IBM Security Verify

Hi all,
we are finally working on Fido2 and finishing our first implementation.

We have nearly everything working as we wish, except for one small detail : we are unable to modify the user's authentication level after a successfull fido2 authentication.

For doing that, we implemented a fido2 mapping rule (called mediators), and if in the "assertion_result" context type, we tried modifying the authentication level :
- directly in the stsuu (won't work, stsuu is readonly as specified in the documentation)
- by using the credentialData Hashmap

We are unable to modify the authentication level.


We think it's because we directly call the FIDO2 endpoints from the browser, instead of calling the fido2 authentication policy.

Can someone confirm that we have to call FIDO2 api via the authentication policy to be able to modify user authentication level ?
Or is there another way to do it when directly calling the FIDO2 endpoints ?

Thanks a lot for any feedback on this last issue we have before being able to validate all the solution end 2 end.

------------------------------
André Leruitte
------------------------------

That is correct. Calling /assertion/result endpoint directly is stateless, and doesn't do anything other than tell you it was a valid assertion.

If you want to modify the session attributes of a user, this must be done via an authentication policy. You can (and should) directly call an authentication policy which has the FIDO2 authentication mechanism in it. There is an alternative, which is to build your own infomap-based authentication policy which internally uses the HTTP client to call /assertion/result, but I don't recommend this if what you are really doing is browser session authentication.

Please feel free to reach out with any other FIDO2 questions, and I would be very much interested in seeing your use case in action when done!

Cheers,

Shane.

------------------------------
Shane Weeden
IBM
------------------------------

Original Message:
Sent: Thu March 26, 2020 11:15 AM
From: André Leruitte
Subject: FIDO2 : modify user authentication_level after successful auth

Hi all,
we are finally working on Fido2 and finishing our first implementation.

We have nearly everything working as we wish, except for one small detail : we are unable to modify the user's authentication level after a successfull fido2 authentication.

For doing that, we implemented a fido2 mapping rule (called mediators), and if in the "assertion_result" context type, we tried modifying the authentication level :
- directly in the stsuu (won't work, stsuu is readonly as specified in the documentation)
- by using the credentialData Hashmap

We are unable to modify the authentication level.


We think it's because we directly call the FIDO2 endpoints from the browser, instead of calling the fido2 authentication policy.

Can someone confirm that we have to call FIDO2 api via the authentication policy to be able to modify user authentication level ?
Or is there another way to do it when directly calling the FIDO2 endpoints ?

Thanks a lot for any feedback on this last issue we have before being able to validate all the solution end 2 end.

------------------------------
André Leruitte
------------------------------

Hi Shane,

Thanks a lot for your feedback.

In the meanwhile, we switched the way our webapp calls the fido2 webauth by using an authentication policy, and indeed we can now modify user session attributes (as the Authentication Level)

On the FIDO2 side, we have now everything working as we wished !


We still have a bit of work on the TOTP implementation because we want to offer our users a fallback 2fa method (not easy to buy fido2 devices at the moment except online).
We are trying to nail the enrollment and "replace/lost Device" processes that are quite sensitive.


Thanks again for the confirmation about FIDO2 behavior.

------------------------------
André Leruitte
------------------------------

Original Message:
Sent: Sun March 29, 2020 06:14 PM
From: Shane Weeden
Subject: FIDO2 : modify user authentication_level after successful auth

That is correct. Calling /assertion/result endpoint directly is stateless, and doesn't do anything other than tell you it was a valid assertion.

If you want to modify the session attributes of a user, this must be done via an authentication policy. You can (and should) directly call an authentication policy which has the FIDO2 authentication mechanism in it. There is an alternative, which is to build your own infomap-based authentication policy which internally uses the HTTP client to call /assertion/result, but I don't recommend this if what you are really doing is browser session authentication.

Please feel free to reach out with any other FIDO2 questions, and I would be very much interested in seeing your use case in action when done!

Cheers,

Shane.

------------------------------
Shane Weeden
IBM

Original Message:
Sent: Thu March 26, 2020 11:15 AM
From: André Leruitte
Subject: FIDO2 : modify user authentication_level after successful auth

Hi all,
we are finally working on Fido2 and finishing our first implementation.

We have nearly everything working as we wish, except for one small detail : we are unable to modify the user's authentication level after a successfull fido2 authentication.

For doing that, we implemented a fido2 mapping rule (called mediators), and if in the "assertion_result" context type, we tried modifying the authentication level :
- directly in the stsuu (won't work, stsuu is readonly as specified in the documentation)
- by using the credentialData Hashmap

We are unable to modify the authentication level.


We think it's because we directly call the FIDO2 endpoints from the browser, instead of calling the fido2 authentication policy.

Can someone confirm that we have to call FIDO2 api via the authentication policy to be able to modify user authentication level ?
Or is there another way to do it when directly calling the FIDO2 endpoints ?

Thanks a lot for any feedback on this last issue we have before being able to validate all the solution end 2 end.

------------------------------
André Leruitte
------------------------------