Add new endpoints for FIDO 2 / W3C web authentication #781

Open
willow9886 opened this Issue Apr 12, 2018 · 4 comments

Comments

4 participants

@willow9886 willow9886 added this to the 3.1.4 milestone Apr 12, 2018

@elukewalker


elukewalker commented Aug 3, 2018

@yurem let me know if there is anything I can do to help add FIDO2 support.

@yurem


Contributor

yurem commented Aug 14, 2018

@elukewalker I'm planning to work on this next week. Is there a FIDO 2.0 spec? I only found v1.2.
Do you know what changed in FIDO since 1.x?

@elukewalker


elukewalker commented Aug 14, 2018

Hi @yurem, I consider FIDO2 to be composed of two open standards:

  1. FIDO Client To Authenticator Protocol 2.0 (CTAP2), and
  2. W3C Web Authentication (WebAuthn)

Note: I will refer to the FIDO U2F Client To Authenticator Protocol 1.2 as CTAP1.

The main differences between FIDO U2F and FIDO2 are:

  1. W3C WebAuthn standardizes how browsers create and use attested, scoped, public key-based credentials. This is enabling broader adoption beyond just Chrome.
  2. CTAP2 allows credentials to be stored in authenticators, like a YubiKey. These are called resident keys.
  3. CTAP2 allows user verification, e.g. a user can set a PIN which is required to unlock cryptographic operations.
  4. The combination of resident keys and user verification enables multifactor-authentication from a single authenticator. This can enable interesting use cases such as passwordless authentication.
  5. CTAP2 also includes an hmac-secret extension which can be used to help implement offline authentication with an authenticator, e.g. YubiKey.
  6. FIDO2 is backwards compatible with FIDO U2F.

Yubico has some videos which go into more detail and a java-webauthn-server which implements the WebAuthn relying party operations.

Don't hesitate to reach out if you have any questions. I am happy to help.
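The relying-party side of the points above, as an added example that is not code from this issue, from the project, or from Yubico's java-webauthn-server: it verifies a WebAuthn assertion (the `navigator.credentials.get()` response) the way a server must, checking the scoped `rpIdHash`, the user-presence and user-verification flags that CTAP2 user verification (point 3) exposes to the server, the challenge and origin in `clientDataJSON`, the ES256 signature, and the signature counter used to detect cloned authenticators. `requireUV` is the policy switch that turns a second-factor check into the passwordless case of point 4. The RP ID `example.com`, the origin, the challenge bytes and the `simulateAuthenticator` helper standing in for browser plus authenticator are constructed for the demo; real assertions arrive from the client.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of the WebAuthn authenticator data.
const (
	flagUP = 0x01 // user present (touch); every U2F and FIDO2 assertion carries this
	flagUV = 0x04 // user verified (PIN, biometric): what CTAP2 user verification gives the RP
)

// clientData is the part of CollectedClientData the relying party must check.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url without padding
	Origin    string `json:"origin"`
}

// Assertion carries the fields of a PublicKeyCredential returned by
// navigator.credentials.get() that the server verifies.
type Assertion struct {
	AuthenticatorData []byte
	ClientDataJSON    []byte
	Signature         []byte // ASN.1 DER ECDSA signature (ES256)
}

// VerifyAssertion runs the relying-party checks of an ES256 assertion.
// storedSignCount is the counter saved after the last successful login; on
// success the new counter to store is returned.
func VerifyAssertion(rpID, origin string, challenge []byte, pub *ecdsa.PublicKey,
	a Assertion, storedSignCount uint32, requireUV bool) (uint32, error) {
	if len(a.AuthenticatorData) < 37 {
		return 0, errors.New("authenticator data too short")
	}
	// Scoped credential: the signed rpIdHash is the RP ID the browser gave the
	// authenticator, so an assertion minted on a phishing site fails here.
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(a.AuthenticatorData[:32], rpHash[:]) {
		return 0, errors.New("rpIdHash mismatch")
	}
	flags := a.AuthenticatorData[32]
	if flags&flagUP == 0 {
		return 0, errors.New("user presence not asserted")
	}
	// Passwordless policy: the authenticator itself must have verified the user.
	if requireUV && flags&flagUV == 0 {
		return 0, errors.New("user verification required but not performed")
	}
	signCount := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])

	var cd clientData
	if err := json.Unmarshal(a.ClientDataJSON, &cd); err != nil {
		return 0, err
	}
	got, err := base64.RawURLEncoding.DecodeString(cd.Challenge)
	if cd.Type != "webauthn.get" || cd.Origin != origin || err != nil || !bytes.Equal(got, challenge) {
		return 0, errors.New("clientData type, origin or challenge mismatch")
	}

	// The authenticator signed authenticatorData || SHA-256(clientDataJSON).
	cdHash := sha256.Sum256(a.ClientDataJSON)
	msg := sha256.Sum256(append(append([]byte{}, a.AuthenticatorData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(pub, msg[:], a.Signature) {
		return 0, errors.New("bad signature")
	}
	// Clone detection: a counter that did not advance suggests a copied key.
	// Authenticators that do not count report 0, which is skipped here.
	if (signCount != 0 || storedSignCount != 0) && signCount <= storedSignCount {
		return 0, errors.New("signature counter did not increase")
	}
	return signCount, nil
}

// simulateAuthenticator stands in for browser plus authenticator so the checks
// above can be exercised offline (constructed for this demo; real assertions
// come from the client).
func simulateAuthenticator(priv *ecdsa.PrivateKey, rpID, origin string, challenge []byte,
	flags byte, signCount uint32) Assertion {
	rpHash := sha256.Sum256([]byte(rpID))
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], signCount)
	authData := append(append(append([]byte{}, rpHash[:]...), flags), cnt[:]...)
	cdj, _ := json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: origin})
	cdHash := sha256.Sum256(cdj)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, msg[:])
	if err != nil {
		panic(err)
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cdj, Signature: sig}
}

func main() {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	challenge := []byte("constructed-16B!") // a real RP draws this from crypto/rand per login
	withUV := simulateAuthenticator(priv, "example.com", "https://example.com", challenge, flagUP|flagUV, 5)
	fmt.Println(VerifyAssertion("example.com", "https://example.com", challenge, &priv.PublicKey, withUV, 4, true))
	touchOnly := simulateAuthenticator(priv, "example.com", "https://example.com", challenge, flagUP, 6)
	fmt.Println(VerifyAssertion("example.com", "https://example.com", challenge, &priv.PublicKey, touchOnly, 5, true))
}
```

The same assertion that passes with `requireUV=false` (a second factor next to a password) is rejected with `requireUV=true`, which is exactly the distinction between U2F-style use and the passwordless flow: the server cannot take the authenticator's word for it, it has to check the UV bit. The counter check is what the stored credential record has to carry besides the public key, so any new endpoint storing credentials needs a per-credential counter column.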

@nynymike nynymike modified the milestones: 3.1.4, 3.1.5 Sep 4, 2018

@elukewalker


elukewalker commented Sep 18, 2018

Any update? Let me know when you have a branch I can spin up and test out.
