ExtendedFIDO

Martin Paljak edited this page Oct 16, 2022 · 12 revisions

X-FIDO aka Extended FIDO

TL;DR:

  • adds administrator to the list of actors/entities: relying party - platform - user - authenticator - administrator
  • adds rules to the list of experience defining factors: relying party requests; user decisions; administrator set rules

A traditional FIDO2 (aka WebAuthn) authenticator can be described as a "user-controlled device with fixed behaviour, where the relying party defines the desired tuning of the supported features and where the authenticator owner can have a final say about certain aspects (mostly privacy related)". An X-FIDO authenticator changes this by adding more traditional "enterprise administration" features, similar to Group Policy on Windows, without sacrificing user privacy or security. Think of this as CTAP2 Enterprise Attestation and the other related CTAP2 features on steroids.

X-FIDO core: rules

Whereas a standard FIDO authenticator has a fixed state (set of properties) and behaves the same way regardless of the Relying Party, X-FIDO adds rules that change the behaviour of the authenticator based on the relying party. Standard enterprise-style access control applies to those rules: what has been set by the administrator cannot be changed by the user.

Rules, which can be dynamically updated during the lifecycle of the authenticator, affect both credential registration and credential use. A single ordered list of rules is evaluated and the first matching rule applies; that rule determines how the authenticator features behave. A match-all rule is always present at the end of the list and defines the default behaviour of the authenticator.

Example:

- *.mycompany.com: pin=required,attestation=enterprise
- *.mypartnercompany.com: attestation=standard
- *.google.com: attestation=self,resident=true
- *: allowed=false

This way all RP-s in your own company get a possibly personal attestation certificate and a PIN code is required for all assertions, Google properties get standard self-attestation and a resident credential (a record is created in the authenticator even if Google did not request it), and use on any other website is not allowed with this authenticator.
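The first-match evaluation described above, as an added example that is not part of the original page or the X-FIDO project: it parses the rule list, resolves the effective policy for an RP ID and shows how an administrator rule overrides the relying party's registration request. The wildcard-matching semantics and the per-feature defaults are assumptions, since the page does not define them.

```python
# Constructed rule list, copied from the example above. First match wins and the
# trailing "*" rule is the mandatory match-all default.
RULES_TEXT = """
*.mycompany.com: pin=required,attestation=enterprise
*.mypartnercompany.com: attestation=standard
*.google.com: attestation=self,resident=true
*: allowed=false
"""

# Assumed behaviour when a rule says nothing about a feature (the page does not
# define these defaults): standard CTAP2 behaviour, driven by the RP request.
DEFAULTS = {"allowed": "true", "attestation": "self", "pin": "standard", "resident": "standard"}

def parse_rules(text):
    """Parse 'pattern: key=value,key=value' lines into an ordered rule list."""
    rules = []
    for line in text.strip().splitlines():
        pattern, _, settings = line.partition(":")
        opts = dict(kv.split("=", 1) for kv in settings.strip().split(",") if kv)
        rules.append((pattern.strip(), opts))
    if not rules or rules[-1][0] != "*":
        raise ValueError("rule list must end with a match-all '*' rule")
    return rules

def rp_matches(pattern, rp_id):
    """Assumed matching: '*' matches any RP ID; '*.x' matches x and its subdomains."""
    if pattern == "*":
        return True
    if pattern.startswith("*."):
        suffix = pattern[2:]
        return rp_id == suffix or rp_id.endswith("." + suffix)
    return rp_id == pattern

def effective_policy(rules, rp_id):
    """Administrator policy for an RP: first matching rule, layered over the defaults."""
    for pattern, opts in rules:
        if rp_matches(pattern, rp_id):
            return {**DEFAULTS, **opts}
    raise ValueError("no rule matched; the '*' default rule is missing")

def make_credential_decision(rules, rp_id, rp_wants_uv, rp_wants_rk):
    """Combine the RP's registration request with the admin rule; the rule always wins."""
    pol = effective_policy(rules, rp_id)
    if pol["allowed"] == "false":
        return {"allowed": False, "reason": "relying party is not allowed by rule"}
    if pol["resident"] == "false" and rp_wants_rk:
        return {"allowed": False, "reason": "rk requested but rejected by rule"}
    pin_required = pol["pin"] == "required" or (rp_wants_uv and pol["pin"] != "disabled")
    resident = True if pol["resident"] == "true" else rp_wants_rk
    return {"allowed": True, "pin_required": pin_required, "attestation": pol["attestation"], "resident": resident}
```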

X-FIDO features

  • Attestation - different attestations can be provisioned and enforced for an authenticator
    • "enterprise" - much like traditional X509 certificate with user details
    • "device" - carries information about the company or device batch, but not user details
    • "self" - standard CTAP2 self-attestation with the anonymous per-RP key
  • Dynamic provisioning
    • Authenticators can be pre-personalized on demand like traditional X509 smart cards, with a pre-provisioned X509 certificate carrying user details for attestation. This lets you keep using your existing X509 infrastructure, with much better support from browser vendors than traditional smart cards get.
  • Flexible PIN handling
    • Standard FIDO tokens assume that either a PIN is unset, or a PIN is set and available to the RP. X-FIDO makes this configurable.
    • "required" - true: PIN is required for all operations, even if user verification is not requested by the RP
    • "disabled" - true: PIN is not required, even if user verification is requested by the RP and a PIN is set
  • Disabling RP-s
    • "allowed" - false: registering new credentials is disabled, and use of existing credentials is disabled as well
  • Enforcing resident keys (discoverable credentials)
    • Standard FIDO authenticators (according to the CTAP2 specification) MAY store a key even if the "rk" option is not set, without further specification
    • "resident" - true: a credential record is created even if "rk" is not requested by the relying party. false: the "rk" option is actively rejected for that relying party
  • Admin role with secure remote management
    • All X-FIDO rules and commands can be executed centrally, over an authenticated secure channel
    • The administrator can list and modify all rules and credentials on the device.
    • Credentials have usage counters, visible to administrator
  • PIN policy - define requirements for the structure of PIN
    • CTAP2.1 allows the minimal PIN length to be shortened
    • X-FIDO allows the requirements for the authenticator PIN code to be fine-tuned like a standard password policy, enforced by the device itself