Introduction to WebAuthn /FIDO 2

From IIW

Introduction to WebAuth/Fido2 (101 Session)

Tuesday 4B

Convener(s): Chris Slade & John Bradley

Notes-taker(s): Nick Roy

Tags for the session - technology discussed/ideas considered:

Discussion notes, key understandings, outstanding questions, observations, and, if appropriate to this discussion: action items, next steps:

W3C API spec called credential manager

User agent has a webauthn javascript api, talks to RP and the webauthn device.

Two basic javascript commands are get credential and make assertion.

User agent presents a UI that shows you which authenticators you can use.

Major difference between webauthn and U2F: Resident credentials- you can make a credential that lives on the platform of the authenticator. Passes info down to the user agent, platform authenticator creates keypair, stores persona/key/RP ID, creates pairwise cred for that RP. RP says: "get me this credential." Platform looks at the various authenticators, interrogates them for credentials for the RP, and if there is more than one, gives you a pick list.

RP can specify that user verification is ???/preferred/required. There are local verification methods available on the platform.

The secondary verification is per credential, not per RP.

Authenticator creates an attestation that goes back to the RP. RP can look that GUID up after the fact and examine the characteristics of the authenticator.

Almost any authenticator is going to be wayyyyy better than a password.

Right now almost all of the browsers support web authentication. Chrome, Edge, beta Safari, Firefox is looking for support to finish development. iOS is furthest behind. Apple won't say when they are going to release it on iOS. Brave on iOS supports it right now.

Apple would probably support TPM as webauthn platform backing store via their existing keychain functionality.

Duo has proposed a UDP transport. Pair your authenticator app on your phone with your browser.

CTAP2 transports are defined by FIDO, javascript API defined by W3C.

RP can add username, settable field to the credential which will be returned as part of the authn response. Field size for the settable field is 1K.

RP name and icon are sent, displayed in the browser when the user is asked to select a credential.

Discussion of how to do account recovery- backup authenticator, use of additional key material from the backup authenticator using EC stuff, etc.