About multi-factor authentication
Multi-factor Authentication (MFA) creates a layered defence and makes it more difficult for an unauthorized person to access a target such as a physical location, computing device, Web service, network or database. If one factor is compromised or broken, the attacker still has at least one more barrier to breach before successfully breaking into the target.
A user is authenticated with a combination of two or more factors drawn from the three factor categories (knowledge, possession and inherence). A basic example is withdrawing money with an ATM card: the card is the possession factor and the PIN is the knowledge factor.
MFA in mobiles
In this scenario, the mobile phone acts as the possession factor. This has become a popular solution in the current market, as advances in mobile technology allow it to accommodate many different types of users.
The advantage of this method is that there is no need for an additional, dedicated token, as users tend to carry their mobile devices around at all times anyway. Some professional two-factor authentication solutions also ensure that there is always a valid passcode available for users. Once a passcode (a sequence of digits) has been used, it is automatically deleted and the system sends a new code to the mobile device. If the new code is not entered within a specified time limit, the system automatically replaces it. This ensures that no old, already used codes are left on mobile devices. For added security, it is possible to specify how many incorrect entries are permitted before the system blocks access.
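The passcode lifecycle described above (single use, automatic replacement of an unused code after a time limit, and a cap on wrong entries) as an added example in Go; this is not WSO2 Identity Server code or code from the page. The 6-digit code length, the 90-second window, the limit of three wrong entries, the user name and the `Send` delivery callback are all constructed assumptions, and the clock is injectable through `Now` so expiry can be exercised without waiting.

```go
package main

import (
	"crypto/rand"
	"crypto/subtle"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// Policy knobs; constructed values for this example, not from the page.
const (
	codeTTL     = 90 * time.Second // a code not entered within this window is replaced
	maxAttempts = 3                // wrong entries permitted before access is blocked
)

var errBlocked = errors.New("access blocked after too many wrong entries")

// Passcode is the single valid code a user has at any moment.
type Passcode struct {
	value   string
	expires time.Time
}

// Verifier keeps the current passcode, the wrong-entry count and the block flag per user.
type Verifier struct {
	Now      func() time.Time        // injectable clock, defaults to time.Now
	Send     func(user, code string) // delivery to the mobile device (SMS, push); supplied by the caller
	codes    map[string]Passcode
	failures map[string]int
	blocked  map[string]bool
}

func NewVerifier(send func(user, code string)) *Verifier {
	return &Verifier{Now: time.Now, Send: send, codes: map[string]Passcode{}, failures: map[string]int{}, blocked: map[string]bool{}}
}

// Issue generates a fresh 6-digit code, replacing whatever code the user had, and delivers it.
func (v *Verifier) Issue(user string) (string, error) {
	if v.blocked[user] {
		return "", errBlocked
	}
	n, err := rand.Int(rand.Reader, big.NewInt(1_000_000))
	if err != nil {
		return "", err
	}
	code := fmt.Sprintf("%06d", n.Int64())
	v.codes[user] = Passcode{value: code, expires: v.Now().Add(codeTTL)}
	if v.Send != nil {
		v.Send(user, code)
	}
	return code, nil
}

// Verify checks an entered code. A correct code is consumed (single use); an expired
// code is replaced by a new one; each wrong entry counts towards the block threshold.
func (v *Verifier) Verify(user, entered string) error {
	if v.blocked[user] {
		return errBlocked
	}
	pc, ok := v.codes[user]
	if !ok {
		return errors.New("no passcode outstanding; request a new one")
	}
	if v.Now().After(pc.expires) {
		// The stale code is discarded and a replacement delivered automatically.
		if _, err := v.Issue(user); err != nil {
			return err
		}
		return errors.New("passcode expired; a new one has been sent")
	}
	if subtle.ConstantTimeCompare([]byte(pc.value), []byte(entered)) != 1 {
		v.failures[user]++
		if v.failures[user] >= maxAttempts {
			v.blocked[user] = true
			return errBlocked
		}
		return fmt.Errorf("wrong passcode (%d of %d attempts used)", v.failures[user], maxAttempts)
	}
	delete(v.codes, user) // a used code is deleted so it never stays valid on the device
	v.failures[user] = 0
	return nil
}
```

The comparison uses a constant-time check so that the wrong-entry path does not leak how many leading digits matched, and the block flag is consulted before anything else so that a blocked user cannot keep requesting fresh codes.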
With the rapid growth of the internet, more and more services are available for use by enterprises and organizations. Username and password based authentication still plays a major role in authenticating users, and it is essential to use a strong password to keep your computer, data and accounts safe. However, if you are like most users, you will find it challenging to remember a strong password, especially if you have to change it once in a while.
FIDO provides two user experiences to address a wide range of use cases and deployment scenarios. FIDO protocols are based on public key cryptography and are strongly resistant to phishing.
Figure 1: UAF and U2F.
Universal Authentication Framework (UAF)
UAF involves a password-less experience with the following key processes.
- The user carries the client device with the UAF stack installed.
- The user presents a local biometric or PIN.
- The website can choose whether to retain the password.
Universal Second Factor (U2F)
U2F focuses on the 2nd factor experience and has the following key processes.
U2F Tokens provide cryptographic assertions that can be verified by relying parties. Typically, the relying party is a web server, and the cryptographic assertions are used as second factors (in addition to passwords) during user authentication. U2F Tokens are typically small, special-purpose devices, and the FIDO Client (usually a web browser) relays the communication between the token and the relying party.
U2F protocol operations
The two main operations that take place when using FIDO U2F are registration and authentication.
Both the registration and authentication operations consist of three phases, depicted in the following figure.
Figure 2: Three phases of U2F protocol operations.
- Setup: In this phase, the FIDO Client contacts the relying party and obtains a challenge. Using the challenge (and possibly other data obtained from the relying party and/or prepared by the FIDO Client itself), the FIDO Client prepares a request message for the U2F Token.
- Processing: In this phase, the FIDO Client sends the request message to the token, and the token performs some cryptographic operations on the message, creating a response message. This response message is sent to the FIDO Client.
- Verification: In this phase, the FIDO Client transmits the token's response message, along with other data necessary for the relying party to verify the token response, to the relying party. The relying party then processes the token response and verifies its accuracy. A correct registration response will cause the relying party to register a new public key for a user, while a correct authentication response will cause the relying party to accept that the client is in possession of the corresponding private key.
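The three phases above, worked through for both registration and authentication, as an added example in Go; this is not code from the page or from WSO2 Identity Server. It models a token holding one key pair and a relying party tracking one account, and the origin `https://idp.example.test` is a constructed value. The signed-data layouts follow the U2F raw message format, but the example simplifies the real protocol: the key handle and the vendor attestation certificate are omitted (the registration data is self-signed with the new user key), and `chalParam` is the hash of the raw challenge rather than of the client-data JSON.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Token simulates a U2F token: one key pair (real tokens keep one per key handle) and a monotonic counter.
type Token struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// RelyingParty simulates the web server for one account.
type RelyingParty struct {
	AppID   string
	pub     *ecdsa.PublicKey // recorded by a valid registration response
	counter uint32           // highest signature counter accepted so far
	pending []byte           // the one outstanding, single-use challenge
}

// Setup phase: the relying party issues a fresh random challenge.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.pending = make([]byte, 32)
	rand.Read(rp.pending)
	return rp.pending
}

// ClientParams is the FIDO Client's share of setup: appParam hashes the origin the browser is really talking to, chalParam the challenge.
func ClientParams(origin string, challenge []byte) (appParam, chalParam [32]byte) {
	return sha256.Sum256([]byte(origin)), sha256.Sum256(challenge)
}

// consume accepts a challenge only if it is the outstanding one, then retires it (no replay).
func (rp *RelyingParty) consume(challenge []byte) bool {
	ok := len(challenge) == 32 && bytes.Equal(rp.pending, challenge)
	rp.pending = nil
	return ok
}

// Digests of the U2F raw-format signed data. Registration: 0x00 || appParam || chalParam || [keyHandle ||] pubKey.
func regDigest(appParam, chalParam [32]byte, pub *ecdsa.PublicKey) []byte {
	pubBytes := elliptic.Marshal(elliptic.P256(), pub.X, pub.Y) // 65-byte uncompressed point
	d := sha256.Sum256(bytes.Join([][]byte{{0x00}, appParam[:], chalParam[:], pubBytes}, nil))
	return d[:]
}
// Authentication: appParam || userPresence || counter (4 bytes, big-endian) || chalParam.
func authDigest(appParam [32]byte, up byte, counter uint32, chalParam [32]byte) []byte {
	ctr := binary.BigEndian.AppendUint32(nil, counter)
	d := sha256.Sum256(bytes.Join([][]byte{appParam[:], {up}, ctr, chalParam[:]}, nil))
	return d[:]
}

// Processing phase, registration: new key pair, registration data self-signed with it (simplification: real tokens use an attestation key).
func (t *Token) Register(appParam, chalParam [32]byte) (pub *ecdsa.PublicKey, sig []byte, err error) {
	if t.priv, err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, nil, err
	}
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, regDigest(appParam, chalParam, &t.priv.PublicKey))
	return &t.priv.PublicKey, sig, err
}

// Processing phase, authentication: bump the counter and sign the assertion.
func (t *Token) Authenticate(appParam, chalParam [32]byte) (up byte, counter uint32, sig []byte, err error) {
	if t.priv == nil {
		return 0, 0, nil, errors.New("token holds no key for this relying party")
	}
	t.counter, up = t.counter+1, 0x01 // bit 0 of userPresence: the user touched the token
	sig, err = ecdsa.SignASN1(rand.Reader, t.priv, authDigest(appParam, up, t.counter, chalParam))
	return up, t.counter, sig, err
}

// Verification phase, registration: params are recomputed from the relying party's own app ID, then the public key is recorded.
func (rp *RelyingParty) FinishRegistration(challenge []byte, pub *ecdsa.PublicKey, sig []byte) error {
	appParam, chalParam := ClientParams(rp.AppID, challenge)
	if pub == nil || !rp.consume(challenge) || !ecdsa.VerifyASN1(pub, regDigest(appParam, chalParam, pub), sig) {
		return errors.New("bad challenge or registration signature")
	}
	rp.pub, rp.counter = pub, 0
	return nil
}

// Verification phase, authentication: a valid signature proves possession of the private key; a counter that did not increase is rejected.
func (rp *RelyingParty) FinishAuthentication(challenge []byte, up byte, counter uint32, sig []byte) error {
	if rp.pub == nil || !rp.consume(challenge) || up&0x01 == 0 {
		return errors.New("no registered key, bad challenge, or user presence not asserted")
	}
	appParam, chalParam := ClientParams(rp.AppID, challenge)
	if !ecdsa.VerifyASN1(rp.pub, authDigest(appParam, up, counter, chalParam), sig) || counter <= rp.counter {
		return errors.New("signature invalid or counter did not increase (possible cloned token)")
	}
	rp.counter = counter
	return nil
}
```

Run the phases in order for each operation: `NewChallenge`, `ClientParams`, then `Register` or `Authenticate` on the token, then `FinishRegistration` or `FinishAuthentication` at the relying party. Because the relying party recomputes `appParam` from its own app ID, an assertion the token signed over a different origin's hash does not verify, which is the mechanism behind the phishing resistance noted earlier; the single-use challenge stops a captured response from being replayed, and the counter check lets the relying party notice a token whose key material has been duplicated.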
Basic authentication process flow of U2F
The following figure provides the complete authentication process flow when authenticating using FIDO U2F.
Figure 3: Authentication process flow for U2F
Configuring multi-factor authentication using FIDO
The instructions in this section enable you to successfully set up multi-factor authentication using the WSO2 Identity Server.
Setting up an account for MFA
- Log in to the WSO2 Identity Server end user dashboard.
- Navigate to the My Profile section by clicking the associated View Details button.
- Click Manage U2F Authentication.
You can add a new U2F device to your account and if needed you can remove it.
Tip: You can have multiple devices associated with your account.
Configuring FIDO U2F as an authenticator
- Log in to the Management Console.
- Navigate to the Main menu to access the Identity menu. Click Add under Service Providers.
- Fill in the Service Provider Name and provide a brief Description of the service provider. Only Service Provider Name is a required field.
- Click Register to add the new service provider.
- Access the service provider you just created and expand Local & Outbound Authentication Configuration.
- Select Advanced Configuration to configure multi-factor authentication.
- Click Add Authentication Step. Clicking this again will enable you to create another authentication step.
- Select whether this is a Subject Step, Attribute Step or both. In the case of multiple steps, you can have only one step as the subject step and one as the attribute step.
- Click the plus button to add a Local Authenticator. You can choose the type of authenticator using the dropdown. Clicking the plus button again will enable you to add a second local authenticator. As an example of this scenario, basic and fido are used as the two authenticators. Basic authentication allows you to authenticate users from the enterprise user store while FIDO authenticates you externally.
- Click the Update button. This will return you to the previous screen with your newly configured authentication steps.