Type: Technical Documentation
Affects Version/s: 7.4.X, Master
Fix Version/s: None
Component/s: Application Security > Multi-Factor Authentication
Sprint: Iteration 45, Iteration 46, Iteration 47, Iteration 48, Iteration 49, Iteration 50, AppSec Iteration 51, AppSec Iteration 52, AppSec Iteration 53, AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56
Type of Documentation: Deployment
FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.
It is intended for end users who need stronger authentication protection and for service owners who need to protect service users.
This security model eliminates the risks of phishing, all forms of password theft, and replay attacks.
An end user uses an authenticator (i.e. a hardware key, a fingerprint reader, etc.) to authenticate.
Instead of memorizing and typing a long, strong password, users can unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
This feature allows an instance admin to configure FIDO2 per instance.
In order to enable FIDO2 for an instance:
- The instance admin goes to Instance Settings --> Multi-Factor Authentication.
- First, enable Email OTP.
- Then go to the Fast Identity Online 2 configuration page.
- Configuration "Relying Party Name": the instance admin can choose any name for this field.
- Configuration "Allowed Credentials Per User": the instance admin sets the maximum number of authenticators a user can register.
- Configuration "Relying Party ID": see the configuration description.
- Configuration "Origins": see the configuration description.
- Configuration "Allow Origin Port": see the configuration description.
- Configuration "Allow Origin sub domain": see the configuration description.
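As an added illustration (not code from this page, from Liferay, or from the yubico library), the following shows the origin and Relying Party ID matching rule that the four settings above express, assuming the portal's "Allow Origin Port" and "Allow Origin sub domain" settings correspond to the yubico WebAuthn library's allowOriginPort and allowOriginSubdomain options; the hostnames are constructed sample values.

```python
from urllib.parse import urlsplit

# Constructed sample configuration (not values from the page).
RP_ID = "portal.example.com"
ALLOWED_ORIGINS = {"https://portal.example.com"}

def _split(origin):
    """(scheme, host, port) for an origin string, with the scheme's default port filled in."""
    u = urlsplit(origin)
    if not u.scheme or not u.hostname:
        return None
    return u.scheme, u.hostname.lower(), u.port or (443 if u.scheme == "https" else 80)

def origin_allowed(origin, allowed, allow_port=False, allow_subdomain=False):
    """Scheme must always match. allow_port ignores the port; allow_subdomain also
    accepts hosts that are subdomains of an allowed host (dot-delimited, so
    'evilportal.example.com' is not a subdomain of 'portal.example.com')."""
    o = _split(origin)
    if o is None:
        return False
    for a in allowed:
        p = _split(a)
        if p is None or o[0] != p[0]:
            continue                       # scheme mismatch (e.g. http vs https)
        if not allow_port and o[2] != p[2]:
            continue                       # port differs and ports are not relaxed
        if o[1] == p[1] or (allow_subdomain and o[1].endswith("." + p[1])):
            return True
    return False

def rp_id_valid_for(origin, rp_id):
    """WebAuthn: the RP ID must equal the origin's host or be a parent domain of it."""
    o = _split(origin)
    return o is not None and (o[1] == rp_id or o[1].endswith("." + rp_id))

def check(origin, allow_port=False, allow_subdomain=False):
    """Classify an origin against the sample config, separating the two failure
    classes a debugger meets: origin not allowed vs. RP ID not matching the host."""
    if not origin_allowed(origin, ALLOWED_ORIGINS, allow_port, allow_subdomain):
        return "rejected: origin not allowed"
    if not rp_id_valid_for(origin, RP_ID):
        return "rejected: RP ID does not match origin host"
    return "accepted"

if __name__ == "__main__":
    for o in ("https://portal.example.com", "https://portal.example.com:8443",
              "https://sso.portal.example.com", "https://evilportal.example.com"):
        print(f"{o:36} -> {check(o, allow_port=True, allow_subdomain=True)}")
```

When an origin-, port- or domain-related exception appears, running the failing browser origin through a check like this against the configured values usually pinpoints which of the four settings is responsible.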
Key related classes, methods, modules and configuration interfaces, with implementation details that help in understanding how it works and give hints for debugging and fixing:
- Web module: multi-factor-authentication-fido2-web
- Service module: multi-factor-authentication-fido2-credential-service
- Registration and verification class: FIDO2BrowserSetupMFAChecker
- Single credential removal class: RemoveMFAFIDO2CredentialEntryMVCActionCommand
- Wiring class between the yubico webauthn library and the portal code: MFAFIDO2CredentialRepository
- Configuration interface: MFAFIDO2Configuration
- If any bugs come up in registration, look at the includeSetup() and setup() methods.
- If any exception relates to origins, ports or domains, check whether the admin configuration is set up properly.