Integration of User Login with FIDO-Based Authentication
  • 16 Oct 2024

OneSpan Cloud Authentication allows you to integrate FIDO-based authentication in your solution. It supports the following FIDO protocols:

  • FIDO UAF (Universal Authentication Framework)

  • FIDO2

For more information about the FIDO UAF and FIDO2 protocols, see FIDO-based authentication.

Prerequisites for a FIDO-based authentication

To ensure successful FIDO-based authentication, the following prerequisites must be met:

  • The user must exist in OneSpan Cloud Authentication.

  • The user must be assigned to a registered tenant.

  • FIDO has been configured for the relevant tenant in the Tenant Configuration service.

  • The user must have a registered FIDO authenticator.

  • A relying party instance with defined policies must have been created.

FIDO-based authentication flow

Sequence of a user login operation via FIDO-based authentication

  1. The user starts the login operation and triggers the web server to initiate the authentication to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/generate-fido-authentication-request endpoint.

  2. The OneSpan Trusted Identity platform API initializes the authentication request to the FIDO Server.

  3. The FIDO Server retrieves the policies associated with the user and generates an authentication request that is sent to the OneSpan Trusted Identity platform API.

    These policies define which authenticator is authorized to be used for authentication.

  4. The OneSpan Trusted Identity platform API receives the request and sends it to the web server.

  5. The web server forwards the authentication request to the app.

  6. The app communicates with the FIDO authenticator to generate an authentication response.

  7. The app forwards the authentication response to the web server, which forwards the response to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/login endpoint.

  8. The OneSpan Trusted Identity platform API finalizes the authentication with the FIDO Server.

  9. The FIDO Server verifies the authentication response and sends the result to the OneSpan Trusted Identity platform API.

  10. The OneSpan Trusted Identity platform API receives the success response and sends it to the web server.

  11. The web server sends this verification response to the app, which completes the authentication operation.

To integrate user login with FIDO-based authentication

  1. Issue an authentication request with the POST /users/{userID@domain}/generate-fido-authentication-request endpoint.

    • Payload:

      • fidoProtocol: UAF11, FIDO2

      • authenticationMessage (UAF only)
        Contains a message that is shown on the built-in display of a UAF authenticator.

      • userVerification: required, preferred, discouraged (FIDO2 only)

    • Response body:

      • authenticationRequest

      • requestID

      • uafStatusCode
        For a full list of UAF status codes, refer to the FIDO alliance documentation.
        For FIDO2, this field will return null.

  2. Issue a login request with the POST /users/{userID@domain}/login endpoint.

    • Payload:

      • objecttype: "LoginInput"

      • credentials

        • fidoAuthenticator

          • authenticationResponse

      • requestID

    • Response body:
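The two-call exchange in the integration steps above (generate the authentication request, hand it to the app and its authenticator, submit the signed response with the same requestID), written out as an added example in Python. This is not OneSpan code. Assumptions not taken from the page: the API is reached through an injectable post(path, payload) callable returning (HTTP status, parsed JSON), so the flow runs offline against the constructed FakeApi below and in production against a small wrapper over your HTTP client; the FakeApi behaviour and its login response body are made up for the demo; and the UAF "OK" status value 1200 is taken from the FIDO Alliance UAF status-code list, which the page only refers to.

```python
"""Two-call FIDO login against the endpoints documented above (added example, not OneSpan code).

Assumptions (not from the page): the API is reached through an injectable
``post(path, payload) -> (status, json_body)`` callable, so the flow runs offline
against the constructed ``FakeApi`` below and in production against a wrapper
over your HTTP client; ``FakeApi`` and its login response body are made up.
"""
from __future__ import annotations

from typing import Any, Callable, Dict, Optional, Tuple
from urllib.parse import quote

# Payload values the page documents.
FIDO_PROTOCOLS = ("UAF11", "FIDO2")
USER_VERIFICATION = ("required", "preferred", "discouraged")
UAF_STATUS_OK = 1200  # "OK" in the FIDO Alliance UAF status-code list (assumption: from the UAF spec, not this page)

PostFn = Callable[[str, Dict[str, Any]], Tuple[int, Dict[str, Any]]]


def build_authentication_request(fido_protocol: str,
                                 authentication_message: Optional[str] = None,
                                 user_verification: Optional[str] = None) -> Dict[str, Any]:
    """Step 1 payload; enforces the UAF-only / FIDO2-only field rules from the page."""
    if fido_protocol not in FIDO_PROTOCOLS:
        raise ValueError(f"unsupported fidoProtocol: {fido_protocol!r}")
    payload: Dict[str, Any] = {"fidoProtocol": fido_protocol}
    if authentication_message is not None:
        if fido_protocol != "UAF11":
            raise ValueError("authenticationMessage is valid for UAF only")
        payload["authenticationMessage"] = authentication_message
    if user_verification is not None:
        if fido_protocol != "FIDO2":
            raise ValueError("userVerification is valid for FIDO2 only")
        if user_verification not in USER_VERIFICATION:
            raise ValueError(f"invalid userVerification: {user_verification!r}")
        payload["userVerification"] = user_verification
    return payload


def build_login_request(request_id: str, authentication_response: str) -> Dict[str, Any]:
    """Step 2 payload: the requestID from step 1 binds the signed response to its challenge."""
    if not request_id or not authentication_response:
        raise ValueError("requestID and authenticationResponse are required")
    return {
        "objecttype": "LoginInput",
        "credentials": {"fidoAuthenticator": {"authenticationResponse": authentication_response}},
        "requestID": request_id,
    }


def fido_login(post: PostFn, user_id: str, fido_protocol: str,
               sign_with_authenticator: Callable[[str], str], **opts: Any) -> Dict[str, Any]:
    """Web-server side of the flow: generate the request, let the app/authenticator
    answer it, then submit the answer with the same requestID. Returns the login body."""
    user_path = quote(user_id, safe="@")  # userID@domain as one path segment
    status, body = post(f"/users/{user_path}/generate-fido-authentication-request",
                        build_authentication_request(fido_protocol, **opts))
    if status != 200:
        raise RuntimeError(f"generate-fido-authentication-request returned {status}")
    # uafStatusCode is null for FIDO2 (per the page) and must be OK for UAF.
    if fido_protocol == "UAF11" and body.get("uafStatusCode") != UAF_STATUS_OK:
        raise RuntimeError(f"UAF status {body.get('uafStatusCode')}")
    # Flow steps 5-7: the app has the registered authenticator produce the response.
    authentication_response = sign_with_authenticator(body["authenticationRequest"])
    status, login_body = post(f"/users/{user_path}/login",
                              build_login_request(body["requestID"], authentication_response))
    if status != 200:
        raise RuntimeError(f"login returned {status}: {login_body}")
    return login_body


class FakeApi:
    """Constructed stand-in for the platform API + FIDO Server, for offline runs only.
    It hands out a one-time requestID and rejects logins whose requestID is unknown,
    already used, or whose response does not match the challenge it issued."""

    def __init__(self) -> None:
        self.pending: Dict[str, str] = {}  # requestID -> issued challenge
        self.calls: list = []

    def post(self, path: str, payload: Dict[str, Any]) -> Tuple[int, Dict[str, Any]]:
        self.calls.append((path, payload))
        if path.endswith("/generate-fido-authentication-request"):
            rid = f"req-{len(self.calls)}"
            self.pending[rid] = f"challenge-for-{rid}"
            code = UAF_STATUS_OK if payload["fidoProtocol"] == "UAF11" else None
            return 200, {"authenticationRequest": self.pending[rid], "requestID": rid,
                         "uafStatusCode": code}
        if path.endswith("/login"):
            rid = payload.get("requestID")
            if payload.get("objecttype") != "LoginInput" or rid not in self.pending:
                return 400, {"error": "unknown or already used requestID"}
            challenge = self.pending.pop(rid)  # one-time use: a replay fails here
            given = payload["credentials"]["fidoAuthenticator"]["authenticationResponse"]
            if given != "signed:" + challenge:
                return 401, {"error": "authentication response rejected"}
            return 200, {"authenticated": True}  # constructed body; the page leaves this unspecified
        return 404, {"error": "no such endpoint"}


if __name__ == "__main__":
    api = FakeApi()
    print(fido_login(api.post, "alice@example.com", "FIDO2",
                     lambda challenge: "signed:" + challenge, user_verification="preferred"))
```

The point worth carrying into a real integration is the binding between the two calls: the web server should only ever submit a login with the requestID it received for that user and that session, and should treat a non-OK uafStatusCode (or a non-null one on the FIDO2 path) as a failed attempt rather than proceeding to the authenticator.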

