Page 55 - Implementation of Secure Authentication Technologies for Digital Financial Services

7.2.6   Example: FIDO Authentication
            A full list of the steps for validating an assertion (checking the challenge, the origin, the Relying Party ID
            hash, the flags, the signature counter and finally the signature) can be found in the WebAuthn specification [9].
            Assuming the validation is successful, the server will note that the user is now authenticated (e.g. set a flag
            for the session, set a cookie, etc.).

            Figure 39 – Authentication process of FIDO

              ⓪    Application Requests Authentication - The application makes the initial authentication request. The
                   protocol and format of this request are outside the scope of FIDO.

              ①    Server Sends Challenge - The server sends a fresh, random challenge to the application. The protocol for
                   communicating with the server is not specified and is outside the scope of FIDO. Typically, server
                   communications would be REST over TLS, but they could also be SOAP, RFC 2549 or nearly any other
                   protocol, provided that the protocol is secure. The parameters received from the server will be passed
                   to the navigator.credentials.get() call, typically with little or no modification.

              ②    Client Calls authenticatorGetAssertion on Authenticator via CTAP - Internally, the client (the browser)
                   validates the parameters and fills in any defaults; together with the challenge and the origin of the
                   calling page, these become the clientData. The origin is recorded in the clientData so that the server
                   can later confirm that the assertion was requested by its own site and not by a look-alike page. The
                   Relying Party ID is passed to the authenticator, which hashes it into the authenticatorData so that the
                   server can verify it as well. The relevant parameters of the navigator.credentials.get() call are passed
                   to the authenticator, along with a SHA-256 hash of the clientData (only a hash is sent because the link
                   to the authenticator may be a low-bandwidth NFC or Bluetooth link, and the authenticator only needs to
                   sign over the hash to ensure that the clientData cannot be tampered with).

              ③    Authenticator Creates an Assertion - The authenticator looks for a credential for this service that
                   matches the Relying Party ID and prompts the user to consent to the authentication (e.g. a touch, PIN
                   or biometric). Assuming both of those steps succeed, the authenticator creates a new assertion by
                   signing over the concatenation of the authenticatorData and the clientDataHash with the private key
                   generated for this credential during registration.
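
            The exchange in steps ① to ③, followed by the server-side validation mentioned at the top of this page, as an
            added worked example in Go. This is illustrative code written for this page; it is not part of the report or of
            any FIDO implementation. The relying party bank.example, the origin https://bank.example, the use of ES256
            (ECDSA P-256 with an ASN.1 signature), and the names Server, Authenticator, ClientAssert and NewPair are
            assumptions made for the example; the authenticatorData layout (rpIdHash, flags byte, 4-byte big-endian
            signature counter) and the clientData fields follow the WebAuthn format. The phishing origin and the
            signature-counter check show why the origin and counter are included in what is signed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Assumed relying party for this example (not from the report).
const (
	rpID   = "bank.example"
	origin = "https://bank.example"
)

// CollectedClientData as the client builds it in step 2 (only the fields the server checks).
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Assertion is what reaches the server after step 3.
type Assertion struct {
	ClientDataJSON, AuthData, Signature []byte
}

// Authenticator holds the one credential (ES256 key) registered for rpID.
type Authenticator struct {
	key     *ecdsa.PrivateKey
	counter uint32
}

// GetAssertion models CTAP2 authenticatorGetAssertion: only the rpId and the
// clientDataHash cross the link, and the signature covers authData || clientDataHash.
func (a *Authenticator) GetAssertion(rpid string, clientDataHash []byte) ([]byte, []byte, error) {
	if rpid != rpID {
		return nil, nil, errors.New("no credential for this rpId")
	}
	a.counter++ // signature counter, lets the server notice a cloned authenticator
	rpHash := sha256.Sum256([]byte(rpid))
	var cnt [4]byte
	binary.BigEndian.PutUint32(cnt[:], a.counter)
	authData := append([]byte{}, rpHash[:]...) // rpIdHash, 32 bytes
	authData = append(authData, 0x05)          // flags: UP (bit 0) | UV (bit 2)
	authData = append(authData, cnt[:]...)     // signCount, 4 bytes big-endian
	digest := sha256.Sum256(append(append([]byte{}, authData...), clientDataHash...))
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, digest[:])
	return authData, sig, err
}

// Server is the relying party. From registration it keeps the public key and the
// last signCount; it also remembers the challenges it has issued and not yet consumed.
type Server struct {
	pub        *ecdsa.PublicKey
	signCount  uint32
	challenges map[string]bool
}

// NewChallenge is step 1: 32 random bytes, base64url encoded, valid for one use.
func (s *Server) NewChallenge() string {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	enc := base64.RawURLEncoding.EncodeToString(c)
	s.challenges[enc] = true
	return enc
}

// Verify performs the assertion checks the page refers to, in spec order.
func (s *Server) Verify(as Assertion) error {
	var cd clientData
	if err := json.Unmarshal(as.ClientDataJSON, &cd); err != nil {
		return err
	}
	switch {
	case cd.Type != "webauthn.get":
		return errors.New("wrong ceremony type")
	case cd.Origin != origin:
		return errors.New("origin mismatch (phishing page?)")
	case !s.challenges[cd.Challenge]:
		return errors.New("unknown or already used challenge (replay?)")
	}
	delete(s.challenges, cd.Challenge) // a challenge is good for exactly one assertion
	if len(as.AuthData) < 37 {
		return errors.New("authenticatorData too short")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if !bytes.Equal(as.AuthData[:32], rpHash[:]) {
		return errors.New("rpIdHash mismatch")
	}
	if as.AuthData[32]&0x01 == 0 {
		return errors.New("user presence not asserted")
	}
	count := binary.BigEndian.Uint32(as.AuthData[33:37])
	if count <= s.signCount {
		return errors.New("signature counter did not increase (cloned authenticator?)")
	}
	cdHash := sha256.Sum256(as.ClientDataJSON)
	digest := sha256.Sum256(append(append([]byte{}, as.AuthData...), cdHash[:]...))
	if !ecdsa.VerifyASN1(s.pub, digest[:], as.Signature) {
		return errors.New("invalid signature")
	}
	s.signCount = count
	return nil
}

// ClientAssert is step 2: build the clientData, hash it and call the authenticator.
// clientOrigin is what a browser would record; a wrong origin is passed below to
// show the server rejecting an assertion obtained on a look-alike page.
func ClientAssert(s *Server, a *Authenticator, clientOrigin string) (Assertion, error) {
	cdJSON, err := json.Marshal(clientData{Type: "webauthn.get", Challenge: s.NewChallenge(), Origin: clientOrigin})
	if err != nil {
		return Assertion{}, err
	}
	cdHash := sha256.Sum256(cdJSON) // only this hash crosses the CTAP link
	authData, sig, err := a.GetAssertion(rpID, cdHash[:])
	return Assertion{cdJSON, authData, sig}, err
}

// NewPair stands in for registration: the authenticator keeps the private key,
// the server stores the matching public key and a signCount of zero.
func NewPair() (*Server, *Authenticator) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Server{pub: &key.PublicKey, challenges: map[string]bool{}}, &Authenticator{key: key}
}

func main() {
	s, a := NewPair()
	as, _ := ClientAssert(s, a, origin)
	fmt.Println("genuine login:      ", s.Verify(as))
	fmt.Println("replayed assertion: ", s.Verify(as))
	as, _ = ClientAssert(s, a, "https://bank-example.test")
	fmt.Println("phishing origin:    ", s.Verify(as))
}
```

            Note that in a real browser the Relying Party ID is derived from the page origin and the client would refuse
            the call on a look-alike domain before anything reaches the authenticator; the server-side origin check shown
            here is the second line of defence that the clientData exists to support.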
