Menu
With all the recent buzz around the FIDO U2F specification, I would like to implement FIDO U2F test-wise on a testbed to be ready for the forthcoming roll out of the final specification.
So far, I have a FIDO U2F security key produced by Yubico and the FIDO U2F (Universal 2nd Factor) extension installed in Chrome. I have also managed to set up the security key to work with my Google log-in.
Now, I'm not sure how to make use of this stuff for my own site. I have looked through Google's Github page for the U2F project and I have checked their web app front-end. It looks really simple (JavaScript only). So is implementing second factor auth with FIDO as simple as implementing a few JavaScript calls? All that seems to be happening for the registration in the example is this:
var registerRequest = { appId: enrollData.appId, challenge: enrollData.challenge, version: enrollData.version }; u2f.register([registerRequest], [], function (result) { if (result.errorCode) { document.getElementById('status') .innerHTML = "Failed. Error code: " + result.errorCode; return; } document.location = "/enrollFinish" + "?browserData=" + result.clientData + "&enrollData=" + result.registrationData + "&challenge=" + enrollData.challenge + "&sessionId=" + enrollData.sessionId; }); But how can I use that for an implementation myself? Will I be able to use the callback from this method call for the user registration?
970
FIDO RegistrationUser is prompted to choose an available FIDO authenticator that matches the online service's acceptance policy. User unlocks the FIDO authenticator using a fingerprint reader, a button on a second–factor device, securely–entered PIN or other method.
Web Authentication (WebAuthn), a core component of FIDO Alliance's FIDO2 set of specifications, is a web-based API that allows websites to update their login pages to add FIDO-based authentication on supported browsers and platforms.
Insert your U2F security key into your computer's USB port and press the button on it when prompted. You'll be able to enter a name for the key afterwards. When you're done, click “Set Up Two-Factor Authentication” to require the security key to sign in.
What you are trying to do is implement a so called "relying party", meaning that your web service will rely on the identity assertion provided by the FIDO U2F token.
You will need to understand the U2F specifications to do that. Especially how the challenge-response paradigm is to be implemented and how app ids and facets work. This is described in the spec in detail.
You are right: The actual code necessary to work with FIDO U2F from the front end of you application is almost trivial (that is, if you use the "high-level" JavaScript API as opposed to the "low-level" MessagePort API). Your application will however need to work with the messages generated by the token and validate them. This is not trivial.
To illustrate how you could pursue implementing a relying party site, I will give a few code examples, taken from a Virtual FIDO U2F Token Extension that I have programmed lately for academic reasons. You can see the page for the full example code.
Before your users can use their FIDO U2F tokens to authenticate, they need to register it with you. In order to allow them to do so, you need to call window.u2f.register in their browser. To do that, you need to provide a few parameters (again; read the spec for details). Among them a challenge and the id of your app. For a web app, this id must be the web origin of the web page triggering the FIDO operation. Let's assume it is example.org:
window.u2f.register([ { version : "U2F_V2", challenge : "YXJlIHlvdSBib3JlZD8gOy0p", appId : "http://example.org", sessionId : "26" } ], [], function (data) { }); Once the user performs a "user presence test" (e.g. by touching the token), you will receive a response, which is a JSON object (see spec for more details)
dictionary RegisterResponse { DOMString registrationData; DOMString clientData; }; This data contains several elements that your application needs to work with.
I have prepared a rough implementation draft for the relying party server in Java that shows how to extract and validate this information lately.
Once the registration is complete and you have somehow stored the details of the generated key, you can sign requests.
As you said, this can be initiated short and sweet through the high-level JavaScript API:
window.u2f.sign([{ version : "U2F_V2", challenge : "c3RpbGwgYm9yZWQ/IQ", app_id : "http://example.org", sessionId : "42", keyHandle: "ZHVtbXlfa2V5X2hhbmRsZQ" }], function (data) { }); Here, you need to provide the key handle, you have obtained during registration. Once again, after the user performs a "user presence test" (e.g. by touching the token), you will receive a response, which is a JSON object (again, see spec for more details)
dictionary SignResponse { DOMString keyHandle; DOMString signatureData; DOMString clientData; }; You the need to validate the signature data contained herein.
Once you have performed these validations, you can consider the user authenticated. A brief example implementation of the server side code for that is also contained in my server example.
173
If you love us? You can donate to us via Paypal or buy me a coffee so we can maintain and grow! Thank you!
Donate Us With
