Hello, this is Kyungjoon from the Security R&D team. I work as a FIDO (Fast Identity Online) engineer. Continuing from our last post FIDO at LINE: A First Step to a World Without Passwords, I would like to introduce you to FIDO2, and also share my experiences from participating in the interoperability testing event hosted by the FIDO Alliance earlier this year in March. Lastly I will talk about our very own LINE FIDO2 server, which will be made available as an open-source project.
Introducing FIDO2
FIDO currently has three coexisting standards: UAF (Universal Authentication Framework), U2F (Universal 2nd Factor), and FIDO2. Recent developments have lead to FIDO2 being adopted as the new main standard. Then how does FIDO2 differ from the other standards? Why was FIDO2 created? Let's take a look at each of the standards to find the answer.
UAF
FIDO UAF is a standard introduced to mobile apps on Android and iOS, where users would be able to authenticate themselves using biometrical data or PIN codes instead of a password. Android and iOS, the two major players in the mobile OS market, currently do not support the UAF API.
U2F
FIDO U2F is a two-factor authentication standard that required the user's ID and password, and then an additional authentication key through a hardware solution. Google, Facebook, and GitHub are among those who use this approach. It is mainly used for specific users or employees who need a high level of security.
FIDO2
FIDO2 is a standard that consolidates the former two, making it available on mobile devices, or any web-enabled environment. FIDO2 is comprised of WebAuthn1 for web browsers and CTAP (Client to Authenticator Protocol) for authenticators. Many modern web browsers support the WebAuthn API. As web browsers act as the client, products that would support biometric authentication could make use of the various API supported by the web browser to provide authentication products in more varied environments, and users can now authentication more safely and easily. Also, as U2F is backwards compatible with the CTAP2 standard, it supports the previous hardware-based authentication methods that were used with it. Below is a list of browsers that currently support the WebAuthn standard as of writing this blog post.
FIDO interoperability testing
The FIDO Alliance performs a quarterly interoperability test. Any product that qualifies in this test can be officially recognized for conforming to the FIDO standard.
The FIDO2 interoperability test is conducted with the WebAuthn API used on Google Chrome, Microsoft Edge, Mozilla Firefox among others. The test evaluates products submitted by various vendors on how well they inter-operate with FIDO2 servers, and how well the standard was followed. The testing that took place during March of 2021 was held virtually (in a remote environment) due to the current pandemic. Authenticator vendors were instructed to enable their webcams at a predetermined time and to integrate their authenticators with other vendors' FIDO2 servers to test if registration and authentication can be performed without issue. LINE FIDO2 was one of the available FIDO2 servers for testing, as we wanted to test the server before releasing it as an open-source project.
2021 interoperability testing schedule
The 2021 interoperability test took place following the schedule below as of August, 2021.
- March 8-12, 2021
- June 21-25, 2021
Interoperability testing procedure
The interoperability test had the following process: registration → exchange of NDA contracts → perform conformance self-validation and submit results → prepare for testing → test → submit results to be evaluated and to receive certificate of approval. Let's take a brief look at each step.
Testing registration and exchange of NDA contracts
Details on registration for the test and exchanging NDA contracts can be found on the webpage below.
Conformance self-validation
After registering for testing, you must perform and submit the results of a conformance self-validation test (162 test cases for version 1.6.14) two weeks before the interoperability test in order to participate in the actual test. You can request to download the conformance self-validation tool from the link below.
If you are having your server tested, you must provide the following API.
The self-validation test uses an authenticator specifically implemented for testing purposes. Details on the test can be found on the webpage below.
Preparing for the test
To perform the test, you must create a fido2-interop-webapp page by following the instructions in the webpage below. Other authenticator vendors will use this page to proceed with their tests.
You must share the URL of your FIDO2 relying party server to the FIDO Alliance. The FIDO Alliance will provide you with an authenticator metadata through email. You must add the provided metadata to your database.
Performing the test
Once you deploy your server, there is nothing that needs to be done unless there is an issue that occurs during testing. In our case, we only checked the logs that collected data from the authenticator vendors once or twice a day to check if there were any issues that needed to be addressed.
Sharing test results and receiving your certificate
The FIDO Alliance will send you the test results on the following Monday after the test. More information on certification fees can be found on the webpage below.
LINE FIDO2 server interoperability test approval
The LINE FIDO2 server has passed this year's interoperability test without any issues. As we already have our certification, we didn't apply for a new certificate this time around.
Introduction to the open-source LINE FIDO2 server
We at the LINE Security R&D team have decided to release the LINE FIDO2 server as an open-source project to make it available to a wider audience and also to further improve on it. We look forward to contributing back to the FIDO ecosystem with our public activities.
The URL of our open-source GitHub repo is as follows.
We have adopted the Apache-2.0 license, and everything we have made public can operate in the following environments.
- Spring Boot 2.4.3
- Gradle 6.8.3
- Java 1.8
We currently have three modules:
- LINE FIDO2 server: A FIDO2 server implementation conforming to the FIDO2 standard.
- FIDO2-spring-boot-starter, FIDO2-spring-boot-starter demo: A spring-boot-starter version of the LINE FIDO2 server application that can be easily integrated into a Spring Boot environment.
- RP server sample: A sample application with a FIDO2 RP implementation.
The LINE FIDO2 server fully supports the WebAuthn Level 1 standard, and partly supports the recently improved Level 2 standard. The list of attestation types supported by the LINE FIDO2 server are as follows.
- Supported attestation types
- Basic
- Self
- Attestation CA (Privacy CA)
- Anonymization CA
- None
- Supported attestation statement formats
- Packed
- TPM
- Android Key Attestation
- Android Safetynet
- Apple Anonymous
- FIDO U2F
- None
In conclusion
Our team plans to continue adding new features and fixing bugs to contribute to our now public open-source project. If any of you that are reading this post are interested, please use the LINE FIDO2 server where needed, and feel free to contribute the open-source project if you discover any bugs or features that need to be improved. We hope these activities will culminate in making the LINE FIDO2 server a better project. Thank you for reading the post, and I hope to see you on the repo!
- Suggested by the FIDO Alliance and adopted as standard by The World Wide Web Consortium (W3C), all modern web browers are strongly recommended to provide support for WebAuthn API. (Reference)