Integration of the Registration and Deregistration of a FIDO-Based Authenticator
  • 15 Oct 2024
  • 1 Minute à lire
  • Sombre
    Lumière

Integration of the Registration and Deregistration of a FIDO-Based Authenticator

  • Sombre
    Lumière

The content is currently unavailable in French. You are viewing the default English version.
Résumé de l’article

Before you can use FIDO-based authentication for OneSpan Cloud Authentication, a FIDO authenticator must be registered for the UAF or FIDO2 protocol.

For information about deregistration and authenticator management, see Management of FIDO authenticators.

Prerequisites for the registration of a FIDO-based authenticator

The following prerequisites must be met before the registration process can be started:

  • The user must exist in the OneSpan Trusted Identity platform.

  • The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.

FIDO-based authenticator registration flow

Sequence of registering a FIDO-based authenticator

  1. The app starts the registration process. This triggers the web server to initiate the registration to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/generate-fido-registration-request endpoint.

  2. The OneSpan Trusted Identity platform API initializes the registration with the FIDO Server.

  3. The FIDO Server generates a registration response that is sent to the OneSpan Trusted Identity platform API.

  4. The OneSpan Trusted Identity platform API receives the registration request and sends it to the web server.

  5. The web server forwards the request to the app.

  6. The app communicates with the FIDO authenticator to generate a registration response.

  7. The app forwards the registration response to the web server, which forwards the response to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/register-fido-device endpoint.

  8. The OneSpan Trusted Identity platform API finalizes the registration with the FIDO Server.

  9. The FIDO Server verifies the registration response that is sent to the OneSpan Trusted Identity platform API.

  10. The OneSpan Trusted Identity platform API receives the success response and sends it to the web server.

  11. To conclude the registration process, the web server sends this verification response to the app.

The FIDO authenticator is now registered and ready to be used for passwordless authentication.

To register a FIDO-based authenticator

  1. Issue a registration request with POST /users/{userID@domain}/generate-fido-registration-request.

    • Payload:

      • fidoProtocol: UAF11, FIDO2

      • displayName (FIDO2 only)

      • authenticatorSelection (FIDO2 only)

        • (Optional) authenticatorAttachment: platform, cross-platform

        • userVerification: required, preferred, discouraged

        • requireResidentKey: true, false

      • attestation: none, indirect, direct (FIDO2 only)

    • Response body:

      • registrationRequest

      • requestID (FIDO2 only)

      • uafStatusCode

        For a full list of UAF status codes, refer to the FIDO alliance documentation.

        For FIDO2, this field will return null.

  2. Issue a register fido device request with POST /users/{userID@domain}/register-fido-device.

    • Payload:

      • fidoProtocol: UAF11, FIDO2

      • registrationResponse

      • requestID (FIDO2 only)

    • Response body:


Cet article vous a-t-il été utile ?

Changing your password will log you out immediately. Use the new password to log back in.
First name must have atleast 2 characters. Numbers and special characters are not allowed.
Last name must have atleast 1 characters. Numbers and special characters are not allowed.
Enter a valid email
Enter a valid password
Your profile has been successfully updated.
ESC

Ozzy, facilitant la découverte de connaissances grâce à l’intelligence conversationnelle