- 15 Oct 2024
- 1 Minute to read
- DarkLight
Integration of the Registration and Deregistration of a FIDO-Based Authenticator
- Updated on 15 Oct 2024
- 1 Minute to read
- DarkLight
Before you can use FIDO-based authentication for OneSpan Cloud Authentication, a FIDO authenticator must be registered for the UAF or FIDO2 protocol.
For information about deregistration and authenticator management, see Management of FIDO authenticators.
Prerequisites for the registration of a FIDO-based authenticator
The following prerequisites must be met before the registration process can be started:
The user must exist in the OneSpan Trusted Identity platform.
The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.
FIDO-based authenticator registration flow
Sequence of registering a FIDO-based authenticator
The app starts the registration process. This triggers the web server to initiate the registration to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/generate-fido-registration-request endpoint.
The OneSpan Trusted Identity platform API initializes the registration with the FIDO Server.
The FIDO Server generates a registration response that is sent to the OneSpan Trusted Identity platform API.
The OneSpan Trusted Identity platform API receives the registration request and sends it to the web server.
The web server forwards the request to the app.
The app communicates with the FIDO authenticator to generate a registration response.
The app forwards the registration response to the web server, which forwards the response to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/register-fido-device endpoint.
The OneSpan Trusted Identity platform API finalizes the registration with the FIDO Server.
The FIDO Server verifies the registration response that is sent to the OneSpan Trusted Identity platform API.
The OneSpan Trusted Identity platform API receives the success response and sends it to the web server.
To conclude the registration process, the web server sends this verification response to the app.
The FIDO authenticator is now registered and ready to be used for passwordless authentication.
To register a FIDO-based authenticator
Issue a registration request with POST /users/{userID@domain}/generate-fido-registration-request.
Payload:
fidoProtocol: UAF11, FIDO2
displayName (FIDO2 only)
authenticatorSelection (FIDO2 only)
(Optional) authenticatorAttachment: platform, cross-platform
userVerification: required, preferred, discouraged
requireResidentKey: true, false
attestation: none, indirect, direct (FIDO2 only)
Response body:
registrationRequest
requestID (FIDO2 only)
uafStatusCode
For a full list of UAF status codes, refer to the FIDO alliance documentation.
For FIDO2, this field will return null.
Issue a register fido device request with POST /users/{userID@domain}/register-fido-device.
Payload:
fidoProtocol: UAF11, FIDO2
registrationResponse
requestID (FIDO2 only)
Response body:
uafStatusCode
For a full list of UAF status codes, refer to the FIDO alliance documentation.
For FIDO2, this field will return null.