FIDO UAF ceremonies


FIDO UAF provides the following ceremonies:

  • Registration
  • Authentication
  • Transaction confirmation
  • Deregistration

FIDO UAF registration

Figure: FIDO UAF registration ceremony

  1. The client initiates the registration ceremony using the initiate registration REST API endpoint of the relying party. Internally, this endpoint calls the Registering.prepareRequests() SDK method to prepare the registration request.
  2. The FIDO UAF server returns a registration request with a challenge and a policy.
  3. The client submits the request to the authenticator, and the authenticator challenges the user for verification. The authenticator generates a new key pair for the user and creates a signature.
  4. The client finalizes the registration using the registration finalize API endpoint of the relying party. Internally, this endpoint calls the Registering.register() SDK method with the response received from the authenticator passed as parameter.
  5. The FIDO UAF server validates the response and, if valid, stores the public key associated with the user. This completes the registration ceremony.

FIDO UAF authentication

Figure: UAF authentication ceremony

  1. The client initiates the authentication ceremony using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Authenticating.prepareRequests() SDK method.
  2. The FIDO UAF server returns an authentication request with a challenge and a policy.
  3. The client submits the request to the authenticator, and the authenticator challenges the user for verification. The authenticator unlocks the user's private key and signs the challenge with it.
  4. The client finalizes the authentication using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Authenticating.authenticate() SDK method.
  5. The FIDO UAF server validates the response using the user's public key that is already stored. This completes the authentication ceremony.

FIDO UAF transaction confirmation

Figure: UAF transaction confirmation ceremony

  1. The client initiates the transaction confirmation using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Authenticating.prepareRequests() SDK method with the transaction content (transactionContent) passed as parameter.
  2. The FIDO UAF server returns an authentication request with a challenge and the transaction text.
  3. The client submits the request to the authenticator. The authenticator displays the transaction text and challenges the user for verification. The authenticator unlocks the user's private key and signs the challenge and the transaction text hash with it.
  4. The client finalizes the transaction confirmation using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Authenticating.authenticate() SDK method with the response received from the authenticator passed as parameter.
  5. The FIDO UAF server validates the response signature and text hash. This completes the transaction confirmation ceremony.

FIDO UAF deregistration

Figure: UAF deregistration ceremony

  1. The client initiates the deregistration ceremony using the dedicated API endpoint of the relying party. Internally, the endpoint calls the Deregistering.deregister() SDK method.
  2. The FIDO UAF server returns a deregistration request.
  3. The FIDO authenticator deletes the local key data.