Hello, We're investigating the potential of using a mobile app as a FIDO authenticator, similar to the solutions provided by companies like Hypr and IDmelon, especially for offline authentication on iOS and Android devices. We're looking for some assistance in this area:
We would greatly appreciate any help or information on this matter!
Estonian Internet Foundation
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/SJ0PR00MB1141FCE0E0C34F23ABB9EAAA95B4A%40SJ0PR00MB1141.namprd00.prod.outlook.com.
Sergei,
I implemented FIDO2 authenticator app for Android and iOS some time ago. Much has changed since then so some of this may no longer be as relevant.
Documentation available from FIDO Alliance and W3C is excellent and if followed makes implementing the core FIDO2 functionality not too difficult.
But, areas where documentation is very poor to non-existent I found especially challenging:
Good luck,
Rick
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CACHSkNqGt533bY829fG8J0YdiFJHQ4dBczyc_%2BFW%3DOLtFtwAJA%40mail.gmail.com.
To answer your question requires an understanding of what you mean by “offline”. At minimum, use of FIDO2 requires a user, an authenticator, a relying party, and a user record. In theory these could all be one and the same but to what end? That said, then there need be some form of connection between user + authenticator to RP + user record.
As for you specific questions, answered out of order.
FIDO2 does not validate a users identity. It at best validates presence of a human and their use of a specific device.
FIDO2 typically does not require the internet to operate. Its operations occur between the authenticator device which the unknown human has and a FIDO Client device which the unknown human has access to.
The connection between these is expected to be either Bluetooth, USB, or NFC but in fact it could be any method of comms in roll-your-own scenarios.
The user record with which the FIDO2 device forms an affinity is, from the user + authenticator pov, in the either as is the relying party. They could be within immediate domain of FIDO Client.
Affinity of authenticator device to user record is formed by a registration ceremony that requires all principals. Once registered it is then possible to perform authentication ceremonies.
The ceremonies take place between the authenticator device and the FIDO Client and typically this occurs locally over the channels mentioned above. As such there is no internet involvement in either ceremony. But of course consideration for the relying party and user record need be made.
The public is made public as part of the registration process. It typically becomes part of the user record. Where, how, and how securely that record is stored is up to the relying party. I’m aware of no specific requirements nor need for them but of course the user record should be secure wherever it is.
Typically the public key travels from authenticator to user record once during the registration ceremony. From that point forward it is used in creation of challenge messages and in part for validating challenge message responses. These activities should be secure but are not otherwise defined.
You didn’t mention but I’ll toss it out that the critical components, private key and certificates, MUST be securely stored are on and within the immediate domain of the authenticator device. If/when those are compromised the user account is in jeopardy of becoming a DBIR statistic.
Rick
Not nitpicking but, there is nothing in the FIDO2 specifications that require user identity proofing over and beyond that of a gesture. Never has been and so far as I know, not in the works. I have a number of Titan and Yubi keys that work just fine and none save one incorporate identity proofing.
That said, indeed it’s a really, really good idea to do so and to do so such that identity proofing occurs as a part of and inseparable from the authentication ceremony. For example, the user gesture is not accepted until the user identity has been proofed. For several reasons, the FIDO2 cell phone app reliance on screen unlock is a really bad idea. There is no way an app can learn: is screen lock used?, what type is it?, when was it last used relative in time to the authentication ceremony? There is no assurance of its type or even of its use in some cases and neither OS provides access to the specifics of its use, type, active state, and so on.
Rick