This site contains the documentation that is relevant to older WSO2 product versions and offerings.
For the latest WSO2 documentation, visit https://wso2.com/documentation/.

Multi-factor Authentication using FIDO

The following topics provide details and instructions on how to configure multi-factor authentication (MFA) using the WSO2 Identity Server. This topic expands on what MFA is and how it can be used in certain scenarios. It also provides information on FIDO and how MFA can be configured using FIDO U2F.

About multi-factor authentication

Multi-factor Authentication (MFA) creates a layered defence and makes it more difficult for an unauthorized person to access a target such as a physical location, computing device, Web service, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.

Authentication factors in MFA relies on two or more independent credentials of the three categories.

  • Knowledge factors - Things only the user knows, such as passwords
  • Possession factors - Things only the user has, such as ATM cards
  • Inherence factors - Things only the user is, such as a fingerprint

With a combination of two or more factors from the above three, the user is authenticated. A basic example is when withdrawing money with an ATM card; the card is the possession factor and the pin number is the knowledge factor.

MFA in mobiles

In this scenario, the mobile phone acts as the possession factor. This has become a trendy solution in the current market due to advancements in technology to accommodate different types of users.

A user can be authenticated using OTP, an interactive telephone call, or via a downloadable application to a smartphone. Newer solutions have the ability to use a QR code scanned by a smartphone as the second factor authentication.

The advantage of this method is that there is no need for an additional, dedicated token, as users tend to carry their mobile devices around at all times anyway. Some professional two-factor authentication solutions also ensure that there is always a valid passcode available for users. If the user has already used a sequence of digits (passcode), this is automatically deleted and the system sends a new code to the mobile device. And if the new code is not entered within a specified time limit, the system automatically replaces it. This ensures that no old, already used codes are left on mobile devices. For added security, it is possible to specify how many incorrect entries are permitted before the system blocks access.

About FIDO

With the rapid growth of the internet, more and more services are available for use by enterprises and organizations. However, username and password based authentication still plays a major role in authenticating users, and it is essential to use a strong password to keep your computer, data and accounts safe. However, if you are like most users, you will find that it is challenging to remember a strong password, especially if you have to change it once in awhile.

The Fast IDentity Online (FIDO) attempts to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. In short, FIDO U2F can make it easy for you to authenticate users while also ensuring that security is enhanced.

FIDO provides two user experiences to address a wide range of use cases and deployment scenarios. FIDO protocols are based on public key cryptography and are strongly resistant to phishing.

Figure 1: UAF and U2F.

Universal Authentication Framework (UAF)

UAF involves a password-less experience with the following key processes.

  • The user carries the client device with the UAF stack installed.

  • The user presents a local biometric or PIN.

  • The website can choose whether to retain the password.

Universal Second Factor (U2F)

U2F focuses on the 2nd factor experience and has the following key processes.

  • The user carries the U2F device with built-in support in web browsers.
  • The user presents the U2F device.
  • The website can simplify the password (for example, if can be simplified to a 4 digit pin).

U2F Tokens provide cryptographic assertions that can be verified by relying parties. Typically, the relying party is a web server, and the cryptographic assertions are used as second-factors (in addition to passwords) during user authentication. U2F Tokens are typically small special-purpose devices and FIDO Client is a web browser communicate between token and relying party.

U2F protocol operations

The following are the two main processes that take place when using FIDO U2F.

  1. Registration: Upon registration, a device gives the server its attestation certificate. This certificate can be (optionally) used to verify the authenticity of the device.
  2. Authentication: The authentication operation proves possession of a previously-registered keypair to the relying party.

Both the registration and authentication operation consist of three phases depicted in the following figure.

Figure 2: Three phases of U2F protocol operations.

  1. Setup: In this phase, the FIDO Client contacts the relying party and obtains a challenge. Using the challenge (and possibly other data obtained from the relying party and/or prepared by the FIDO Client itself), the FIDO Client prepares a request message for the U2F Token.
  2. Processing: In this phase, the FIDO Client sends the request message to the token, and the token performs some cryptographic operations on the message, creating a response message. This response message is sent to the FIDO Client.
  3. Verification: In this phase, the FIDO Client transmits the token's response message, along with other data necessary for the relying party to verify the token response, to the relying party. The relying party then processes the token response and verifies its accuracy. A correct registration response will cause the relying party to register a new public key for a user, while a correct authentication response will cause the relying party to accept that the client is in possession of the corresponding private key.

Basic authentication process flow of U2F

The following figure provides the complete authentication process flow when authenticating using FIDO U2F.

Figure 3: Authentication process flow for U2F

Configuring multi-factor authentication using FIDO

The instructions in this section enable you to successfully set up multi-factor authentication using the WSO2 Identity Server.

Setting up an account for MFA

  1. Log in to the WSO2 Identity Server end user dashboard.
  2. Navigate to the My Profile section by clicking the associated View Details button.
  3. Click Manage U2F Authentication.

  4. You can add a new U2F device to your account and if needed you can remove it.

    Tip: You can have multiple devices associated to your account.

     

Configuring FIDO U2F as an authenticator

  1. Log in to the Management Console. 
  2. Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
  3. Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field.
  4. Click Register to add the new service provider.
  5. Access the service provider you just created and expand Local & Outbound Authentication Configuration.
  6. Select Advanced Configuration to configure multi-factor authentication.
  7. Click Add Authentication Step. Clicking this again will enable you to create another authentication step.
  8. Select whether this is a Subject Step, Attribute Step or both. In the case of multiple steps, you can have only one step as the subject step and one as the attribute step.
  9. Click the plus button to add a Local Authenticator. You can choose the type of authenticator using the dropdown. Clicking the plus button again will enable you to add a second local authenticator. As an example of this scenario, basic and fido are used as the two authenticators. Basic authentication allows you to authenticate users from the enterprise user store while FIDO authenticates you externally.
  10. Click the Update button. This will return you to the previous screen with your newly configured authentication steps.