Transaction signing/confirmation using FIDO2


Thirumal Bandi

Jun 23, 2021, 10:49:01 PM6/23/21
to FIDO Dev (fido-dev)
Hello All,

I am looking at the possibility of replacing the transaction signing using OCRA with the transaction signing using FIDO. However, I do not see any provision in the FIDO2 specification. 

Does anyone have any recommendation or pointers on how we can achieve transaction confirmation or signing using FIDO2?

Thanks
Thirumal Bandi

Arshad Noor

Jun 23, 2021, 11:10:22 PM6/23/21
to Thirumal Bandi, FIDO Dev (fido-dev)
Hi Thirumal,

While WebAuthn Level-1 had Transaction Authorization defined in its
spec, not a single browser implemented it. As a result, it has been
removed from WebAuthn Level-2; while it does not prevent a browser from
implementing the capability based on the Level-1 spec, it's highly
unlikely anyone will.

Two developments that might be of interest:

1) There is experimental work going on in the W3C that is not a
standard yet; it leverages FIDO credentials to implement this
capability:
https://www.w3.org/blog/wpwg/2021/03/26/secure-payment-confirmation-stripe-experiment-and-next-steps/

2) While not an implementation of the WebAuthn Level-1 specification,
StrongKey's open-source, FIDO Certified server added capability to
perform transaction authorization using FIDO2 credentials. To
demonstrate this, there is a native Android client library and a sample
app that showcases how it can be done:
https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl

At the moment, the StrongKey FIDO server will return results that map to
the FIDO Alliance-EMVCo defined elements for transmitting FIDO-signed
transactions over EMV 3DS messaging:
https://fidoalliance.org/technical-note-fido-authentication-and-emv-3-d-secure-using-fido-for-payment-authentication/

So, if you're looking to implement a rich client app on Android (9 or
greater), you have the ability to start experimenting right away.

If you're looking to do it on desktops, then you can keep up with what's
going on with SPC. While you can deploy FIDO today to register users and
authenticate them to your web-apps, you may have to wait to experiment
with transaction confirmation.

Hope that helps.

Arshad Noor
StrongKey
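An added illustration of the model Arshad describes (a FIDO2 assertion that covers the transaction, verified by the server). This is example code written for this thread, not StrongKey's server or sample app, and it uses a common relying-party technique rather than anything the WebAuthn spec prescribes: the RP derives the challenge from the transaction details, so the assertion signature, which covers SHA-256(clientDataJSON) and therefore the challenge, commits to those details. The names (Transaction, MockAuthenticator, bank.example) and the sample transaction are assumptions. The mock authenticator builds authenticatorData and signs exactly what a real ES256 credential signs, so the verifier is a real WebAuthn-style check. It does nothing about the display problem the thread goes on to discuss: a valid signature proves the authenticator signed a challenge bound to these details, not that the user saw them.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Transaction is a constructed sample of what the RP asks the user to confirm.
type Transaction struct {
	Nonce     string `json:"nonce"` // fresh per request, so an old assertion cannot be replayed
	Payee     string `json:"payee"`
	AmountEUR string `json:"amount_eur"`
}

// TxChallenge derives the WebAuthn challenge from the transaction (assumed scheme):
// challenge = SHA-256(JSON(tx)); struct field order makes the JSON stable.
func TxChallenge(tx Transaction) []byte {
	b, _ := json.Marshal(tx) // a struct of plain strings cannot fail to marshal
	h := sha256.Sum256(b)
	return h[:]
}

type clientData struct { // mirrors clientDataJSON for a navigator.credentials.get() call
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url without padding, as WebAuthn requires
	Origin    string `json:"origin"`
}

type Assertion struct{ AuthData, ClientDataJSON, Signature []byte } // Signature: DER ECDSA (COSE ES256)

// signedMessage is what a FIDO2 authenticator signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}

// MockAuthenticator stands in for a FIDO2 authenticator holding an ES256 credential.
type MockAuthenticator struct {
	Key       *ecdsa.PrivateKey
	RPID      string
	SignCount uint32
}

func (a *MockAuthenticator) GetAssertion(origin string, challenge []byte) (Assertion, error) {
	cd, _ := json.Marshal(clientData{Type: "webauthn.get", Origin: origin, // plain strings: cannot fail
		Challenge: base64.RawURLEncoding.EncodeToString(challenge)})
	// authenticatorData = rpIdHash(32) || flags(1) || signCount(4); no extensions.
	a.SignCount++
	rpHash := sha256.Sum256([]byte(a.RPID))
	ad := make([]byte, 37)
	copy(ad, rpHash[:])
	ad[32] = 0x05 // UP (user present) | UV (user verified)
	binary.BigEndian.PutUint32(ad[33:], a.SignCount)
	digest := sha256.Sum256(signedMessage(ad, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, a.Key, digest[:])
	return Assertion{AuthData: ad, ClientDataJSON: cd, Signature: sig}, err
}

// VerifyTxAssertion is the RP-side check: the usual WebAuthn checks (type, origin, rpIdHash,
// UP flag, signature under the registered key) plus challenge == TxChallenge(tx), so an
// assertion made for a different transaction, or for a plain login, is rejected.
func VerifyTxAssertion(pub *ecdsa.PublicKey, rpID, origin string, tx Transaction, as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return errors.New("clientData type or origin mismatch")
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if err != nil || !bytes.Equal(got, TxChallenge(tx)) {
		return errors.New("challenge does not commit to this transaction")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(as.AuthData) < 37 || !bytes.Equal(as.AuthData[:32], rpHash[:]) || as.AuthData[32]&0x01 == 0 {
		return errors.New("authenticatorData: bad length, rpIdHash mismatch or user not present")
	}
	digest := sha256.Sum256(signedMessage(as.AuthData, as.ClientDataJSON))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	auth := &MockAuthenticator{Key: key, RPID: "bank.example"}
	tx := Transaction{Nonce: "n-20210623-0001", Payee: "ACME GmbH", AmountEUR: "100.00"} // constructed
	as, _ := auth.GetAssertion("https://bank.example", TxChallenge(tx))
	fmt.Println("original:", VerifyTxAssertion(&key.PublicKey, "bank.example", "https://bank.example", tx, as))
	tampered := Transaction{Nonce: tx.Nonce, Payee: tx.Payee, AmountEUR: "1000.00"} // amount changed after signing
	fmt.Println("tampered:", VerifyTxAssertion(&key.PublicKey, "bank.example", "https://bank.example", tampered, as))
}
```

The original transaction verifies (nil error); the tampered one fails because the challenge inside the signed clientDataJSON no longer matches. A real deployment would also check the sign counter against the stored value and persist the nonce to reject duplicate submissions, and would still need the platform-level display support discussed in the replies that follow to give the signature "what you see is what you sign" meaning.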

Philipp Junghannß

Jun 24, 2021, 4:06:13 AM6/24/21
to Arshad Noor, Thirumal Bandi, FIDO Dev (fido-dev)
How are browsers supposed to do TxAuth? The idea is that an authenticator with a secure display is supposed to do the TxAuth, and tell me if I am wrong, but IIRC authenticator extensions are just passed through and don't really need explicit browser support, as the browser is not involved in processing.

The issue here is more that there are basically no FIDO2 devices with a screen (or at least almost none I am aware of). The Trezor T (the only device I am aware of that has both a screen and FIDO2; however, being a 180€ cryptocoin wallet, I wouldn't call it feasible to use it only for FIDO anyway) has no TxAuth support. Ledger, which said they wanted TxAuth in their wallets, have pushed FIDO2 back for at least a year as far as I have seen, and are still U2F only. The other cryptocoin wallets with support for ANYTHING FIDO are generally only U2F.

Regards.


Arshad Noor

Jun 24, 2021, 6:48:27 AM6/24/21
to Philipp Junghannß, Thirumal Bandi, FIDO Dev (fido-dev)
You are correct in your statement, Philipp: browsers are not involved in
the cryptographic processing of the transaction. But, assuming you're
not using an external authenticator with a secure display that supports
TxAuth, the issue is that the browser has to understand enough about
TxAuth to know that the transaction has to be displayed in a manner that
cannot be modified on the client side (other than to prompt the user to
accept/reject the transaction with the "FIDO credential gesture": PIN,
pattern, biometric). And this does require platform support.

Android and iOS have that support currently: BiometricPrompt on Android
and some equivalent on iOS (I'm not as knowledgeable on iOS as on
Android). Which is why we chose to implement TxAuth on Android and are
looking for an iOS developer currently. :-)

Arshad
