Migration of UAF to FIDO2


Nicholas Irving

Sep 6, 2023, 4:38:03 PM
to fido...@fidoalliance.org
Morning
We have a user base of established UAF authenticators and are looking to seamlessly migrate them to use FIDO2. Is this possible?

Ideally we don't want to register them again; we have heard UAF 1.2 is compatible but have been unsuccessful in finding a guide on how to migrate.

Regards
Nicholas Irving 

Shane Weeden

Sep 6, 2023, 5:56:50 PM
to Nicholas Irving, fido...@fidoalliance.org
To the best of my knowledge, there is no conceptual thing as migrating registrations from UAF to FIDO2, nor would such a thing be particularly valuable. What would you be trying to achieve in terms of functional value by doing such a thing?

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAMqs2CaDzBvjoUx%3DkOX8r%3DVdVRcbfhFDt6wMDikaBXmp6rgBOg%40mail.gmail.com.

Nicholas Irving

Sep 6, 2023, 6:05:51 PM
to Shane Weeden, fido...@fidoalliance.org
Hi Shane
Thanks for the information, appreciated.

What I want to do is migrate from UAF to FIDO2 on mobile devices so that the end user does not get prompted to configure a new authenticator, i.e. touch / face biometrics. I was hoping there would be a way to migrate the collection of public keys we have stored to be used with a FIDO2 challenge response.

Does that make sense?

Regards

Nicholas Irving 

John Bradley

Sep 6, 2023, 6:16:34 PM
to Nicholas Irving, Shane Weeden, fido...@fidoalliance.org
If all the private keys are in your app you could have it use the same keys to sign Fido2 responses. However that largely defeats any reason for migrating as they would still only be usable in the app.

There was a migration from U2F to Fido 2 but there is no simple way to migrate UAF credentials into a platform provider.  

I guess if you are really ambitious you could become a plugable platform passkey provider on iOS and Android and migrate your credentials over somehow, but you would need to do the same thing on your backend.  

Simplest thing is to get them to re register. 

John B. 

Sent from my iPhone


Nicholas Irving

Sep 6, 2023, 6:29:58 PM
to John Bradley, Shane Weeden, fido...@fidoalliance.org
Thanks John,
Passkey is not an option for us at the moment, due to reasons beyond my pay grade, so that is currently not a concern; however, you make a good point on the re-register front, as at least we will have an option to move forward to when we can use passkeys.

Will play around with this and see what I can do.

Once again, thanks to John and Shane for your help.

Regards
Nicholas Irving 

Arshad Noor

Sep 6, 2023, 7:06:46 PM
to fido...@fidoalliance.org, nir...@darkedges.com
Nicholas,

I have no idea whose UAF server you used. But, if it is a commercial
one, have you contacted the manufacturer to see whether they have built
a Universal Server that supports all FIDO protocols? Or, at least a
FIDO2 server? If they do, they may have a migration path for you. If you
built your own UAF client and server, you have the ability to build a
FIDO2 client and server.

Alternatively, you could leverage an open-source FIDO2 Server
(https://sourceforge.net/projects/strongkeyfido) and an Android Client
Library within that distribution that supports FIDO2; there is a sample
app there demonstrating its use.

With the current UAF client library and the FIDO2 client library, you
could build a migration app that:

1) Authenticates the user using UAF against your current UAF server; and
2) Registers a new FIDO2 credential using the FIDO2 server, while
carrying forward current user data without the need to ask them for the
data all over again.

However, it will require at least one authentication prompt from the UAF
side, and one registration prompt from the FIDO2 side - it's unavoidable.
But, that's about the most painless you can make it to transition them.

Also, FYI the FIDO2 server on SourceForge does not support "passkeys" in
any flavor; it is straight up FIDO2/WebAuthn-L2 with Android Key
Attestation - it bypasses Google Play APIs and goes to Android directly.

Hope that helps.

Arshad Noor
StrongKey