Details

    • Sprint:
      Iteration 45, Iteration 46, Iteration 47, Iteration 48, Iteration 49, Iteration 50, AppSec Iteration 51, AppSec Iteration 52, AppSec Iteration 53, AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56
    • Type of Documentation:
      Deployment

      Description

      Confluence page

      https://liferay.atlassian.net/wiki/spaces/ENGAPPSECURITY/pages/1481736738/Doc+Documentation+of+the+Story+As+an+Instance+Administrator+I+want+to+configure+a+FIDO2+based+hardware+key+verifier

      Background

      Why does this feature exist?

      Because FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

      Who needed it?

      End users who need stronger authentication protection and service owners who need to protect service users.

      What problem does it solve?

      This security model eliminates the risks of phishing, all forms of password theft and replay attacks.

      How can it be used by the user or developer?

      An end user uses his/her authenticator(ie. a hardware key, fingerprint or etc) to authenticate.

      How does it make life easier?

      Instead of memorizing and typing a long strong of password, users can unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
       

      Features

      What does this feature do? For example, does it let you add/change/delete anything?

      This feature allows instance admin to configure FIDO2 per instance.

      Can a developer modify or customize any of these features?

      No. 

      Steps

      List the steps a user needs to perform in order to use this feature.

      In order to enable FIDO2 for an instance:

      1. Instance admin needs to go to instance settings --> multi-factor-authentication
      2. First enable Email OTP
      3. Then go to Fast Identity Online 2 configuration page
      4. Configuration "Relying Party Name": instance admin can choose whatever name for this field.
      5. Configuration "Allowed Credentials Per User": instance admin can set the number of maximum number of authenticators a user can register.
      6. Configuration "Relying Party ID": see configuration description
      7. Configuration "Origins": see configuration description
      8. Configuration "Allow Origin Port": See configuration description
      9. Configuration "Allow Origin sub domain": See configuration description

      Code

      Key related classes/methods and modules, configuration interfaces; any specific implementation details that helps understanding how it works, provides hints for debugging and fixing.

      • Web module: mult-factor-authentication-fido2-web
      • Service module: multi-factor-authentication-fido2-credential-service
      • Registration and verification class: FIDO2BrowserSetupMFAChecker
      • Single credential removing class: RemoveMFAFIDO2CredentialEntryMVCActionCommand
      • Wiring class between yubico webauthn lib and portal code class: MFAFIDO2CredentialRepository
      • Configuration interface: MFAFIDO2Configuration
      • If any bugs come up in registration, then look for includeSetup() and setup() methods
      • If any exception relates to origins, ports, domain, then look for if admin configuration is properly setup.

        Attachments

          Issue Links

            Activity

              People

              Assignee:
              arthur.chen Arthur Chen
              Reporter:
              nora.szel Nóra Szél
              Recent user:
              Zsigmond Rab
              Participants of an Issue:
              Votes:
              0 Vote for this issue
              Watchers:
              1 Start watching this issue

                Dates

                Created:
                Updated:
                Resolved:

                  Packages

                  Version Package