- Validation of the FIDO UAF authenticator attestations to ensure the characteristics of the authenticators are within the boundaries of the defined FIDO UAF policy. (see FIDO UAF policy).
- Outline the scope of the generated credentials via the AppID URL (see AppID).
- Link the registered FIDO UAF authenticator to a TID user account.
- Evaluation of the user authentication and transaction confirmation responses to determine their validity.
AppID
During the FIDO UAF registration, a private/public key pair is generated on the authenticator side. The public key is passed from the client and stored on the FIDO UAF Server. As part of this process, each key is associated with an AppID The AppID is a URL provided as part of the protocol message, sent by the server, which indicates the scope of the newly generated keys. On the client side, a FIDO Client dereferences the AppID URL and process it by extracting the list of trusted facets, such as the mobile apps that are allowed to use the newly generated keys.
FIDO UAF policy
The UAF policies define the characteristics of authenticators used for UAF operations (registration and authentication). These policies are defined per relying party, and contain the following two fields:
-
accepted, type sequencesequence<MatchCriteria>
The accepted field is a list of sets of match criteria.
A valid policy must have at least one set of authenticators on the list of accepted match criteria.
-
disallowed, type sequenceMatchCriteria
The disallowed field describes authenticators which are excluded from the operation, even if it overlaps with any authenticator on the accepted list (i.e. mandatory fields for both elements are equal).
FIDO2
OneSpan Cloud Authentication provides the functionality of a FIDO2 Server as a service. It is exposed via a set of APIs that allow the relying parties to provide secure passwordless registration and authentication capabilites. This is accomplished either through the use of authenticators that implement the Client-to-Authenticator Protocol (CTAP) and platforms, or browsers that implement the W3C WebAuthn specification.
FIDO2 infrastructure — overview
OneSpan Cloud Authentication (OCA) handles the following processes for the server-side implementation of the W3c WebAuthn Specification:
- Validation of the FIDO2 authenticator attestations to ensure only trusted authenticators are registered for use (see FIDO Metadata Service).
- Outline the scope of the generated credentials.
- Link the registered FIDO2 authenticator to a user account.
- Evaluation of the user authentication responses (assertions) to determine their validity.
FIDO Metadata Service
OneSpan Cloud Authentication validates the FIDO authenticator attestation against the FIDO Metadata Service, which provides a trusted source of information about the FIDO authenticator. OneSpan Cloud Authentication manages the metadata that it receives from the FIDO Alliance Metadata Service in its own metadata service. This is kept up-to-date to ensure it has the latest information about the new authenticators.
For more information about FIDO Alliance Metadata Service, refer to the FIDO Alliance documentation.
Next steps
For more information about how to configure the FIDO feature in OneSpan Cloud Authentication, refer to the following articles:
- For the FIDO UAF protocol, see FIDO UAF onboarding in the Sandbox and Production environments.
- For the FIDO2 protocol, see FIDO2 in the Sandbox environment and FIDO2 in the Production environment.
For information about the integration of FIDO-based authentication, see Integration of user login with FIDO-based authentication.