

      Confluence page


      Why does this feature exist?

      Because FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments.

      Who needed it?

      End users who need stronger authentication protection.

      What problem does it solve?

      This security model eliminates the risks of phishing, all forms of password theft and replay attacks.

      How can it be used by the user or developer?

      An end user authenticates with their authenticator (e.g. a hardware security key or a fingerprint reader).

      How does it make life easier?

      Instead of memorizing and typing a long, strong password, users can unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.


      What does this feature do? For example, does it let you add/change/delete anything?

      This feature allows users to set up their preferred authenticators for later identity authentication.

      Can a developer modify or customize any of these features?


      Testing Notes

      If you don't have a hardware key to test this function, a fingerprint reader also works for testing it. If you don't have that possibility either, you can use this browser plugin:

      To use the plugin, you have to enable the virtual authenticator in the browser's DevTools. In our experience, when you test registering multiple keys, you may need to remove the previously generated key before you register the next one in the row.


      List the steps a user needs to perform in order to use this feature.

      Once the instance admin has enabled FIDO2:

      1. The user goes to User Settings -> Multi-Factor Authentication -> Fast Identity Online 2.
      2. Click the "Register an authenticator" button, then confirm on the authenticator (for example, a USB hardware key).
      3. Depending on the maximum number of authenticators configured by the admin, a user may register more than one.
      4. After this, the user can use the authenticator to log in.


      Key related classes/methods and modules, configuration interfaces; any specific implementation details that help in understanding how it works and provide hints for debugging and fixing.

      • Web module: multi-factor-authentication-fido2-web
      • Service module: multi-factor-authentication-fido2-credential-service
      • Registration and verification class: FIDO2BrowserSetupMFAChecker
      • Single credential removing class: RemoveMFAFIDO2CredentialEntryMVCActionCommand
      • Wiring class between the Yubico WebAuthn library and portal code: MFAFIDO2CredentialRepository
      • Configuration interface: MFAFIDO2Configuration
      • If any bugs come up in registration, look at the includeSetup() and setup() methods.
      • If any exception relates to origins, ports or domains, check that the admin configuration is properly set up.


              arthur.chen Arthur Chen
              nora.szel Nóra Szél
              Zsigmond Rab Zsigmond Rab
      Version Package: 7.3.6 CE GA7