FIDO2 ceremonies
  • 16 Jan 2025


FIDO2 provides the following ceremonies:

  • Registration
  • Authentication

FIDO2 registration

Figure: FIDO2 registration ceremony

  1. The client initiates the registration ceremony using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Registering.generatePublicKeyCredentialCreationOptions() SDK method.
  2. The FIDO2 server returns a PublicKeyCredentialCreationOptions object, which contains the RP and user data, a challenge, the authenticator selection criteria, and so on.
  3. The client-side JavaScript invokes navigator.credentials.create() of the WebAuthn API in the web browser.
  4. The client submits the RP and user data, together with a hash of the client data (the operation type, the challenge, and the origin), to the roaming authenticator.
  5. The authenticator challenges the user for verification.
  6. The authenticator generates a new key pair for the user and an attestation signature.
  7. The authenticator returns the credential identifier, the public key, and the attestation object to the client.
  8. The client finalizes the registration using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Registering.finalizeRegistration() SDK method.
  9. The FIDO2 server validates the attestation signature and, if it is valid, stores the public key associated with the user. This completes the registration ceremony.

Refer to the relying party endpoints implementation in the sample web application for examples of how to implement the REST API of the relying party.

FIDO2 authentication

Figure: FIDO2 authentication ceremony

  1. The client initiates the authentication ceremony using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Authenticating.generatePublicKeyCredentialRequestOptions() SDK method.
  2. The FIDO2 server returns a PublicKeyCredentialRequestOptions object, which contains the RP identifier, a challenge, timeout parameters, and so on.
  3. The client-side JavaScript invokes navigator.credentials.get() of the WebAuthn API in the web browser.
  4. The client submits the RP identifier and a hash of the client data (the operation type, the challenge, and the origin) to the roaming authenticator.
  5. The authenticator challenges the user for verification.
  6. The authenticator generates an assertion signed with the user's private key.
  7. The authenticator returns the authenticator data and the signature to the client.
  8. The client finalizes the authentication using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Authenticating.finalizeAuthentication() SDK method.
  9. The FIDO2 server validates the signature with the public key it stored for the user during registration. This completes the authentication ceremony.

Refer to the relying party endpoints implementation in the sample web application for examples of how to implement the REST API of the relying party.
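The browser-side JavaScript that drives both ceremonies described above (the client's steps 1, 3 and 8 of each, with the binary-to-base64url conversions the JSON transport needs), as an added example that is not code from this page, from the SDK or from the sample web application. The endpoint paths and the `username` request field are assumptions.

```javascript
// Assumed RP endpoint paths and `username` field; the real sample application may differ.
// Options arrive from the RP as JSON, so binary fields (challenge, user.id, credential ids)
// are base64url strings, while navigator.credentials.* expects ArrayBuffers.
function b64urlToBuf(s) {
  const pad = "=".repeat((4 - (s.length % 4)) % 4);
  const bin = atob(s.replace(/-/g, "+").replace(/_/g, "/") + pad);
  return Uint8Array.from(bin, (c) => c.charCodeAt(0)).buffer;
}
function bufToB64url(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}
// Step 2 of either ceremony: decode the binary members of the options the server returned,
// leaving rp, pubKeyCredParams, timeout and the other plain JSON members untouched.
function decodeOptions(opts) {
  const out = { ...opts, challenge: b64urlToBuf(opts.challenge) };
  if (opts.user) out.user = { ...opts.user, id: b64urlToBuf(opts.user.id) };
  for (const key of ["excludeCredentials", "allowCredentials"]) {
    if (opts[key]) out[key] = opts[key].map((c) => ({ ...c, id: b64urlToBuf(c.id) }));
  }
  return out;
}
// Steps 7 to 8: serialize the authenticator's result for the finalize endpoint. Registration
// yields an attestationObject; authentication yields authenticatorData plus a signature.
function encodeCredential(cred) {
  const r = cred.response;
  const response = { clientDataJSON: bufToB64url(r.clientDataJSON) };
  if (r.attestationObject) response.attestationObject = bufToB64url(r.attestationObject);
  if (r.authenticatorData) {
    response.authenticatorData = bufToB64url(r.authenticatorData);
    response.signature = bufToB64url(r.signature);
    if (r.userHandle) response.userHandle = bufToB64url(r.userHandle);
  }
  return { id: cred.id, rawId: bufToB64url(cred.rawId), type: cred.type, response };
}
async function postJson(url, body) {
  const res = await fetch(url, { method: "POST", credentials: "same-origin",
    headers: { "Content-Type": "application/json" }, body: JSON.stringify(body) });
  if (!res.ok) throw new Error(`${url} failed with HTTP ${res.status}`);
  return res.json();
}
// Registration: the browser performs steps 4 to 7 with the authenticator inside create().
async function register(username) {
  const options = await postJson("/fido2/register/options", { username });
  const cred = await navigator.credentials.create({ publicKey: decodeOptions(options) });
  return postJson("/fido2/register/finalize", encodeCredential(cred));
}
// Authentication: same shape, using get() and the request-options endpoint.
async function authenticate(username) {
  const options = await postJson("/fido2/authenticate/options", { username });
  const cred = await navigator.credentials.get({ publicKey: decodeOptions(options) });
  return postJson("/fido2/authenticate/finalize", encodeCredential(cred));
}
```

The finalize endpoints are where the RP checks the client data hash against its own challenge and origin before validating the signature (step 9), so the client must not be trusted to have done that.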
