FIDO 2.0 (FIDO2) , an open authentication standard that enables people to leverage common devices to authenticate to online services in both mobile and desktop environments. The Janssen server includes a FIDO2 server implementation. This enables authentications by using platform authenticators embedded into a person's device or physical USB, NFC or Bluetooth security keys that are inserted into a USB slot of a computer.

FIDO2 is comprised of the W3C’s Web Authentication specification (WebAuthn) and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP). WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.

This document explains how to use the Janssen Auth Server's built-in FIDO2 interception script to implement a two-step, two-factor authentication (2FA) with username / password as the first step, and any FIDO2 device as the second step.

• A Janssen Server (installation instructions)
• FIDO2 interception script (included in the default Gluu Server distribution);
• At least one FIDO2 device for testing, like one of the devices listed below.
• For Linux-based operating systems, a little modification required in udev rule, that is stated below.

Some well known FIDO2 devices and manufacturers include:

• Yubico
• Vasco DIGIPASS SecureClick
• HyperFIDO
• Feitian Technologies
• AuthenTrend
• Apple's built-in Touch ID

Purchase FIDO2 devices on Amazon. Or, check FIDO's certified products for a comprehensive list of FIDO2 devices (sort by Specification == FIDO2).

The script has the following properties

By default, users will get the default authentication mechanism as specified above. However, using the OpenID Connect acr_values parameter, web and mobile clients can request any enabled authentication mechanism.

1. Obtain the json contents of fido2 custom script by using a jans-cli command like get-config-scripts-by-type, get-config-scripts-by-inum etc.

e.g : /opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-type --url-suffix type:PERSON_AUTHENTICATION , /opt/jans/jans-cli/config-cli.py --operation-id get-config-scripts-by-inum --url-suffix inum:6122281b-b55d-4dd0-8115-b098eeeee2b7

2. Update the custom script and change the enabled attribute to true

Now FIDO2 is an available authentication mechanism for your Janssen Server. This means that, using OpenID Connect acr_values, applications can now request FIDO2 authentication for users.

!!! Note To make sure FIDO2 has been enabled successfully, you can check your Janssen's Auth Server OpenID Connect configuration by navigating to the following URL: https://<hostname>/.well-known/openid-configuration. Find "acr_values_supported": and you should see "fido2".

Use this link as a reference. Follow the steps below to enable FIDO2 authentication:

1. Create a file say fido2-auth-default.json with the following contents

{
  "defaultAcr": "fido2"
}

2.Update the default authentication method to fido2

/opt/jans/jans-cli/config-cli.py --operation-id put-acrs --data /tmp/fido2-auth-default.json

!!! Note If FIDO2 is set as a default authentication mechanism users will not be able to access the protected resource(s) while using a mobile device or a browser that does not support FIDO2 (e.g. Internet Explorer).

Below is an illustration of the Janssen Server's default FIDO2 login page:

The design is being rendered from the FIDO2 xhtml page. To customize the look and feel of this page, follow the customization guide.

FIDO2 device enrollment happens during the first authentication attempt.

All subsequent FIDO2 authentications for that user account will require the enrolled FIDO2 key.

A user's FIDO2 devices can be removed by a Janssen administrator in LDAP under the user entry as shown in the below screenshot.

A discovery document for FIDO2 is published by the Janssen Server at: https://your.hostname/.well-known/fido2-configuration This document specifies the URL of the registration and authentication endpoints.