Implementing FIDO2.


fatima kabouri

Sep 6, 2022, 9:34:21 AM9/6/22
to FIDO Dev (fido-dev)
Good afternoon, 

I am currently writing documentation about the FIDO2 protocol for my internship project. The objective is to study how FIDO2 authentication can be implemented as a solution for strong authentication. Some questions have come to my mind.
1- Can we implement FIDO2 authentication for a native mobile application?
2- Does creating an authenticator application enable the user to manage their secret keys?
3- Are those keys stored on the user's device?
4- Can we store these keys in the cloud? If the user has installed the authenticator app on another device and succeeds in authentication, does he get his keys?

Ackermann Yuriy

Sep 6, 2022, 9:51:04 AM9/6/22
to fatima kabouri, FIDO Dev (fido-dev)
1. Yes, and there are some already implemented as open source: https://github.com/herrjemand/awesome-webauthn#software-authenticators. But FIDO does not certify mobile implementations.

2. If you add functionality to do so, then sure?

3. You can always store them in a secure enclave and/or the Android hardware-backed keystore.

4. Not advised, and you won't be able to certify it, but yes, if you implement some kind of syncing then sure. But it does have a drastic effect on user security, and if your internship requires implementing a FIDO2 authenticator, then you are most likely already looking at higher assurance, so that won't be beneficial for you. If the question is how to log a user in on another device, then you have OIDC/Push/Backend authentication.

Thanks.
Yuriy


Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand



Philipp Junghannß

Sep 6, 2022, 9:57:25 AM9/6/22
to Ackermann Yuriy, fatima kabouri, FIDO Dev (fido-dev)
Isn't storing the keys in the cloud literally what the big shots are doing with "Passkeys" now?

Arshad Noor

Sep 6, 2022, 11:01:20 AM9/6/22
to fatima kabouri, FIDO Dev (fido-dev)
Hi Fatima,

Please see answers below.

Good luck with your documentation.

Arshad Noor
StrongKey

On 9/6/22 6:34 AM, fatima kabouri wrote:
> Good afternoon,
>
> I am currently writing documentation about the FIDO2 protocol for my
> internship project. The objective is to study how FIDO2 authentication
> can be implemented as a solution for strong authentication. Some
> questions have come to my mind.
> 1- Can we implement FIDO2 authentication for a native mobile application?

Yes, you can. You can find our open-source library for Android at:
https://github.com/StrongKey/fido2/tree/master/sampleapps/java/sacl

While we do not currently have a full-scale library for iOS like the
Android one, it is part of our roadmap for 2023. You can, however, find a
sample app demonstrating a native iOS app doing FIDO at:

https://github.com/StrongKey/fido2/tree/master/sampleapps/swift/StrongKeyFIDODemo

> 2- Does creating an authenticator application enable the user to manage
> their secret keys?

Yes, it does.

> 3- Are those keys stored on the user's device?

Yes, they are.

> 4- Can we store these keys in the cloud? If the user has installed the
> authenticator app on another device and succeeds in authentication, does
> he get his keys?

As Philipp has already pointed out, that is what three members of the
FIDO Alliance are attempting to do with "passkeys" - whether they use an
"authenticator app" or not is yet to be seen.

However, since FIDO is a security protocol, you need to pay close
attention to the security implications of managing cryptographic keys in
the cloud. I would encourage you to review these 2 LinkedIn postings of
mine and follow the news stories I've referenced to understand the
implications. While convenience is nice, IMO it is even more important
to be secure:

https://www.linkedin.com/posts/arshadnoor_theres-a-big-problem-with-apple-and-google-activity-6936014910808096769--8zB?utm_source=share&utm_medium=member_desktop

https://www.linkedin.com/posts/arshadnoor_okta-hack-allows-users-to-be-impersonated-activity-6971072957238427649-IaMb?utm_source=share&utm_medium=member_desktop


Rick

Sep 6, 2022, 4:31:37 PM9/6/22
to FIDO Dev (fido-dev), My1, fatimak...@gmail.com, FIDO Dev (fido-dev), Ackermann Yuriy

We won't know until we can see for ourselves, but the concern is valid. It's a truth that cryptographic authenticator secrets remain so only so long as they stay in the secure element of the device. Once transported off the device they are no longer a secret.
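Yuriy's, Arshad's and Rick's replies all turn on the same question: does the credential's private key stay on the device, or can it be synced to the cloud? On the relying-party side, WebAuthn authenticator data carries backup-eligible (BE) and backup-state (BS) flags that report exactly that, so an RP can enforce a device-bound policy at registration. The following Python is an added example, not code from this thread or from StrongKey; the authenticator data bytes are constructed, the RP ID example.com is assumed, and the policy helper is hypothetical.

```python
import hashlib
import struct

# WebAuthn authenticator data header: rpIdHash[32] | flags[1] | signCount[4]
# Flag bits from the WebAuthn spec; BE/BS were added in Level 3 for synced passkeys.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_BE = 0x08  # backup eligible: the key may leave the device (synced passkey)
FLAG_BS = 0x10  # backup state: the key is currently backed up off-device

def parse_auth_data(auth_data: bytes) -> dict:
    """Decode the fixed 37-byte header of WebAuthn authenticator data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    flags = auth_data[32]
    (sign_count,) = struct.unpack(">I", auth_data[33:37])
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
        "backup_eligible": bool(flags & FLAG_BE),
        "backed_up": bool(flags & FLAG_BS),
        "sign_count": sign_count,
    }

def classify_credential(auth_data: bytes, rp_id: str, require_device_bound: bool) -> str:
    """Hypothetical RP registration policy: bind the data to our RP ID, then
    decide whether a syncable (cloud-backed) credential is acceptable."""
    info = parse_auth_data(auth_data)
    if info["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return "reject: rpIdHash mismatch"
    if not info["user_present"]:
        return "reject: user presence not asserted"
    if info["backup_eligible"]:
        if require_device_bound:
            return "reject: credential is backup-eligible, not device-bound"
        return "accept: synced passkey"
    return "accept: device-bound credential"

def make_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed sample authenticator data (not captured from a real device)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

if __name__ == "__main__":
    bound = make_auth_data("example.com", FLAG_UP | FLAG_UV, 7)
    synced = make_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_BE | FLAG_BS, 0)
    print(classify_credential(bound, "example.com", require_device_bound=True))
    print(classify_credential(synced, "example.com", require_device_bound=True))
```

The BE/BS bits are self-reported by the authenticator, so an RP that needs a real guarantee of hardware-bound keys must combine this check with attestation verification against a trusted authenticator set.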
