Hi all,
I am puzzled about the connection with the browser application:
Between the authenticator and the browser app the spec defines 2 modules: ASM and FIDO Client.
I am wondering if it is worth implementing these parts for UAF. I know that U2F is kind of popular and you can find a U2F Client JavaScript API and generic modules to spare you the effort.
It was my understanding that the ASM is tightly coupled to the Authenticator: it knows how the authenticator can connect (USB, BLE, etc.) and how to communicate with it. Roughly, it translates UAFTLV into JSON.
Therefore it should be located on the host (PC, phone, etc.) as middleware: a DLL for Windows, a .so for Linux, etc.
Otherwise, if it is embedded in the Authenticator it could not abstract the communication part to the FIDO Client.
-> Am I correct about the ASM location and format?
Then I guessed that the FIDO Client should be some kind of browser plugin (for Chrome, Firefox, Edge, ...) that would exchange JSON commands with the ASM.
In that case, it means that if a user wants to use my authenticator, there are 2 prerequisites:
- Install the FIDO Client browser extension (or enable built-in features in browsers that implement it?)
- Install the ASM platform-specific library
- Today, there is no "generic" ASM that would be integrated in a browser (Chrome?) and could directly address an authenticator (even if it strictly follows the command/response formats)
-> Are my assumptions right?
I also found out about the FIDO2 project, which is ongoing. At first I thought that it would allow me to get rid of the listed constraints, meaning:
- WebAuthn would be supported by browsers natively, so that you do not need a browser extension
The link points to a Google presentation about WebAuthn. Google announces that future releases will handle BLE & NFC communication.
- CTAP would allow the browser to communicate directly with the authenticator (what about the ASM then? Would it be integrated in the Authenticator to talk JSON, or will CTAP also talk UAFTLV?)
However, it seems wrong, because in the ASM API spec there is the following CTAP2 paragraph 6:
ASMs can (optionally) provide a FIDO CTAP 2 interface in order to allow
the authenticator being used as external authenticator from a FIDO2 or
Web Authentication enabled platform supporting the CTAP 2 protocol [FIDOCTAP].
In this case the CTAP2 enabled ASM provides the CTAP2 interface upstream through
one or more of the transport protocols defined in [FIDOCTAP] (e.g. USB, NFC, BLE).
Note that the CTAP2 interface is the connection to the FIDO Client / FIDO enabled platform.
So we still need an ASM here, and I fail to understand the benefits of FIDO2 over FIDO UAF/U2F.
-> End users still need to install a 3rd-party element and cannot use the authenticator "directly" with a browser, right?
Thanks