Token binding


FIDO2 uses the Token Binding feature as an additional means of security. Token Binding is a TLS extension that helps to prevent MITM (man-in-the-middle) attacks by tying tokens to the TLS connection over which they are issued and presented. The extension has to be negotiated during the TLS handshake: the client has to request it in the ClientHello message. The OneSpan FIDO2 SDK is capable of verifying token binding, but the binding itself has to be obtained from the TLS channel: the sec-token-binding header has to be delivered with the request, parsed at the service layer, and then passed to the SDK. For more information, refer to:

  • The com.onespan.tid.fido.fido2.common.TokenBindingHandlerImpl class in the sample web application.
  • The entire com.onespan.fido.fido2.clientdata.tokenbinding package in the FIDO2 SDK.
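The following is an added illustration of the two steps described above, written in Python rather than as a call into the SDK, and it is not code from the OneSpan FIDO2 SDK or its sample application. It parses a sec-token-binding header according to the TokenBindingMessage layout of RFC 8471, extracts the provided Token Binding ID, and then applies the WebAuthn check that the clientData tokenBinding field matches what the TLS channel actually negotiated. The header value and client data are constructed samples (the key point and signature bytes are dummies); the signature over the TLS exported keying material is deliberately not verified here, because that needs the TLS layer's EKM.

```python
import base64, json, struct

def b64url_decode(s):  # base64url without padding, as used by both headers and clientData
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def b64url_encode(b):
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()

def provided_token_binding_id(header_value):
    """Return the serialized TokenBindingID (key_parameters || key_length || key) of the
    provided_token_binding (type 0) carried in a sec-token-binding header, or None."""
    msg = b64url_decode(header_value)
    (total,) = struct.unpack(">H", msg[:2])          # TokenBindingMessage: 2-byte length prefix
    body = msg[2:2 + total]
    if len(body) != total:
        raise ValueError("truncated TokenBindingMessage")
    pos, found = 0, None
    while pos < len(body):
        tb_type = body[pos]                           # 0 = provided, 1 = referred
        (key_len,) = struct.unpack(">H", body[pos + 2:pos + 4])
        tbid = body[pos + 1:pos + 4 + key_len]        # TokenBindingID struct, serialized
        pos += 4 + key_len
        (sig_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2 + sig_len   # signature<>
        (ext_len,) = struct.unpack(">H", body[pos:pos + 2]); pos += 2 + ext_len   # extensions<>
        if tb_type == 0:
            found = tbid
    if pos != len(body):
        raise ValueError("malformed TokenBinding list")
    return found

def check_client_data_token_binding(client_data_json, connection_tbid):
    """WebAuthn rule: tokenBinding.status must match the TLS connection's state, and if
    token binding was used, tokenBinding.id must equal base64url(Token Binding ID)."""
    tb = json.loads(client_data_json).get("tokenBinding")
    status = tb.get("status") if tb else None
    if connection_tbid is None:                        # nothing negotiated on this channel
        return status in (None, "supported")           # "present" would be a false claim
    return status == "present" and tb.get("id") == b64url_encode(connection_tbid)

# Constructed sample: one provided_token_binding with an ecdsap256 key (dummy bytes).
_POINT = b"\x04" + bytes(range(64))                                    # uncompressed P-256 point
_TBID = bytes([2]) + struct.pack(">H", len(_POINT) + 1) + bytes([len(_POINT)]) + _POINT
_TB = bytes([0]) + _TBID + struct.pack(">H", 64) + bytes(64) + struct.pack(">H", 0)
SAMPLE_HEADER = b64url_encode(struct.pack(">H", len(_TB)) + _TB)
SAMPLE_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": "c2FtcGxl",
    "origin": "https://rp.example", "tokenBinding": {"status": "present", "id": b64url_encode(_TBID)}})
```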