Management of FIDO Authenticators

Consolidated authenticator management for FIDO2 and FIDO UAF

With a dedicated API to query FIDO-based authenticators, OneSpan Cloud Authentication offers consolidated authenticator management for both FIDO2 and FIDO UAF-based authenticators. This helps both administrators and end users to find and distinguish specific authenticators.

To find out which authenticators are used, you can query OneSpan Cloud Authentication for a specific user as well as for all users and list their authenticators. Also, end users can list their authenticators to know which authenticators they have registered. To enable this type of authenticator management, OneSpan Cloud Authentication uses the following parameters created during the registration of a FIDO-based authenticator:

• Registration ID

  OneSpan Cloud Authentication generates a specific ID for each registration.

• Customized registration name of the user

  During the registration process of a FIDO authenticator, users can provide a customized registration name (registration alias). If not provided, OneSpan Cloud Authentication uses the description of the relevant metadata and creates this customized name.

• Registration time

• Registration type

  This can by FIDO2 or UAF11, as applicable.

• AAID (returned for FIDO UAF only).

• KeyID (returned for FIDO UAF only)

Any one or a combination of several of these parameters can be used to list, update, deregister, and delete specific authenticators for one or more specified users.

This feature is also available in the FIDO2 Bank Demo Web App to demonstrate the authenticator management for FIDO2 authenticators. For more information, see FIDO2 Bank Demo Web App.

Find registrations

This option allows end users to know which authenticators are registered for them and administrators to know which authenticators are used in OneSpan Cloud Authentication. Find FIDO authenticator registrations:

• for a specific user

• for a registration type

• for a specific user and a certain registration type

• for all users and a certain registration type

To find FIDO authenticator registrations

• Issue a get fido registrations request with the GET ​/fido-registrations endpoint.

  • Query parameters:

    • userID@domain

      Unique identifier for the user, formatted as userID@domain.

      If userID@domain is not provided, all registrations for all users will be returned.

    • registrationType

      If registrationType is not provided, FIDO2 and UAF registrations will be returned.

  • Response body:

    • userID@domain

      Unique identifier for the user, formatted as userID@domain.

    • registrationID

    • registrationAlias

    • registrationType

    • registrationTime

    • AAID (FIDO UAF registrations only)

    • KeyID (FIDO UAF registrations only)

Update user registration name

You can update the customized registration name of the user that was generated during the registration of the FIDO authenticator. When you issue a GET fido registrations request, you will receive the registration ID in the response. You can use this registration ID to update the registration name.

To change the customized registration name with the registration ID

• Issue an update fido registrations request with the PATCH ​/fido-registrations/{registrationID} endpoint.

  • Path parameter:

    • registrationID

      This is the unique identifier of the registration to be updated.

  • Payload:

    • registrationAlias

      This is the registration name.

  • Response body:

    • userID@domain

    • registrationID

    • registrationAlias

    • registrationType

    • registrationTime

    • AAID (FIDO UAF registrations only)

    • KeyID (FIDO UAF registrations only)

Delete registrations

With this, administrators can deregister and/or delete specific authenticators for one or more specified users.When you issue a GET fido registrations request, you will receive the registration ID in the response. You can use this registration ID to delete the registration.

To delete a FIDO authenticator registration

• Issue a delete fido registrations request with the DELETE ​/fido-registrations/{registrationID} endpoint.

  • Path parameter:

    • registrationID

      This is the unique identifier of the registration to be deleted.

OneSpan Cloud Authentication offers the option to specifically deregister and delete FIDO authenticators that have been registered using the FIDO UAF protocol.

Deregistration of a FIDO UAF authenticator

Prerequisites for removing a previously registered FIDO-based authenticator

The following prerequisites must be met before the deregistration process can be started:

• The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.

Sequence of the deregistration of a FIDO UAF authenticator

1. The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API via the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.

2. The OneSpan Trusted Identity platform API sends the request to the FIDO Server.

3. The FIDO Server removes the authenticator and sends a deregistration response to the OneSpan Trusted Identity platform API.

4. The OneSpan Trusted Identity platform API forwards this response to the web server.

5. The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.

If all authenticators that belong to a FIDO user have been deregistered, the FIDO user is automatically deleted.

To remove a previously registered FIDO-based authenticator

• Issue a deregister fido uaf authenticator request with the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.

  • Payload:

    • aaid

  • Response body:

    • deregistrationRequest

    • uafStatusCode
      For a full list of UAF status codes, refer to the FIDO alliance documentation.

Deregistration of individual keys from an authenticator

Instead of completely deregistering an authenticator, individual keys can be removed from the authenticator and FIDO Server. The FIDO protocols use public-key cryptography techniques to provide stronger authentication. During registration, a new key pair is created that is unique to the user, authenticator, and to the AppId. The private key is retained within the authenticator, while the public key is stored on the FIDO Server.

It is only possible to remove individual keys from an authenticator if they have been registered using the UAF protocol.

Prerequisites for the removal of individual keys on a previously registered FIDO-based authenticator

• The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.

Sequence of the removal of individual keys on a previously registered FIDO-based authenticator

1. The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API via the POST /users/{userID@domain}/deregister-fido-uaf-authenticators endpoint.

2. The OneSpan Trusted Identity platform API sends the request to the FIDO Server.

3. The FIDO Server removes the keys and sends a deregistration response to the OneSpan Trusted Identity platform API.

4. The OneSpan Trusted Identity platform API forwards this response to the web server.

5. The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.

To remove individual keys on a previously registered FIDO-based authenticator

• Issue a deregister fido uaf keys request with the POST /users/{userID@domain}/deregister-fido-uaf-keys endpoint.

  • Payload:

    • aaid

    • keyID

  • Response body:

    • deregistrationRequest