IBM Verify

Elliptic Key Support for MMFA Authenticators

By Lachlan James Gleeson posted 29 days ago

The 11.0.2.0 release of IBM Verify Identity Access (IVIA) adds support for Elliptic Curve (EC) and Edwards Curve (Ed25519) keys when signing transactions using a Mobile Multi-Factor Authenticator (MMFA). These algorithms provide comparable security with much smaller keys and signatures than traditional RSA keys.

Register a mobile device:

To register an Elliptic Curve key for transaction signing, first register a mobile device for authentication. This is done by completing an OAuth 2.0 authorization code flow with a public client; the IBM Verify mobile application and SDK provide an example of how a mobile device can be registered.

Once the device is registered, generate a public/private key pair and enroll the public key under either the userpresence or fingerprint authentication method.

You can use the User Self Care management pages to help you register a device:

https://www.myidp.ibm.com/mga/sps/mmfa/user/mgmt/html/mmfa/usc/manage.html

  • Manage device registrations from an authenticated session
  • Enroll a new mobile device via QR Code registration

Key Generation:

Generate the Elliptic Curve asymmetric key pair which will be used by the mobile device to sign transactions. Keep the private key secret and safe, and provide the public key as part of the enrollment data.

Supported algorithms include:

  • Elliptic Curves: P-256 (secp256r1), P-384 (secp384r1), P-521 (secp521r1)
  • Edwards curves: Ed25519

For example, a P-256 key pair can be generated with OpenSSL as follows (prime256v1 is OpenSSL's name for the secp256r1 curve):

# Generate private key
openssl ecparam -name prime256v1 -genkey -noout -out private-key.pem

# Extract public key
openssl ec -in private-key.pem -pubout -out public-key.pem

# Get the base64-encoded DER public key on a single line (the value for the publicKey enrollment attribute)
openssl ec -in private-key.pem -pubout -outform DER | base64 -w 0

Enrollment via SCIM API:

Enroll a user via the SCIM API. Here is an example PATCH request to enroll a user for fingerprint authentication with an Elliptic Curve public key:

PATCH /v2.0/Users/{user_id}
Content-Type: application/scim+json
Authorization: Bearer {access_token}

{
  "schemas": ["urn:ietf:params:scim:api:messages:2.0:PatchOp"],
  "Operations": [{
    "op": "add",
    "path": "urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:fingerprintMethods",
    "value": {
      "id": "{device_id}",
      "methods": [{
        "methodType": "fingerprint",
        "enabled": true,
        "attributes": {
          "publicKey": "MFkwEwYHKoZIzj0CAQYIKoZIzj0DAQcDQgAE...",
          "keyHandle": "EllipticCurveKeyExample",
          "algorithm": "SHA256withECDSA",
          "enabled": true
        }
      }]
    }
  }]
}

Note: The signing and hashing algorithm name follows the Java Security Standard Algorithm Names specification.

Transaction Signing:

Once enrolled, the device can be used to sign MMFA transaction data generated by IVIA. Here is an example transaction for a banking scenario, where the user is asked to confirm a transaction request by signing a JSON summary of the transaction data:

{
  "stateId": "DAQcDQgEwYHK...",
  "serverChallenge": "Approve transfer of $500.00 to Account ****1234"
}

The serverChallenge field contains the transaction details the user is approving; this is the data that must be signed with the device's private key.

Use the private key you previously generated to sign the supplied transaction data, then POST the result back to IVIA to complete the transaction:

POST /mga/sps/apiauthsvc?StateId=uMDAiLCJMjAyNC0xMi0wN1...
Content-Type: application/json
Authorization: Bearer {access_token}

{
  "signedChallenge": "DAQcDQgEwYHK...",
  "operation": "verify"
}

The signature must be base64-encoded; IVIA verifies it against the public key that was supplied when the authentication method was enrolled.

Additional Resources:

Administrators can use the MMFA cookbook as a guide for configuring IVIA for MMFA authentication.
For more details on supported algorithms and key formats, refer to the IBM Verify Access Knowledge Center or API Documentation Hub.
