Hi,
Does the FIDO standard specify a communication interface between a stand-alone FIDO Client app and stand-alone FIDO Authenticator app on iOS?
The FIDO Application API specification, section 7, specifies a custom URL API by which a Relying Party application can invoke a FIDO UAF Client. But is there a similar custom URL API by which a FIDO Client can invoke a FIDO Authenticator on iOS?
If not, what’s the recommendation for the FIDO Client-FIDO Authenticator API on iOS, if a FIDO Client has to communicate with multiple FIDO authenticators from different vendors?
Thanks,
Anna
Hi Anna,
To answer your first question…
The only communications interface specified within FIDO for iOS is the x-callback-url mechanism (aka custom URL API) intended to invoke the installed FIDO UAF client.
To answer your second question…
Using the x-callback-url mechanism, the FIDO UAF Client can be invoked by any calling app (the RP could be a browser, or it could be a custom app – it doesn’t matter, as long as you follow the protocol).
To answer your third question…
The FIDO specifications assume that you have exactly one FIDO UAF client installed. Unfortunately, due to the limitations of iOS custom URLs, there is no way (within the confines of the FIDO specifications at least) to call one of several arbitrary FIDO UAF clients that are all installed and registered with the same custom URL endpoint (which is what the RP app uses for FIDO UAF Client discovery). I think the last installed client wins – but don’t quote me on that. Further, it is also not possible to “turn off” an application-registered custom URL at runtime (we tried that approach with our own offerings in an effort to build a better-behaving UAF client, but it doesn’t work).
Unless the FIDO UAF client vendor also registers a distinct custom URL handler (outside the spec), there is no way to target a specific UAF client on iOS. Clearly that is a problem area in the specifications, which will hopefully be addressed in the future.
Hope that helps.
Jeff Cesnik
(former) Founder, Lightfactor
--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To post to this group, send email to fido...@fidoalliance.org.
Visit this group at https://groups.google.com/a/fidoalliance.org/group/fido-dev/.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/79dd1e96-7ce9-4f81-898c-c6106624ced4%40fidoalliance.org.
Hi Jeff,
Thank you for your inputs. Using the custom-URL API, agreed, the Relying Party app can communicate with exactly one FIDO client, as per the specifications. But is there any way the FIDO client can communicate with different UAF ASMs/Authenticators (from different vendors)? In Android, the FIDO Client is able to discover different ASMs on the device; I'm not sure whether a similar feature exists on iOS.
If not, how can a Relying Party app implement multi-factor authentication on iOS, assuming that the authenticators are from different vendors? One key feature of the FIDO Client is to enforce an authenticator policy specified by the server, and it seems like this feature cannot really be applied on iOS due to the lack of discovery of the UAF authenticators.
Thanks,
Anna
Anna,
Speaking strictly from the point of view of the specifications, it’s not currently possible to have a separate ASM that is discoverable on iOS (unlike Android). FIDO on iOS assumes a monolithic UAF Client/ASM combination implementation - it’s not possible for an RP to support multiple FIDO UAF ASM/Authenticator vendors simultaneously on iOS (unless your installed FIDO UAF client happens to support multiple ASMs/Authenticators under the hood).
There are no good answers for iOS I’m afraid.
-Jeff Cesnik
(former) Founder, Lightfactor
From: fido...@fidoalliance.org [mailto:fido-dev@fidoalliance.org] On Behalf Of Anna Ch
Sent: Tuesday, January 10, 2017 1:28 PM
To: FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: [FIDO-DEV] Re: FIDO Client - FIDO Authenticator API on iOS
Hi Jeff,
Thank you for your inputs. Using the custom-URL API, agreed, the Relying Party app can communicate with exactly one FIDO client, as per the specifications. But is there any way the FIDO client can communicate with different UAF ASMs/Authenticators (from different vendors)? In Android, the FIDO Client is able to discover different ASMs on the device; I'm not sure whether a similar feature exists on iOS.
If not, how can a Relying Party app implement multi-factor authentication on iOS, assuming that the authenticators are from different vendors? One key feature of the FIDO Client is to enforce an authenticator policy specified by the server, and it seems like this feature cannot really be applied on iOS due to the lack of discovery of the UAF authenticators.
Thanks,
Anna
On Tuesday, January 10, 2017 at 10:58:51 AM UTC-5, Anna Ch wrote:
Hi,
Does the FIDO standard specify a communication interface between a stand-alone FIDO Client app and stand-alone FIDO Authenticator app on iOS?
The FIDO Application API specification, section 7, specifies a custom URL API by which a Relying Party application can invoke a FIDO UAF Client. But is there a similar custom URL API by which a FIDO Client can invoke a FIDO Authenticator on iOS?
If not, what’s the recommendation for the FIDO Client-FIDO Authenticator API on iOS, if a FIDO Client has to communicate with multiple FIDO authenticators from different vendors?
Thanks,
Anna
Hi Suresh,
In order to test and debug your SDK, you’ll need to build a full-on UAF client (that consumes your SDK) to test against the FIDO conformance app.
I don’t think there is a certification category for just an SDK or ASM on iOS because it would have to be integrated into a separate app to be useful – but you can go through testing and interop without pursuing certification.
And yes, the UAF conformance app acts as an RP.
-Jeff Cesnik
(former) Founder, Lightfactor
From: Suresh Thiruppathi [mailto:suresh.th...@imaginea.com]
Sent: Wednesday, January 11, 2017 12:14 AM
To: Jeff Cesnik <jce...@lightfactor.co>
Cc: Anna Ch <apurna....@gmail.com>; FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: Re: [FIDO-DEV] Re: FIDO Client - FIDO Authenticator API on iOS
Hi Jeff,
As we are trying to implement the FIDO Client combo (Client + ASM + TouchID as Authenticator) as an SDK, what would be the recommended way of communication between the RP App and the FIDO Client?
Hi Suresh,
You’ll need to reach out to FIDO directly for “official” certification answers – that’s not something I can answer reliably.
-Jeff Cesnik
(former) Founder, Lightfactor
From: Suresh Thiruppathi [mailto:suresh.th...@imaginea.com]
Sent: Wednesday, January 11, 2017 9:13 AM
To: Jeff Cesnik <jce...@lightfactor.co>
Cc: Anna Ch <apurna....@gmail.com>; FIDO Dev (fido-dev) <fido...@fidoalliance.org>
Subject: Re: [FIDO-DEV] Re: FIDO Client - FIDO Authenticator API on iOS
Hi Jeff,
Thanks for clarifying doubts!