FIDO2 Server


Niraj Sorathiya

May 23, 2021, 11:42:10 AM5/23/21
to fido...@fidoalliance.org
Hello Team,

If we deploy a FIDO2 server, is it then necessary to have server-side libraries (or vice versa) to use FIDO2?

I am confused about whether a FIDO2 server is necessary to use FIDO2 in any web application.

Thanks



--
Best Regards,
Niraj

Philipp Junghannß

May 23, 2021, 11:59:37 AM5/23/21
to Niraj Sorathiya, FIDO Dev (fido-dev)
Well, your server has to support FIDO2 in some way, either by using a separate FIDO2 server or by just embedding a FIDO2 lib into your application.
For example, so far I have run pretty well with this lib, which not only supports FIDO2 (as in devices with CTAP2 support) but also U2F, as well as several types of platform authenticators.

Sure, it's not FIDO2 certified, but I don't think a single person just making a library for this can afford these things.

Regards

--
You received this message because you are subscribed to the Google Groups "FIDO Dev (fido-dev)" group.
To unsubscribe from this group and stop receiving emails from it, send an email to fido-dev+u...@fidoalliance.org.
To view this discussion on the web visit https://groups.google.com/a/fidoalliance.org/d/msgid/fido-dev/CAFT0Dp0QxLPAWbRRWWOpMWskeGxeTi%3DOfqMnRMO0v0cPUtOwQw%40mail.gmail.com.

Ackermann Yuriy

May 23, 2021, 3:47:05 PM5/23/21
to Niraj Sorathiya, fido...@fidoalliance.org
Hey Niraj.

Yes, you do need a FIDO server. It does not have to be a "server" per se, i.e. a separate instance. Your server just needs the ability to process FIDO responses and generate requests as specified by the FIDO2 specs, i.e. act like a FIDO2 server. So you can easily just use any FIDO2 library and integrate it.

If you are looking for FIDO2 servers, you can use any of the FIDO conformant or certified open source servers.

If you are looking to build one, feel free to read my article on verifying responses.

--
Yuriy Ackermann
FIDO, Identity, Standards
skype: ackermann.yuriy
github: @herrjemand
twitter: @herrjemand
medium: @herrjemand

Vincent Bezzina

May 23, 2021, 4:35:46 PM5/23/21
to Ackermann Yuriy, Niraj Sorathiya, fido...@fidoalliance.org
Yes, we are pretty much done creating our own server.

I read all your excellent articles regarding the different attestation methods, and we support everything there.
Only one failure with the TPM signature verification. The metadata we still need to automate, but we did get the root PEM using the AAGUID and then matched the chain, so we can do that. Just need to automate the retrieval of the PEMs.

I will look at all the links you provided above also. What I am hoping to get to at this stage is a system against which we can test our server. Reading my way down https://fidoalliance.org/specs/fido-v2.0-rd-20180702/fido-server-v2.0-rd-20180702.html. There is a system, right? Not a misunderstanding? A self-certification system for servers?

Regards and thanks for your feedback.

Vincent


Arshad Noor

May 23, 2021, 7:43:45 PM5/23/21
to Niraj Sorathiya, fido...@fidoalliance.org
It all depends on what you're doing with FIDO2 and what your goals are for the solution once you have it working, Niraj.

If you're experimenting with FIDO for a proof-of-concept to increase your understanding of how it works, you can pretty much use anything that supports the types of authenticators you're planning to test; most libraries will support most Security Keys and platform authenticators to give you a flavor for what the UX will be when applications are FIDO enabled.

If you're planning to build an infrastructure to support a production system that requires one or more of the following capabilities, you probably want to consider a standalone server:

- Built-in high-availability and disaster recovery;
- Support for multiple attestation types: Basic, Apple, Android Key, etc.;
- Ability to abstract security policy management outside applications;
- Integrated SSO to avoid using yet another tool/protocol outside the FIDO server to reduce application complexity;
- Mobile library with support for "Transaction Confirmation" to comply with regulations such as PSD2 for strong customer authentication (SCA);
- Developer tools for large-scale performance testing without the need for humans at each client station;
- FIDO Certification to provide an assurance of commitment and conformance to standards.

If you're looking for something with all these capabilities, check out:

https://sourceforge.net/projects/strongkeyfido/ or
https://github.com/StrongKey/fido2

Hope that helps.

Arshad Noor
StrongKey

Niraj Sorathiya

May 23, 2021, 8:00:37 PM5/23/21
to Philipp Junghannß, FIDO Dev (fido-dev)
Hi Philipp,

Thank you for your reply.

Which FIDO2 library did you use?

Consider a web application which is using the Django framework. In this case, if I want to avoid a separate FIDO2 server, is it possible to just use the FIDO2 Python library and implement authentication?

Also, if I use a separate FIDO2 server, is it possible to avoid Python server-side libraries? Here, I am trying to understand if the FIDO2 server can be a universal solution for all web frameworks, or if it is necessary to have framework- or programming-language-specific server libraries.


Regards,
Niraj
--
Best Regards,
Niraj

Niraj Sorathiya

May 23, 2021, 8:16:02 PM5/23/21
to Arshad Noor, fido...@fidoalliance.org

Hi Arshad,

Thank you for your detailed explanation.

I have also read about FIDO2 certified servers. So, is it necessary to deploy the FIDO2 server using the information provided in the link below in order to be certified by FIDO? Like, does FIDO have any preference for it?


Regards,
Niraj
--
Best Regards,
Niraj

Philipp Junghannß

May 23, 2021, 8:16:49 PM5/23/21
to Niraj Sorathiya, FIDO Dev (fido-dev)
Oops, forgot to copy the link, lol.

For Django I honestly have no idea, but after a quick search this one seems a decent add-on for it.

If you use a separate FIDO2 server, you obviously need to look at how it wants to communicate and implement that, which could be seen as a mini lib, but most of it should be just passing on the FIDO request and dealing with its result. I'm not sure if the external communication of FIDO2 servers is standardized, but if you have one FIDO2 server it certainly can help, as it can have one cohesive database, so you don't need to worry about the possibly different internals of the libraries regarding storage and whatever. You just need to implement the aforementioned, which is likely a ton easier than developing stuff for all the libraries, or shimming stuff to get the libs to play nice with each other.

Arshad Noor

May 23, 2021, 10:57:56 PM5/23/21
to Niraj Sorathiya, fido...@fidoalliance.org
You do not need to be certified by FIDO Alliance to just use a FIDO2 server - you only get FIDO Certified if you *choose* to build your own FIDO2 server from scratch. If all you're planning to do is use FIDO2 to register and authenticate users, and authorize transactions with FIDO2 digital signatures for something like PSD2, then you just need to use the server I pointed you to in order to address your business requirements.

Arshad

Arshad Noor

May 23, 2021, 11:09:42 PM5/23/21
to fido...@fidoalliance.org, Niraj Sorathiya
To address this specific question, the FIDO2 server I referenced in my earlier response does NOT require any client-side libraries, Niraj - it only presents webservices, SOAP and REST. Technically, ANY web programming environment that can consume webservices can integrate the SKFS within hours, as it is universal to all web frameworks.

You can get a sense for the REST webservices here: https://strongkey.github.io/fido2/ - although what shows up there is an older release of the FIDO2 server; the newer release has 2 additional webservices, *preauthorize* and *authorize*, used for transaction confirmation capabilities that you can test with the sample apps in the 4.4.x release.

Arshad

On 5/23/21 5:00 PM, Niraj Sorathiya wrote:
> Also, if I use a separate FIDO2 server, *is it possible to avoid Python server-side libraries?* Here, I am trying to understand if the FIDO2 server can be a universal solution for all web frameworks or if it is necessary to have framework- or programming-language-specific server libraries.