Integration of the Registration and Deregistration of a FIDO-Based Authenticator
  • 29 Oct 2024

Before you can use FIDO-based authentication for OneSpan Cloud Authentication, a FIDO authenticator must be registered for the UAF or FIDO2 protocol.

For information about deregistration and authenticator management, see Management of FIDO authenticators.

Prerequisites for the registration of a FIDO-based authenticator

The following prerequisites must be met before the registration process can be started:

  • The user must exist in the OneSpan Trusted Identity platform.

  • The user must be authenticated against Intelligent Adaptive Authentication and logged in with the app.

FIDO-based authenticator registration flow

Sequence of registering a FIDO-based authenticator

  1. The app starts the registration process. This triggers the web server to initiate the registration with the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/generate-fido-registration-request endpoint.

  2. The OneSpan Trusted Identity platform API initializes the registration with the FIDO Server.

  3. The FIDO Server generates the registration request and returns it to the OneSpan Trusted Identity platform API.

  4. The OneSpan Trusted Identity platform API receives the registration request and sends it to the web server.

  5. The web server forwards the request to the app.

  6. The app communicates with the FIDO authenticator to generate a registration response.

  7. The app forwards the registration response to the web server, which forwards the response to the OneSpan Trusted Identity platform API by calling the POST /users/{userID@domain}/register-fido-device endpoint.

  8. The OneSpan Trusted Identity platform API finalizes the registration with the FIDO Server.

  9. The FIDO Server verifies the registration response and sends the verification result to the OneSpan Trusted Identity platform API.

  10. The OneSpan Trusted Identity platform API receives the success response and sends it to the web server.

  11. To conclude the registration process, the web server sends this verification response to the app.

The FIDO authenticator is now registered and ready to be used for passwordless authentication.

To register a FIDO-based authenticator

  1. Issue a registration request with POST /users/{userID@domain}/generate-fido-registration-request.

    • Payload:

      • fidoProtocol: UAF11, FIDO2

      • displayName (FIDO2 only)

      • authenticatorSelection (FIDO2 only)

        • (Optional) authenticatorAttachment: platform, cross-platform

        • userVerification: required, preferred, discouraged

        • requireResidentKey: true, false

      • attestation: none, indirect, direct (FIDO2 only)

    • Response body:

      • registrationRequest

      • requestID (FIDO2 only)

      • uafStatusCode

        For a full list of UAF status codes, refer to the FIDO Alliance documentation.

        For FIDO2, this field will return null.

  2. Issue a register FIDO device request with POST /users/{userID@domain}/register-fido-device.

    • Payload:

      • fidoProtocol: UAF11, FIDO2

      • registrationResponse

      • requestID (FIDO2 only)

    • Response body:


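The two-step procedure above, as an added example of how a web server component might drive it (example code written for this article, not OneSpan's SDK): it validates the payload fields against the values listed above, carries the requestID from the first response into the second call for FIDO2, and replaces the real HTTP transport and authenticator with offline stand-ins. The base URL, the `post` callable, the user ID `alice@demo-domain` and the canned responses are assumptions.

```python
from typing import Any, Callable, Dict, List, Optional

# Allowed values exactly as listed in the registration procedure above.
ALLOWED = {
    "fidoProtocol": {"UAF11", "FIDO2"},
    "authenticatorAttachment": {"platform", "cross-platform"},
    "userVerification": {"required", "preferred", "discouraged"},
    "attestation": {"none", "indirect", "direct"},
}

def _check(field: str, value: str) -> str:
    """Reject values the endpoint does not document instead of sending them blindly."""
    if value not in ALLOWED[field]:
        raise ValueError(f"{field}={value!r} not in {sorted(ALLOWED[field])}")
    return value

def generate_payload(fido_protocol: str, display_name: Optional[str] = None,
                     user_verification: str = "preferred", require_resident_key: bool = False,
                     attestation: str = "none", attachment: Optional[str] = None) -> Dict[str, Any]:
    """Payload for POST /users/{userID@domain}/generate-fido-registration-request."""
    payload: Dict[str, Any] = {"fidoProtocol": _check("fidoProtocol", fido_protocol)}
    if fido_protocol == "FIDO2":  # the remaining fields are FIDO2 only
        selection: Dict[str, Any] = {"userVerification": _check("userVerification", user_verification),
                                     "requireResidentKey": require_resident_key}
        if attachment is not None:  # authenticatorAttachment is optional
            selection["authenticatorAttachment"] = _check("authenticatorAttachment", attachment)
        payload.update(displayName=display_name, authenticatorSelection=selection,
                       attestation=_check("attestation", attestation))
    return payload

def register_payload(fido_protocol: str, first: Dict[str, Any], registration_response: str) -> Dict[str, Any]:
    """Payload for POST /users/{userID@domain}/register-fido-device, built from the first response."""
    payload: Dict[str, Any] = {"fidoProtocol": fido_protocol, "registrationResponse": registration_response}
    if fido_protocol == "FIDO2":
        payload["requestID"] = first["requestID"]  # binds the response to the request that was issued
    return payload

def register(post: Callable[[str, Dict[str, Any]], Dict[str, Any]], user: str,
             authenticator: Callable[[Any], str], fido_protocol: str, **opts: Any) -> Dict[str, Any]:
    """Drive both calls; `post` performs the HTTP request, `authenticator` returns the device's response."""
    first = post(f"/users/{user}/generate-fido-registration-request", generate_payload(fido_protocol, **opts))
    reg_response = authenticator(first["registrationRequest"])  # forwarded to the app / authenticator
    return post(f"/users/{user}/register-fido-device", register_payload(fido_protocol, first, reg_response))

def demo() -> List[Dict[str, Any]]:
    """Run the FIDO2 flow against a constructed fake transport and return the recorded calls."""
    calls: List[Dict[str, Any]] = []
    def fake_post(path: str, body: Dict[str, Any]) -> Dict[str, Any]:  # constructed stand-in, no network
        calls.append({"path": path, "body": body})
        if path.endswith("generate-fido-registration-request"):
            return {"registrationRequest": "<opaque request>", "requestID": "req-1", "uafStatusCode": None}
        return {"status": "registered"}  # assumed shape; the article does not list this response body
    register(fake_post, "alice@demo-domain", lambda req: "<authenticator output>", "FIDO2",
             display_name="Alice", attachment="platform", user_verification="required")
    return calls
```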