- 22 Oct 2024
- 4 Minutes à lire
- SombreLumière
Management of FIDO Authenticators
- Mis à jour le 22 Oct 2024
- 4 Minutes à lire
- SombreLumière
OneSpan Cloud Authentication offers consolidated authenticator management for FIDO2 and FIDO UAF as well as specific authenticator management for FIDO UAF only.
Consolidated authenticator management for FIDO2 and FIDO UAF
With a dedicated API to query FIDO-based authenticators, OneSpan Cloud Authentication offers consolidated authenticator management for both FIDO2 and FIDO UAF-based authenticators. This helps both administrators and end users to find and distinguish specific authenticators.
To find out which authenticators are used, you can query OneSpan Cloud Authentication for a specific user as well as for all users and list their authenticators. Also, end users can list their authenticators to know which authenticators they have registered. To enable this type of authenticator management, OneSpan Cloud Authentication uses the following parameters created during the registration of a FIDO-based authenticator:
Registration ID
OneSpan Cloud Authentication generates a specific ID for each registration.
Customized registration name of the user
During the registration process of a FIDO authenticator, users can provide a customized registration name (registration alias). If not provided, OneSpan Cloud Authentication uses the description of the relevant metadata and creates this customized name.
Registration time
Registration type
This can by FIDO2 or UAF11, as applicable.
AAID (returned for FIDO UAF only).
KeyID (returned for FIDO UAF only)
Any one or a combination of several of these parameters can be used to list, update, deregister, and delete specific authenticators for one or more specified users.
This feature is also available in the FIDO2 Bank Demo Web App to demonstrate the authenticator management for FIDO2 authenticators. For more information, see FIDO2 Bank Demo Web App.
Find registrations
This option allows end users to know which authenticators are registered for them and administrators to know which authenticators are used in OneSpan Cloud Authentication. Find FIDO authenticator registrations:
for a specific user
for a registration type
for a specific user and a certain registration type
for all users and a certain registration type
To find FIDO authenticator registrations
Issue a get fido registrations request with the GET /fido-registrations endpoint.
Query parameters:
userID@domain
Unique identifier for the user, formatted as userID@domain.
If userID@domain is not provided, all registrations for all users will be returned.
registrationType
If registrationType is not provided, FIDO2 and UAF registrations will be returned.
Response body:
userID@domain
Unique identifier for the user, formatted as userID@domain.
registrationID
registrationAlias
registrationType
registrationTime
AAID (FIDO UAF registrations only)
KeyID (FIDO UAF registrations only)
Update user registration name
You can update the customized registration name of the user that was generated during the registration of the FIDO authenticator. When you issue a GET fido registrations request, you will receive the registration ID in the response. You can use this registration ID to update the registration name.
To change the customized registration name with the registration ID
Issue an update fido registrations request with the PATCH /fido-registrations/{registrationID} endpoint.
Path parameter:
registrationID
This is the unique identifier of the registration to be updated.
Payload:
registrationAlias
This is the registration name.
Response body:
userID@domain
registrationID
registrationAlias
registrationType
registrationTime
AAID (FIDO UAF registrations only)
KeyID (FIDO UAF registrations only)
Delete registrations
With this, administrators can deregister and/or delete specific authenticators for one or more specified users.When you issue a GET fido registrations request, you will receive the registration ID in the response. You can use this registration ID to delete the registration.
To delete a FIDO authenticator registration
Issue a delete fido registrations request with the DELETE /fido-registrations/{registrationID} endpoint.
Path parameter:
registrationID
This is the unique identifier of the registration to be deleted.
FIDO UAF-only authenticator management
OneSpan Cloud Authentication offers the option to specifically deregister and delete FIDO authenticators that have been registered using the FIDO UAF protocol.
Deregistration of a FIDO UAF authenticator
Prerequisites for removing a previously registered FIDO-based authenticator
The following prerequisites must be met before the deregistration process can be started:
The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.
Sequence of the deregistration of a FIDO UAF authenticator
The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API via the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.
The OneSpan Trusted Identity platform API sends the request to the FIDO Server.
The FIDO Server removes the authenticator and sends a deregistration response to the OneSpan Trusted Identity platform API.
The OneSpan Trusted Identity platform API forwards this response to the web server.
The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.
If all authenticators that belong to a FIDO user have been deregistered, the FIDO user is automatically deleted.
To remove a previously registered FIDO-based authenticator
Issue a deregister fido uaf authenticator request with the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.
Payload:
aaid
Response body:
deregistrationRequest
uafStatusCode
For a full list of UAF status codes, refer to the FIDO alliance documentation.
Deregistration of individual keys from an authenticator
Instead of completely deregistering an authenticator, individual keys can be removed from the authenticator and FIDO Server. The FIDO protocols use public-key cryptography techniques to provide stronger authentication. During registration, a new key pair is created that is unique to the user, authenticator, and to the AppId. The private key is retained within the authenticator, while the public key is stored on the FIDO Server.
It is only possible to remove individual keys from an authenticator if they have been registered using the UAF protocol.
Prerequisites for the removal of individual keys on a previously registered FIDO-based authenticator
The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.
Sequence of the removal of individual keys on a previously registered FIDO-based authenticator
The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API via the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.
The OneSpan Trusted Identity platform API sends the request to the FIDO Server.
The FIDO Server removes the keys and sends a deregistration response to the OneSpan Trusted Identity platform API.
The OneSpan Trusted Identity platform API forwards this response to the web server.
The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.
To remove individual keys on a previously registered FIDO-based authenticator
Issue a deregister fido uaf keys request with the POST /users/{userID@domain}/deregister-fido-uaf-keys endpoint.
Payload:
aaid
keyID
Response body:
deregistrationRequest