• Iteration 45, Iteration 46, Iteration 47, Iteration 48, Iteration 49, Iteration 50, AppSec Iteration 51, AppSec Iteration 52, AppSec Iteration 53, AppSec Iteration 54, AppSec Iteration 55, AppSec Iteration 56
    • Deployment


      Confluence page


      Why does this feature exist?

      Because FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

      Who needed it?

      End users who need stronger authentication protection and service owners who need to protect service users.

      What problem does it solve?

      This security model eliminates the risks of phishing, all forms of password theft and replay attacks.

      How can it be used by the user or developer?

      An end user uses his/her authenticator(ie. a hardware key, fingerprint or etc) to authenticate.

      How does it make life easier?

      Instead of memorizing and typing a long strong of password, users can unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.


      What does this feature do? For example, does it let you add/change/delete anything?

      This feature allows instance admin to configure FIDO2 per instance.

      Can a developer modify or customize any of these features?



      List the steps a user needs to perform in order to use this feature.

      In order to enable FIDO2 for an instance:

      1. Instance admin needs to go to instance settings --> multi-factor-authentication
      2. First enable Email OTP
      3. Then go to Fast Identity Online 2 configuration page
      4. Configuration "Relying Party Name": instance admin can choose whatever name for this field.
      5. Configuration "Allowed Credentials Per User": instance admin can set the number of maximum number of authenticators a user can register.
      6. Configuration "Relying Party ID": see configuration description
      7. Configuration "Origins": see configuration description
      8. Configuration "Allow Origin Port": See configuration description
      9. Configuration "Allow Origin sub domain": See configuration description


      Key related classes/methods and modules, configuration interfaces; any specific implementation details that helps understanding how it works, provides hints for debugging and fixing.

      • Web module: mult-factor-authentication-fido2-web
      • Service module: multi-factor-authentication-fido2-credential-service
      • Registration and verification class: FIDO2BrowserSetupMFAChecker
      • Single credential removing class: RemoveMFAFIDO2CredentialEntryMVCActionCommand
      • Wiring class between yubico webauthn lib and portal code class: MFAFIDO2CredentialRepository
      • Configuration interface: MFAFIDO2Configuration
      • If any bugs come up in registration, then look for includeSetup() and setup() methods
      • If any exception relates to origins, ports, domain, then look for if admin configuration is properly setup.


        Issue Links



              arthur.chen Arthur Chen
              nora.szel Nóra Szél
              Zsigmond Rab Zsigmond Rab
              0 Vote for this issue
              1 Start watching this issue




                  Version Package