Difference between revisions of "FIDO U2F"

From MgmtWiki
Latest revision as of 16:16, 31 October 2021

Full Title or Meme

A family of standards[1] for adding more factors to an existing interchange.

Context

  • This spec is partially succeeded by Web Authentication.
  • FIDO = Fast Identity Online, but the spec does not in fact address identity at all, only authentication: it assumes that the same person who registered is the one attempting to sign in.

Problems

Existing Authentication protocols based on a User Name and Password are insufficient in a world where so many Users depend on the internet for so much of their daily lives. The first attempt at Multi-factor Authentication was Smart Cards using X.509 Certificates. This scheme worked for large Enterprises but was never accepted by regular Consumers of the internet.

Solutions

The following summary is abstracted from the FIDO U2F standard.[1]

  • All solutions depend on Late Binding Tokens to an "account at a particular origin (of the Relying Party, such as http://www.company.com) the device creates a new key pair usable only at that origin and gives the origin the public key to associate with the account."
  • Universal Serial Bus (USB) tokens are now widely available, most allow late binding of the user to the Web Site that requires this factor of Authentication.
  • Other transports, like NFC or Bluetooth, are offered for small hand-held devices, but have not been as successful as the USB versions.
  • Initially the U2F functionality is available through JavaScript programs in the browser.
  • The spec claims that the same functionality could be embedded in Native Apps as well as the browser, but does not explain how such an app might be Attested as trustworthy.
  • The goal of the working group was that a modern client device owned by the user would just work, without additional driver or middleware setup.
  • So the USB U2F device is designed to work out of box with existing consumer operating systems with no driver installs or software changes.
  • Hardware protection of keys on the USB device is the default, but devices with other forms of key protection are identified to the origin through an Attestation mechanism.
  • The U2F device mints an origin-specific public/private key pair based on the origin's protocol (http(s)), host-name and port.
  • The U2F device gives the public key and a Key Handle to the origin online service or website during the user registration step.
  • The U2F device signs the registration packet with an Attestation key burned into the device at manufacture, so the origin can identify the U2F device as trustworthy.
  • The Key Handle is simply an identifier of a particular key on the U2F device.
  • The User Agent collects a challenge from the origin, together with the origin's ID and a channel ID if one exists, and hashes them to form the challenge parameter for the Authentication step.
  • The U2F device signs the hash of the client data, and the signature is returned to the origin server where it is Validated.
  • The exact nature of the protection of the private key depends on the device, so the device must indicate, through its attestation, what kind of key protection it provides.
  • Because key protection methods vary, the origin server must recognize the U2F device as one it has Attested as secure enough for its use.

References

  1. FIDO Alliance, Index of /specs/, https://fidoalliance.org/specs/
