Integration considerations
  • 17 Jan 2025


The OneSpan FIDO2 SDK contains many features, not all of which will apply to your specific use case. The SDK is designed to offer functionality that scales to the needs of your organization. The sections below describe points to consider when integrating the SDK.

Challenge replay attacks

From a high-level perspective, when implementing the SDK-based logic, each registration or authentication request (the first incoming message) must be correlated with its corresponding response (the second incoming message). Correlation alone, however, does not resist replay attacks. Exactly one response should be accepted for a given request, so the integrating application must implement a mechanism that rejects a second message whose challenge has already been handled once. In addition, it is good practice to reject second messages that arrive after a certain amount of time (process timeout), and to always reject incoming second messages that cannot be tied to any process initiated by a first message.

The FIDO2 SDK also supports the Token Binding mechanism, which adds another layer of protection against man-in-the-middle and replay attacks. To work properly, this feature must be supported by the client, the authenticator, and the server at the same time. In practice, mainstream browsers have dropped Token Binding support, so treat it as defence in depth rather than as the primary replay control; the challenge handling described above must be in place regardless.

The FIDO2 SDK does not provide any storage or deregistration mechanism on its own, nor does it define an interface for implementing one. Any application that uses the authentication functionality of the OneSpan FIDO2 SDK must therefore supply its own storage, both for temporary session state (the pending challenge and the context it was issued in) and for permanent data (the registered credentials), together with methods to manage that data and to save the resulting credentials received from the SDK.
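The rules in the two sections above (one accepted response per challenge, a process timeout, rejection of responses not tied to an initiated process, and integrator-provided storage for session state and credentials, including deregistration) are illustrated by the following added example. It is not OneSpan FIDO2 SDK code and does not use the SDK's API: the class and method names (CeremonyStore, CredentialStore, begin, complete, deregister) are hypothetical, the SDK's request and response objects are stood in for by plain values, and the credential saved in the demo is constructed.

```python
# Added illustration, not OneSpan FIDO2 SDK code: a relying-party side store
# enforcing the rules above (single-use challenge, process timeout, correlation
# of second message to first) plus the credential storage and deregistration
# the SDK leaves to the integrator. All names are hypothetical; the SDK's own
# request/response objects are stood in for by plain values.
import os
import time
from dataclasses import dataclass

class ChallengeError(Exception):
    """Raised when a second (response) message must be rejected."""

@dataclass
class PendingCeremony:
    user_id: str
    ceremony: str      # "registration" or "authentication"
    created_at: float  # clock reading when the first message was handled

class CeremonyStore:
    """Temporary session store: one issued challenge -> one pending ceremony."""

    def __init__(self, timeout_s: float = 120.0, clock=time.monotonic):
        self._pending: dict[bytes, PendingCeremony] = {}
        self._timeout_s = timeout_s
        self._clock = clock  # injectable so the timeout path can be exercised

    def begin(self, user_id: str, ceremony: str) -> bytes:
        """First message: issue an unpredictable challenge and record its context."""
        challenge = os.urandom(32)
        self._pending[challenge] = PendingCeremony(user_id, ceremony, self._clock())
        return challenge

    def complete(self, challenge: bytes, user_id: str, ceremony: str) -> PendingCeremony:
        """Second message: consume the challenge exactly once, then check the
        timeout and the correlation. Every failure is a hard reject."""
        pending = self._pending.pop(challenge, None)  # single use, even on failure
        if pending is None:
            raise ChallengeError("unknown or already-used challenge")
        if self._clock() - pending.created_at > self._timeout_s:
            raise ChallengeError("challenge expired (process timeout)")
        if pending.user_id != user_id or pending.ceremony != ceremony:
            raise ChallengeError("response does not match the initiated process")
        return pending

@dataclass
class StoredCredential:
    credential_id: bytes
    public_key: bytes  # opaque here: whatever encoding the SDK hands back
    sign_count: int

class CredentialStore:
    """Permanent store for credentials the SDK returns after registration,
    plus the deregistration the SDK does not implement."""

    def __init__(self):
        self._by_user: dict[str, dict[bytes, StoredCredential]] = {}

    def save(self, user_id: str, cred: StoredCredential) -> None:
        self._by_user.setdefault(user_id, {})[cred.credential_id] = cred

    def lookup(self, user_id: str, credential_id: bytes):
        return self._by_user.get(user_id, {}).get(credential_id)

    def deregister(self, user_id: str, credential_id: bytes) -> bool:
        return self._by_user.get(user_id, {}).pop(credential_id, None) is not None

def _rejected(fn) -> bool:
    try:
        fn()
    except ChallengeError:
        return True
    return False

def demo() -> dict:
    """Walks through the cases listed in the text with a controllable clock."""
    now = [1000.0]
    sessions = CeremonyStore(timeout_s=120.0, clock=lambda: now[0])
    creds = CredentialStore()
    r = {}
    # Normal registration: one first message, then exactly one second message.
    ch = sessions.begin("alice", "registration")
    sessions.complete(ch, "alice", "registration")
    creds.save("alice", StoredCredential(b"cred-1", b"<constructed-key>", 0))
    r["registered"] = creds.lookup("alice", b"cred-1") is not None
    # Replay: the same second message presented again.
    r["replay_rejected"] = _rejected(lambda: sessions.complete(ch, "alice", "registration"))
    # Timeout: a response arriving after the process timeout.
    ch2 = sessions.begin("alice", "authentication")
    now[0] += 121.0
    r["expired_rejected"] = _rejected(lambda: sessions.complete(ch2, "alice", "authentication"))
    # Unrelated: a second message for a challenge that was never issued.
    r["unknown_rejected"] = _rejected(lambda: sessions.complete(os.urandom(32), "alice", "authentication"))
    # Mis-correlated: an authentication challenge answered as a registration.
    ch3 = sessions.begin("alice", "authentication")
    r["mismatch_rejected"] = _rejected(lambda: sessions.complete(ch3, "alice", "registration"))
    # Deregistration is the integrator's job as well.
    r["deregistered"] = creds.deregister("alice", b"cred-1") and creds.lookup("alice", b"cred-1") is None
    return r
```

The essential property is in `complete`: the challenge is removed from the temporary store before any other check runs, so a replayed, expired or mis-correlated response can never be retried against the same challenge. In a deployment with several server instances, the temporary store must be shared (a database or cache) and the "remove and return" step must be atomic there, otherwise two instances can each accept one copy of the same response; the in-memory dictionary above is single-process and unsynchronised, so add a lock or use the datastore's atomic delete if several threads handle responses.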

