IBM Verify

  • 1.  U2F Register and Authenticate Policy

    Posted Wed October 24, 2018 03:32 AM
    Edited by Pang Dela Cruz Wed October 24, 2018 10:01 PM
    We notice the appId (a valid URL) is included during registration and stored in the U2F_TOKENS table. Does that mean that we can only authenticate to a single virtual host site per U2F device?

    Is it possible to have one registered U2F device that can authenticate to different virtual host junctions?

    Any idea, @Jon Harry?

    ------------------------------
    Pang
    ------------------------------


  • 2.  RE: U2F Register and Authenticate Policy

    Posted Thu October 25, 2018 01:19 AM
    Edited by Shane Weeden Thu October 25, 2018 01:20 AM

    >>does that mean that we can only authenticate to a single virtualhost site per u2f device?

    No, it does not.

    >> is possible to have 1 registered u2f device that can authenticate different virtualhost junctions?
    Yes.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 3.  RE: U2F Register and Authenticate Policy

    Posted Thu October 25, 2018 02:36 AM
    Hi @Shane Weeden,

    Thanks for the reply.
    We tried to use the out-of-the-box U2F register and authenticate policies with the appId in the session (managed by a custom mapping rule that gets the URL and sets the value in the session).

    1. Register the device using the urn:ibm:security:authentication:asf:u2f_register policy on site1.
    2. Authenticate (urn:ibm:security:authentication:asf:u2f_authenticate) to site1 using the registered device: success, as expected.
    3. In a new session, authenticate to site2 using the registered device, but it failed and we get this in the response from https://site2.adb.org/mga/sps/authsvc?TransactionId=a2baa5b7-ef90-4a5d-b60d-7c27a3336270:

    var existingTokenString = '[{"name":"mfatest","key_handle":"abcde","id":"uuidac572b96-cb98-44c6-b057-cac4ec27f5ed","app_id":"https:\/\/site1.adb.org","enabled":true}]';

    var authenticateRequest = {
      "appId": "https://site2.adb.org",
      "challenge": "022Kzw0CoZkqZLDsXJhz",
      "version": "U2F_V2"
    };

    I hope you can help us, we are planning to add this in our MFA setup.

    ------------------------------

    Thank you,
    Pang
    ------------------------------



  • 4.  RE: U2F Register and Authenticate Policy

    Posted Thu October 25, 2018 03:00 AM

    You have to register separately for each site. You can use the same physical token, but you cannot re-use the registration across sites. That's standard U2F. 

    Additionally, there is a small change you will need to make to the authenticate.html page template to filter out tokens which are NOT part of the "current site" in the call to u2f_authenticate.

    Look for (and update) this code in the page template C/authsvc/authenticator/u2f/authenticate.html.

    It's in the checkTokens() JavaScript function:

    for(var i = 0; i < tokens.length; i++) {
      var tokenAttrs = tokens[i];
    
      // this is new - only add tokens that match the requested appId
      if (tokenAttrs['app_id'] == authenticateRequest.appId) {
        var token = {
          keyHandle: tokenAttrs['key_handle'],
          version: authenticateRequest.version,
          appId: tokenAttrs['app_id']
        };
        existingTokens.push(token);
      }
    }

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
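    The filter Shane describes, as an added example that is not code from the thread or from ISAM: the per-appId selection from checkTokens() pulled into a pure function, plus the decision the page has to make when the filter leaves nothing to sign with. The token records use the same field names as the existingTokenString posted above; the second challenge string and the planAuthentication helper are constructed for this example.

```javascript
"use strict";

// Added example (not code from the thread or from ISAM): the per-appId
// filter from checkTokens() as a pure function, plus the decision the
// page should make when the filter leaves nothing to sign with.

// Constructed sample data: the single registration from the thread, with
// the same field names as the existingTokenString on the page.
const REGISTERED_TOKENS = [
  {
    name: "mfatest",
    key_handle: "abcde",
    id: "uuidac572b96-cb98-44c6-b057-cac4ec27f5ed",
    app_id: "https://site1.adb.org",
    enabled: true,
  },
];

// Build the registeredKeys list for u2f.sign(): only enabled tokens whose
// stored app_id is exactly the appId the server is challenging. This is a
// plain string compare on purpose: U2F hashes the appId verbatim, so
// "https://site1.adb.org" and "https://site1.adb.org/" are different apps.
function selectTokensForAppId(tokens, authenticateRequest) {
  const registeredKeys = [];
  for (const tokenAttrs of tokens) {
    if (tokenAttrs.enabled === false) continue;
    if (tokenAttrs.app_id !== authenticateRequest.appId) continue;
    registeredKeys.push({
      keyHandle: tokenAttrs.key_handle,
      version: authenticateRequest.version,
      appId: tokenAttrs.app_id,
    });
  }
  return registeredKeys;
}

// What the page should do next. A key handle is bound to the appId it was
// created under, so passing site1's handle for a site2 challenge can only
// produce a device error; with an empty list the user needs a registration
// for this site, not a sign() call. (Helper constructed for this example.)
function planAuthentication(tokens, authenticateRequest) {
  const registeredKeys = selectTokensForAppId(tokens, authenticateRequest);
  const action = registeredKeys.length === 0 ? "register_required" : "sign";
  return { action, appId: authenticateRequest.appId, registeredKeys };
}

// The two steps from the thread: site1 has a matching registration,
// site2 does not. The site2 challenge value is constructed.
function demo() {
  const site1 = { appId: "https://site1.adb.org", challenge: "022Kzw0CoZkqZLDsXJhz", version: "U2F_V2" };
  const site2 = { appId: "https://site2.adb.org", challenge: "7dK3s0NwQ9xHaPz1Lb2R", version: "U2F_V2" };
  return {
    site1: planAuthentication(REGISTERED_TOKENS, site1),
    site2: planAuthentication(REGISTERED_TOKENS, site2),
  };
}
```

    In the template, the "sign" branch is where the existing u2f.sign(...) call belongs; the "register_required" branch is where the page would send the user to register the device for this site instead of issuing a challenge the device cannot answer.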



  • 5.  RE: U2F Register and Authenticate Policy

    Posted Thu October 25, 2018 04:45 AM
    @Shane Weeden

    ISAM doesn't support U2F's multi-facet AppId? It seems that U2F should be able to specify a trusted list of facets (hostnames) within a JSON file. -- https://developers.yubico.com/U2F/App_ID.html

    ------------------------------
    Pierre Passin
    ------------------------------



  • 6.  RE: U2F Register and Authenticate Policy

    Posted Thu October 25, 2018 06:41 AM
    There's no reason why it couldn't. The AppId is settable, and can point to your own hosted JSON document. You could also serve the JSON document via an HTTP transformation rule.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------



  • 7.  RE: U2F Register and Authenticate Policy

    Posted Thu October 25, 2018 07:15 AM
    Hmm - it may not be that simple. I think an RFE would be needed for facet support.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------
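    To make concrete what "facet support" means in the exchange above, here is an added example (not ISAM code and not from the thread) of the client-side appId/facet check described by the FIDO AppID and Facet specification that the linked Yubico page summarises: a registration under a shared appId is usable from an origin only if the appId is that origin, or if the document served at the appId URL lists the origin as a trusted facet and the origin shares the appId's registrable domain. The facet documents, hostnames, fetch stand-in and the two-label approximation of eTLD+1 are all constructed assumptions for this example; whether the server side of ISAM can accept such registrations is the open question in the thread and is not addressed here.

```javascript
"use strict";

// Added example, not ISAM code and not from the thread: the appId/facet
// check a U2F client makes when the appId is not the page's own origin.

const FACET_CONTENT_TYPE = "application/fido.trusted-apps+json";

// Constructed: a trusted-facets document covering the two sites from the
// thread, as it would be served from the appId URL, plus a second document
// that tries to vouch for an unrelated domain.
const FACET_DOCUMENTS = {
  "https://adb.org/u2f-facets.json": {
    contentType: FACET_CONTENT_TYPE,
    body: { trustedFacets: [{ version: { major: 1, minor: 0 },
                              ids: ["https://site1.adb.org", "https://site2.adb.org"] }] },
  },
  "https://adb.org/bad-facets.json": {
    contentType: FACET_CONTENT_TYPE,
    body: { trustedFacets: [{ version: { major: 1, minor: 0 },
                              ids: ["https://login.other.example"] }] },
  },
};

// Stand-in for the HTTPS GET the browser performs; null means 404.
function fetchFacetDocument(url) {
  return Object.prototype.hasOwnProperty.call(FACET_DOCUMENTS, url) ? FACET_DOCUMENTS[url] : null;
}

// Approximation of the registrable-domain (eTLD+1) rule (assumption): with
// no public suffix list available offline we take the last two labels,
// which is right for .org/.com and wrong for suffixes such as .co.uk.
function registrableDomain(hostname) {
  return hostname.toLowerCase().split(".").slice(-2).join(".");
}

// Parse a string as a URL and accept it only if it is https.
function parseHttpsUrl(s) {
  try {
    const u = new URL(s);
    return u.protocol === "https:" ? u : null;
  } catch (e) {
    return null;
  }
}

// Is `origin` allowed to use `appId`? True in exactly two cases: the appId
// is the origin itself, or the appId is an https URL whose trusted-facets
// document (served with the FIDO content type) lists the origin, and the
// origin shares the appId's registrable domain. Listed facets outside that
// domain are ignored, so a facet document cannot extend a registration to
// arbitrary third parties.
function isAllowedFacet(appId, origin) {
  const originUrl = parseHttpsUrl(origin);
  if (!originUrl) return false;
  if (appId === originUrl.origin) return true;
  const appUrl = parseHttpsUrl(appId);
  if (!appUrl) return false;
  const doc = fetchFacetDocument(appId);
  if (!doc || doc.contentType !== FACET_CONTENT_TYPE) return false;
  const entry = (doc.body.trustedFacets || []).find(
    (f) => f.version && f.version.major === 1 && f.version.minor === 0
  );
  if (!entry || !Array.isArray(entry.ids)) return false;
  const appDomain = registrableDomain(appUrl.hostname);
  return entry.ids.some((id) => {
    const idUrl = parseHttpsUrl(id);
    return idUrl !== null &&
      registrableDomain(idUrl.hostname) === appDomain &&
      idUrl.origin === originUrl.origin;
  });
}
```

    Run against the thread's data, a registration whose appId is "https://site1.adb.org" is refused for "https://site2.adb.org" (no facet document exists at that URL), while a registration under "https://adb.org/u2f-facets.json" is accepted from both sites; the second document is refused because its facet lies outside adb.org. The browser, not the server, enforces this, which is why facet support depends on the browser in use as well as on the server's willingness to register under a shared appId.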



  • 8.  RE: U2F Register and Authenticate Policy

    Posted Mon October 29, 2018 04:52 AM
    @Shane Weeden

    So right now registration of push notification/TOTP/U2F is centrally managed by a web application that makes REST calls to AAC instead of using the default template pages of AAC. If we do U2F via this route, it gets registered under that specific hostname alone. It was originally hoped to be able to authenticate to multiple virtual host junctions (probably a hundred VHJs). Any suggestions on how to handle this? Or how other customers have handled it?

    Also, since U2F's multi-facet isn't supported right now, is the direction going forward straight to FIDO2, or will missing gaps in ISAM's implementation still be developed?


    ------------------------------
    Pierre Passin
    ------------------------------



  • 9.  RE: U2F Register and Authenticate Policy

    Posted Mon October 29, 2018 06:14 AM
    Formal statements on product commitments don't come from just me; however, as the product architect I can suggest that I see little future in further development on U2F in ISAM when it is clear the industry is moving to WebAuthn. I don't even concede that [lack of] support for facets is a big gap: my understanding is that Firefox doesn't support facets anyway, so you'd be restricting yourself to only the Chrome browser.

    In WebAuthn, the only mention of facets is in relation to the AppID extension, i.e. supporting WebAuthn authentication using older U2F registrations. I don't yet see any provision for the support of a single WebAuthn registration across multiple virtual hosts in the way it is described for U2F and UAF.

    ------------------------------
    Shane Weeden
    IBM
    ------------------------------