links: SPA TOC - Identification Authentication - Index


FIDO

FIDO Goals

  • Getting rid of passwords
  • Using asymmetric crypto
  • Having different authentication facets
  • Decoupling authenticator and authentication protocol
  • Supporting different kinds of authenticators

Challenge Response

By using asymmetric crypto we can authenticate users with a challenge. To register, the relying party (server) initially sends a challenge. The client signs this challenge with its private key and sends back its public key together with the signed challenge. From then on the relying party can send challenges and the client signs them with the private key. If the signature verifies against the public key stored on the server, the client is logged in.

U2F - Universal Second Factor

U2F is a standard for two-factor authentication (2FA). It allows users to augment traditional login methods with a physical device, like a USB security key, which provides an additional layer of security. U2F devices communicate with the host using standard protocols such as USB, NFC, or Bluetooth. The U2F standard is based on public-key cryptography – during registration, the device creates a new key pair, and the public key is registered with the online service. During authentication, the service verifies the signature generated by the device. U2F was developed by the FIDO (Fast IDentity Online) Alliance.

Attestation

In the context of cybersecurity, attestation refers to the process where a device or a system demonstrates (or attests to) its identity and integrity. This often involves proving that it is running trusted software and hasn't been tampered with. It's a key component in trusted computing environments.

Or in other words with an example:

Attestation is used to credibly demonstrate the origin or type of an authenticator and to validate the integrity of the information it produces. The Android KeyStore can attest keys using an attestation key that never leaves the TEE and chains up to a Google root certificate. By doing that and providing the X.509 certificate chain to the relying party, the RP can be sure that the key is stored in hardware. (The RP needs to configure the public Google root keys for that, of course.) This is similar for Android Protected Confirmation, where we can attest that a specific message was shown on a Trusted User Interface.

FIDO2

  • WebAuthn
    • Web Authentication is the protocol that is used for the mentioned challenge-response mechanism between
    • Backwards compatible with legacy FIDO Universal 2nd Factor (U2F)
  • Client to Authenticator Protocol (CTAP)
    • This protocol is used to securely pass the WebAuthn request from the client (e.g. Browser) to the authenticator (e.g. Yubikey) and the other way around
    • Supports USB, NFC, Bluetooth
    • Using Bluetooth you can use your smartphone to store the private keys on its secure hardware.

yubikey.png

WebAuthn Registration Flow

webauthn.png

RP Info: Relying Party Info (e.g. domain name, etc.)

Attestation: Cryptographic statement that verifies a key pair was generated by a legitimate device (often includes certificates)

WebAuthn Authentication Flow

webauthn2.png

User verification: PIN, fingerprint, hardware key (YubiKey)

RP ID: Relying Party Identifier
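The challenge-response mechanism and the registration/authentication flows above, as an added example that is not part of the original notes: a relying party that stores only public keys, issues one-time challenges, and verifies signatures bound to its own RP ID. The signing input is a simplified stand-in for the real WebAuthn structures (authenticator data and client data hash), and the names NewRP, Register, Sign and Verify are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// RelyingParty stores only public keys plus the single challenge currently outstanding per user.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
	pending map[string][]byte
}
func NewRP(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, pending: map[string][]byte{}}
}
// signedMessage is a simplified stand-in for the WebAuthn signing input: RP ID hash plus challenge.
func signedMessage(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	digest := sha256.Sum256(append(rpHash[:], challenge...))
	return digest[:]
}
// Register: the authenticator creates a fresh key pair and the RP keeps only the public half (the private key models the authenticator's secure hardware).
func Register(rp *RelyingParty, user string) *ecdsa.PrivateKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { panic(err) }
	rp.pubKeys[user] = &priv.PublicKey
	return priv
}
// Challenge: the RP issues a fresh random challenge and remembers it for this user.
func (rp *RelyingParty) Challenge(user string) []byte {
	rp.pending[user] = make([]byte, 32)
	rand.Read(rp.pending[user])
	return rp.pending[user]
}
// Sign: the authenticator signs the challenge bound to the RP ID the client presented.
func Sign(auth *ecdsa.PrivateKey, rpID string, challenge []byte) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, auth, signedMessage(rpID, challenge))
	if err != nil { panic(err) }
	return sig
}
// Verify: the RP checks the challenge is the one it issued, drops it so a replay fails, then verifies the signature against its own RP ID and the stored public key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	want, pending := rp.pending[user]
	if !ok || !pending || string(want) != string(challenge) { return false }
	delete(rp.pending, user)
	return ecdsa.VerifyASN1(pub, signedMessage(rp.ID, challenge), sig)
}
```

A signature over the same challenge verifies once only, and a signature made for a different RP ID is rejected even though it was produced by the registered key.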
