Page 18 - Implementation of Secure Authentication Technologies for Digital Financial Services
6.2.2 Universal Second Factor (U2F)
The FIDO U2F specification is focused on the narrow goal of providing second-factor authentication in browsers. It defines a JavaScript API for browsers to perform second factor authentication using JavaScript register() and sign() functions, as well as defining NFC, Bluetooth Low Energy (BLE), and USB communications protocols for registering and authenticating with security keys. These specifications allow better user experience and more secure second factor authentication.
Note: The FIDO U2F JavaScript API has been superseded by WebAuthn, and the transport specifications for NFC, BLE, and USB have been merged into the latest FIDO CTAP specifications.

6.2.3 Client to Authenticator Protocol (CTAP)
The CTAP specification describes a set of protocols for communication between external authenticator devices and a client/platform, as well as bindings of this application protocol to a variety of transport protocols using different device communication protocols (USB, NFC, Bluetooth). Each transport binding defines the details of how a client (such as a browser or operating system) can make requests to an authenticator to register or authenticate against various services.
CTAP is intended to be used in scenarios where a user interacts with a relying party (a website or native app) on some platform (e.g., a PC) which prompts the user to interact with an external authenticator (e.g., a smartphone).
In order to provide evidence of user interaction, an external authenticator implementing this protocol is expected to have a mechanism to obtain a user gesture. Examples of user gestures include a consent button, a password, a PIN, a biometric, or a combination of these.
The CTAP specification was created as part of the FIDO2 project, in conjunction with the WebAuthn specification. It contains two distinct protocols: 1) the original U2F transport protocols that enable authenticator devices to perform second factor authentication, retroactively named “CTAP1”; 2) an extended and reformatted set of U2F transport protocols that enable multifactor authentication, named “CTAP2”.

6.2.4 Web Authentication (WebAuthn)
As part of the FIDO2 project, the FIDO Alliance collaborated with the World Wide Web Consortium (W3C) to standardize the browser’s JavaScript APIs for cryptographically strong multifactor authentication – known as Web Authentication. The WebAuthn specification is a Proposed Recommendation of the W3C and includes both browser-specific portions of authentication (APIs and browser processing rules) as well as generic message formats (assertions and attestations) that may be reused for non-browser implementations such as servers, operating systems, and authenticators communicating using the CTAP protocol. The WebAuthn specification also defines a series of extensible points, such as the ability to add new attestation formats and the ability to add new extensions to the protocol and define their processing rules.

6.2.5 FIDO Registration Flow
Figure 4 shows the simplified message flows for registration and authentication. Of note: the public-private key pair is created by the FIDO authenticator, not by the Relying Party. This enables the individual to control how they wish to be known by the Relying Party and also does not disclose any part of the private key to external systems.