FIDO 2

Overview

FIDO 2.0 (FIDO2) is an open authentication standard that enables people to leverage common devices to authenticate to online services in both mobile and desktop environments.

FIDO2 consists of the W3C's Web Authentication specification (WebAuthn) and FIDO's corresponding Client-to-Authenticator Protocol (CTAP). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.

Janssen includes a FIDO2 component that implements two-step, two-factor authentication (2FA): username and password as the first step, and any FIDO2 device as the second step.

API Reference

The API reference for the Janssen FIDO2 component is provided here.

Code Reference

A discovery document for FIDO2 is published by the Gluu Server at https://<hostname>/.well-known/fido2-configuration. This document specifies the URLs of the registration and authentication endpoints.
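As an added example that is not part of the Janssen documentation or code base, the following Python checks a discovery document of this kind before a relying-party integration uses the endpoints it lists: every endpoint must be a plain https URL on the same host the document was fetched from. The sample document and its field names (attestation/assertion, options_endpoint/result_endpoint) are assumptions; the page only states that the document gives the registration and authentication endpoint URLs.

```python
"""Validate a FIDO2 discovery document before trusting its endpoint URLs."""
import json
from urllib.parse import urlsplit

# Constructed sample of a /.well-known/fido2-configuration response.
# Field names are an assumed layout for illustration only.
SAMPLE_DISCOVERY = json.dumps({
    "issuer": "https://idp.example.test",
    "attestation": {  # registration (enrollment) flow
        "options_endpoint": "https://idp.example.test/jans-fido2/restv1/attestation/options",
        "result_endpoint": "https://idp.example.test/jans-fido2/restv1/attestation/result",
    },
    "assertion": {  # authentication flow
        "options_endpoint": "https://idp.example.test/jans-fido2/restv1/assertion/options",
        "result_endpoint": "https://idp.example.test/jans-fido2/restv1/assertion/result",
    },
})

REQUIRED = {"attestation": ("options_endpoint", "result_endpoint"),
            "assertion": ("options_endpoint", "result_endpoint")}


def validate_discovery(doc_text: str, expected_host: str) -> dict:
    """Parse the discovery JSON and return the validated endpoint URLs.

    Raises ValueError if an endpoint is missing, is not https, carries
    userinfo or a fragment, or names a host other than expected_host.
    The document is only trustworthy because it arrived over TLS from
    expected_host; an off-host endpoint would redirect enrollment or
    login elsewhere, so it is rejected rather than followed.
    """
    doc = json.loads(doc_text)
    issuer = urlsplit(doc.get("issuer", ""))
    if issuer.scheme != "https" or issuer.hostname != expected_host:
        raise ValueError(f"issuer does not match {expected_host}")
    out = {}
    for flow, names in REQUIRED.items():
        section = doc.get(flow) or {}
        out[flow] = {}
        for name in names:
            url = section.get(name)
            if not isinstance(url, str):
                raise ValueError(f"{flow}.{name} missing")
            parts = urlsplit(url)
            if parts.scheme != "https" or parts.username or parts.fragment:
                raise ValueError(f"{flow}.{name} is not a plain https URL")
            if parts.hostname != expected_host:
                raise ValueError(f"{flow}.{name} points off-host: {parts.hostname}")
            out[flow][name] = url
    return out
```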

Deployment

During Janssen installation, the administrator will have the option to also install the FIDO2 component.

Data

FIDO2 stores device credentials in the same persistence mechanism used by the Janssen deployment.

Testing

User Guide

Credential enrollment

FIDO2 device enrollment happens automatically during the first authentication attempt.

Subsequent authentications

All subsequent FIDO2 authentications for that user account will require the enrolled FIDO2 key.

FIDO2 credential management

A user's FIDO2 devices can be removed by a Gluu administrator in LDAP under the user entry, as shown in the screenshot below.

Security Considerations