Details

    • Iteration 45, Iteration 46, Iteration 47, Iteration 48, Iteration 49, Iteration 50, AppSec Iteration 51, AppSec Iteration 52, AppSec Iteration 53, AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56
    • Deployment

    Description

      Confluence page

      https://liferay.atlassian.net/wiki/spaces/ENGAPPSECURITY/pages/1481736738/Doc+Documentation+of+the+Story+As+an+Instance+Administrator+I+want+to+configure+a+FIDO2+based+hardware+key+verifier

      Background

      Why does this feature exist?

      Because FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

      Who needed it?

      End users who need stronger authentication protection and service owners who need to protect service users.

      What problem does it solve?

      This security model eliminates the risks of phishing, all forms of password theft and replay attacks.

      How can it be used by the user or developer?

An end user uses their authenticator (e.g. a hardware key or a fingerprint reader) to authenticate.

      How does it make life easier?

Instead of memorizing and typing a long, strong password, users can unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by using easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
       

      Features

      What does this feature do? For example, does it let you add/change/delete anything?

This feature allows an instance administrator to configure FIDO2 per instance.

      Can a developer modify or customize any of these features?

      No. 

      Steps

      List the steps a user needs to perform in order to use this feature.

      In order to enable FIDO2 for an instance:

1. The instance admin goes to Instance Settings > Multi-Factor Authentication.
2. First enable Email OTP.
3. Then go to the Fast Identity Online 2 configuration page.
4. Configuration "Relying Party Name": the instance admin can choose any name for this field.
5. Configuration "Allowed Credentials Per User": the instance admin can set the maximum number of authenticators a user can register.
6. Configuration "Relying Party ID": see the configuration description.
7. Configuration "Origins": see the configuration description.
8. Configuration "Allow Origin Port": see the configuration description.
9. Configuration "Allow Origin sub domain": see the configuration description.

      Code

Key related classes/methods and modules, configuration interfaces, and any specific implementation details that help in understanding how it works and provide hints for debugging and fixing.

• Web module: multi-factor-authentication-fido2-web
      • Service module: multi-factor-authentication-fido2-credential-service
      • Registration and verification class: FIDO2BrowserSetupMFAChecker
      • Single credential removing class: RemoveMFAFIDO2CredentialEntryMVCActionCommand
• Class wiring the Yubico WebAuthn library to portal code: MFAFIDO2CredentialRepository
• Configuration interface: MFAFIDO2Configuration
• If any bugs come up in registration, look at the includeSetup() and setup() methods.
• If an exception relates to origins, ports or domains, check whether the admin configuration is set up properly.
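The "Relying Party ID", "Origins", "Allow Origin Port" and "Allow Origin sub domain" settings in the steps above, and the origin/port/domain exceptions mentioned in the debugging hint, both come down to the same origin-matching rule. The following is an added example written for this page; it is not Liferay's or Yubico's code. It assumes the generic WebAuthn interpretation of those four settings (scheme must always match; host must be equal, or a dot-separated subdomain when "Allow Origin sub domain" is on; port must be equal unless "Allow Origin Port" is on; the Relying Party ID must be the origin host or a suffix of it). All sample origins are constructed.

```python
from urllib.parse import urlsplit

# Default ports used when an origin omits one (constructed for this example).
DEFAULT_PORTS = {"https": 443, "http": 80}


def _host_matches(candidate, allowed, allow_subdomain):
    """Exact host match, or a dot-separated subdomain when the setting allows it."""
    if candidate == allowed:
        return True
    # The leading dot matters: "evilexample.com" must not match "example.com".
    return allow_subdomain and candidate.endswith("." + allowed)


def _port(parts):
    """Explicit port, or the scheme default when the origin has none."""
    return parts.port if parts.port is not None else DEFAULT_PORTS.get(parts.scheme)


def rejection_reason(origin, allowed_origins, allow_port=False, allow_subdomain=False):
    """Return None when the client origin is acceptable under the configured
    Origins / Allow Origin Port / Allow Origin sub domain settings; otherwise a
    label naming the setting that would have to change ("port", "subdomain"),
    or "origin" when no configured origin is close enough."""
    o = urlsplit(origin)
    reasons = set()
    for allowed in allowed_origins:
        a = urlsplit(allowed)
        # Scheme must always match; a plain-http origin never satisfies an https one.
        if o.scheme != a.scheme or not o.hostname or not a.hostname:
            continue
        host_ok = _host_matches(o.hostname, a.hostname, allow_subdomain)
        port_ok = allow_port or _port(o) == _port(a)
        if host_ok and port_ok:
            return None
        if host_ok:
            reasons.add("port")  # would pass with "Allow Origin Port"
        elif port_ok and _host_matches(o.hostname, a.hostname, True):
            reasons.add("subdomain")  # would pass with "Allow Origin sub domain"
        else:
            reasons.add("origin")  # the origin itself has to be added to "Origins"
    for key in ("port", "subdomain", "origin"):
        if key in reasons:
            return key
    return "origin"


def origin_allowed(origin, allowed_origins, allow_port=False, allow_subdomain=False):
    """Boolean form of rejection_reason, for callers that only need accept/reject."""
    return rejection_reason(origin, allowed_origins, allow_port, allow_subdomain) is None


def rp_id_valid_for_origin(rp_id, origin):
    """A Relying Party ID must equal the origin's host or be a suffix of it
    (public-suffix checks are omitted in this example)."""
    host = urlsplit(origin).hostname or ""
    if not rp_id:
        return False
    return host == rp_id or host.endswith("." + rp_id)


if __name__ == "__main__":
    # Constructed sample configuration, mirroring the fields on the settings page.
    config = {"rp_id": "example.com", "origins": ["https://example.com"],
              "allow_port": False, "allow_subdomain": False}
    for client_origin in ("https://example.com", "https://example.com:8443",
                          "https://login.example.com", "https://evilexample.com"):
        reason = rejection_reason(client_origin, config["origins"],
                                  config["allow_port"], config["allow_subdomain"])
        print(client_origin, "->", "allowed" if reason is None else reason,
              "| RP ID ok:", rp_id_valid_for_origin(config["rp_id"], client_origin))
```

When an origin-related exception appears, run the failing client origin through rejection_reason with the instance's current settings: the returned label points at the single setting (port, subdomain, or the Origins list itself) that needs attention, and the lookalike-domain case shows why the subdomain rule must compare on a dot boundary rather than a plain suffix.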

            People

              arthur.chen Arthur Chen
              nora.szel Nóra Szél
              Zsigmond Rab Zsigmond Rab