Deploying FIDO Authentication: Technical Considerations
•
3 recomendaciones•1,322 vistas
This presentation looks at the technical considerations for deploying FIDO Authentication, including application and server integration, FIDO2, APIs.
Recomendados
Más contenido relacionado
La actualidad más candente
La actualidad más candente (20)
Similar a Deploying FIDO Authentication: Technical Considerations
Similar a Deploying FIDO Authentication: Technical Considerations (20)
Más de FIDO Alliance
Más de FIDO Alliance (20)
Último
Último (20)
Deploying FIDO Authentication: Technical Considerations
- 1. All Rights Reserved | FIDO Alliance | Copyright 20181 Deploying FIDO Authentication: Technical Considerations
- 2. All Rights Reserved | FIDO Alliance | Copyright 20182 Authentication Server Device User https://paypal.com
- 3. All Rights Reserved | FIDO Alliance | Copyright 20183 FIDO BUILDING BLOCKS RP SERVER RELYING PARTY APPLICATION SERVER BROWSER PLATFORM AUTHENTICATOR 1. Server accepts or rejects login 2. Authenticator gets user permission; creates registration / authn requests 3. Browser / Platform provides API for accessing authnr 4. Relying Party Application (RP App) mobile / web app that uses FIDO APIs for authentication 5. RP server web / REST server that uses FIDO server for Authentication 1 4 3 2 5
- 4. All Rights Reserved | FIDO Alliance | Copyright 20174 Application Integration
- 5. All Rights Reserved | FIDO Alliance | Copyright 20185 Relying Party Application Welcome Tour Feedback Transfer Money Home Point of Sale Register Login About Profile Statements Invoices Tools
- 6. All Rights Reserved | FIDO Alliance | Copyright 20186 Apps: Two Points of Integration Register Login
- 7. All Rights Reserved | FIDO Alliance | Copyright 20187 Flavors of Register First Factor (Passwordless) Second Factor (Token)
- 8. All Rights Reserved | FIDO Alliance | Copyright 20188 App Integration - Register BROWSER AUTHENTICATOR Register ( Account, RelyingPartyID );Brett https://paypal.com RegisterResponse { Credential, Attestation }; Public Key Attestation User Verification
- 9. All Rights Reserved | FIDO Alliance | Copyright 20189 Flavors of Login First Factor (Passwordless) Second Factor (Token)
- 10. All Rights Reserved | FIDO Alliance | Copyright 201810 App Integration - Log In BROWSER AUTHENTICATOR Sign ( Challenge, RelyingPartyID ); SignResponse { Signature }; Brett Challenge Signature https://paypal.com User Verification
- 11. All Rights Reserved | FIDO Alliance | Copyright 201711 Server Integration
- 12. All Rights Reserved | FIDO Alliance | Copyright 201812 Messages Sent to Server RP SERVER RELYING PARTY APPLICATION SERVER BROWSER PLATFORM AUTHENTICATOR 1. Relying Party Application Takes message from API… 2. Message …and sends message to… 3. Relying Party Server …which processes the message with help from… 4. FIDO Server 1 4 32
- 13. All Rights Reserved | FIDO Alliance | Copyright 201813 Server Registration RegisterResponse { Credential, Attestation }; Public Key Attestation User Data Store Brett: Public Key Registered! 1.Create New User 2.Validate Attestation (optional) 3.Store Public Key
- 14. All Rights Reserved | FIDO Alliance | Copyright 201814 Attestation, Metadata, MDS • What is attestation? Signed statement from authenticator that the metadata is accurate • What is metadata? Information about an authenticator that helps establish trust • Who needs it? Relying parties: decide what authenticators they trust Social Networks: maybe not so important…? Financial Institutions: might be required by regulators...? MetaData Service (MDS)
- 15. All Rights Reserved | FIDO Alliance | Copyright 201815 Server Authentication SignResponse { Signature }; Signature User Data Store 1.Lookup User 2.Verify Challenge 3.Verify Signature w/ Public Key Brett: Challenge Public Key Authenticated!
- 16. All Rights Reserved | FIDO Alliance | Copyright 201716 Introducing FIDO2
- 17. All Rights Reserved | FIDO Alliance | Copyright 201817 RELYING PARTY APPLICATION Browser “Application”: A normal website - HTML, CSS, JavaScript
- 18. All Rights Reserved | FIDO Alliance | Copyright 201818 FIDO2: WEBAUTHN A new JavaScript API that enables FIDO Authentication in the browser Supported In:
- 19. All Rights Reserved | FIDO Alliance | Copyright 2018 EXTERNAL AUTHENTICATOR 19 FIDO2: CLIENT-TO-AUTHENTICATOR PROTOCOL (CTAP) RELYING PARTY APPLICATION BROWSER PLATFORM INTERNAL AUTHENTICATOR CTAP authenticatorMakeCredential() authenticatorGetAssertion()
- 20. All Rights Reserved | FIDO Alliance | Copyright 201820 FIDO2: EXTENSIONS • User Verification Caching (UVC) (see previous slide) • Location Extension provides GPS position information as part of the authentication • Transaction Authorization prompts a user to approve a specific transaction amount (e.g. – transfer $100?) • User Verification Method (UVM) how many factors (have / know / are) were used in the authentication, and what kinds of factors (fingerprint, voice, etc.) • User Verification Index (UVI) uniquely identifies which data record was used to identify a user (e.g. – which finger, for fingerprint biometrics) • Authenticator Selection allows a Relying Party to guide the selection of the authenticator that will be leveraged when creating the credential • FIDO AppID allows Relying Parties who have previously registered a credential using the legacy FIDO JavaScript APIs to request an assertion
- 21. All Rights Reserved | FIDO Alliance | Copyright 201721 A (Quick) Tour of APIs
- 22. All Rights Reserved | FIDO Alliance | Copyright 201822 U2F JavaScript API https://fidoalliance.org/specs/fido-u2f-v1.1-id-20160915/fido-u2f-javascript-api-v1.1-id-20160915.html#high-level- javascript-api
- 23. All Rights Reserved | FIDO Alliance | Copyright 201823 UAF Android APIs https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-client-api-transport-v1.0-ps- 20141208.html#android-intent-api
- 24. All Rights Reserved | FIDO Alliance | Copyright 201824 UAF iOS API https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-client-api-transport-v1.0-ps-20141208.html#ios- custom-url-api
- 25. All Rights Reserved | FIDO Alliance | Copyright 201825 UAF Browser API https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-client-api-transport-v1.0-ps-20141208.html#dom-api
- 26. All Rights Reserved | FIDO Alliance | Copyright 201826 UAF Operation Messages https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido- uaf-protocol-v1.0-ps-20141208.html#authentication-request- message https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-prot v1.0-ps-20141208.html#registration-request-message
- 27. All Rights Reserved | FIDO Alliance | Copyright 201827 UAF Server Processing https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol- v1.0-ps-20141208.html#registration-processing-rules https://fidoalliance.org/specs/fido-uaf-v1.0-ps-20141208/fido-uaf-protocol- v1.0-ps-20141208.html#authentication-response-processing-rules-for-fido- server
- 28. All Rights Reserved | FIDO Alliance | Copyright 201828 WebAuthn / FIDO 2.0 API https://w3c.github.io/webauthn/#api
- 29. All Rights Reserved | FIDO Alliance | Copyright 201829 WebAuthn Server Processing https://w3c.github.io/webauthn/#rp-operations
- 30. All Rights Reserved | FIDO Alliance | Copyright 201830 Thanks! Adam Powers Technical Director adam@fidoalliance.org All Rights Reserved | FIDO Alliance | Copyright 2017