Hi,
Yes, it will probably be both more work and more difficult to deploy U2F first and migrate to WebAuthn later. WebAuthn is also already better supported by more browsers than U2F ever was - including native support in mobile operating systems for using the same credentials in mobile apps.
Yes, there would be a lot of changes to the U2F server to support WebAuthn. WebAuthn has a much wider scope than U2F does - including more parameters, more key formats and more signature formats. Most of the expanded cryptography and verification logic can be abstracted by libraries, but the application still needs to be aware of and support the wider API surface.
I recommend skipping U2F entirely and starting out with WebAuthn. Your users will have a better experience, you will spend less effort, and you won't need to add complexity to migrate later.
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/dccb7e6e-1665-489a-8e1a-2bd05726c2ae%40fidoalliance.org.
I would concur with Emil, Jack.
But, why would you want to waste time writing your own FIDO2 server? There is a FIDO Certified, open-source implementation - now with high-availability built-in - on GitHub that supports both FIDO2 and U2F Authenticators today; check it out: https://github.com/strongkey/fido2
Arshad Noor
StrongKey
Yes, start with WebAuthn. That will work just fine with older U2F keys. Don't do a U2F server and migrate if you are just starting.
John B.
Yuriy,
Can you distinguish between "FIDO Conformant" and "FIDO Certified", please? I have come across the expression "FIDO Conformant", let alone where the word conformant was capitalized to imply some standard.
If someone from the FIDO Alliance's certification team is on this forum, can they also add some clarity to this? I only see "FIDO Certified" on the official pages of the FIDO Alliance: https://fidoalliance.org/certification/
Thank you.
Arshad Noor
StrongKey
I meant to say that I have NOT come across the term "FIDO Conformant"....
Arshad
FIDO CERTIFIED means that implementation has passed FIDO conformance tools, passed interoperability event, and has achieved official FIDO Alliance certification.
FIDO COMPLIANT means that implementation has passed FIDO conformance tools.
When you say "FIDO conformance tools" are these official "FIDO Alliance conformance tools"?
So, "FIDO Conformant" implies that it addresses protocol-level requirements (per FIDO Alliance? Or is it self-asserted?), but there are no guarantees of interoperability?
Is "FIDO Conformant" a FIDO Alliance program and something supported by the FIDO Alliance?
Are you (still) working at FIDO Alliance? I'm a little confused by your e-mail address since it no longer says @fidoalliance.org, so I'm unsure if you're speaking for the FIDO Alliance or for yourself?
Thanks.
Arshad Noor
StrongKey
On 2019-09-25 05:49, Jack wrote:
We are implementing U2F using a Yubikey device. We might want to support WebAuthn in future.
Is it better to implement WebAuthn server now, since it is backward compatible with U2F?
I see that the basic protocol is same for both U2F and WebAuthn. If we implement U2F server now, will there be a lot of changes on the U2F server to support WebAuthn?
Thanks in advance.
The FIDO2 protocol (of which WebAuthn is a sub-protocol) is backwardly compatible with U2F, Jack. By using a FIDO2 server that handles both U2F and FIDO2 registrations/authentications, you can transparently support both protocols/Authenticators in the same web-application.
If you have both, a native U2F and a FIDO2 Authenticator, take them for a spin on https://fido2.strongkey.com. You'll see both of them successfully register and authenticate on that site. If interested, the "Proof of Concept" application you tested is available here: https://github.com/StrongKey/fido2/tree/master/sampleapps/java/poc.
Arshad Noor
StrongKey
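An added example, not part of the thread or of any poster's code, showing why a WebAuthn server can accept assertions from older U2F keys: the bytes a WebAuthn assertion signs have the same layout as the U2F raw signature base, so the server-side checks before signature verification are shared. The relying-party ID, the legacy app ID parameter and the sample bytes are constructed assumptions; the ECDSA check over the returned bytes is left to a crypto library.

```python
import hashlib
import struct
from dataclasses import dataclass

UP, UV, AT, ED = 0x01, 0x04, 0x40, 0x80  # authenticator data flag bits


@dataclass
class AuthData:
    rp_id_hash: bytes
    flags: int
    sign_count: int


def parse_auth_data(raw: bytes) -> AuthData:
    """Parse the fixed 37-byte header: rpIdHash(32) | flags(1) | signCount(4, BE)."""
    if len(raw) < 37:
        raise ValueError("authenticator data shorter than 37 bytes")
    flags, count = struct.unpack(">BI", raw[32:37])
    if len(raw) > 37 and not flags & (AT | ED):
        raise ValueError("trailing bytes without AT/ED flag")
    return AuthData(raw[:32], flags, count)


def check_assertion(raw, client_data_json, rp_id, stored_count, legacy_app_id=None):
    """Run the pre-signature checks and return the bytes the signature covers."""
    ad = parse_auth_data(raw)
    allowed = {hashlib.sha256(rp_id.encode()).digest()}
    if legacy_app_id:  # credential originally registered through the U2F API
        allowed.add(hashlib.sha256(legacy_app_id.encode()).digest())
    if ad.rp_id_hash not in allowed:
        raise ValueError("rpIdHash does not match this relying party")
    if not ad.flags & UP:
        raise ValueError("user presence flag not set")
    if (ad.sign_count or stored_count) and ad.sign_count <= stored_count:
        raise ValueError("signature counter did not increase")
    return raw + hashlib.sha256(client_data_json).digest()


def u2f_signature_base(app_param, presence, counter, challenge_param):
    """U2F raw-message layout: appParam | presence | counter | challengeParam."""
    return app_param + bytes([presence]) + struct.pack(">I", counter) + challenge_param


# Constructed sample values (not captured from a real authenticator).
RP_ID = "example.com"
CLIENT_DATA = b'{"type":"webauthn.get","challenge":"Y29uc3RydWN0ZWQ","origin":"https://example.com"}'
RAW = hashlib.sha256(RP_ID.encode()).digest() + bytes([UP]) + struct.pack(">I", 42)
```
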