IBM Verify

  • 1.  Fully passwordless authentication using biometric features

    Posted Tue July 19, 2022 10:46 AM
    Hello, I want to implement the IBM Verify SDK in our application (Android/iOS) for fully passwordless authentication using biometric features like fingerprint or Face ID. Can someone give me a step-by-step guide to do it? Just to clarify, we will not be doing multi-factor authentication at this stage. Thanks!

    ------------------------------
    Gabriel Pilagatto
    ------------------------------


  • 2.  RE: Fully passwordless authentication using biometric features

    Posted Wed July 20, 2022 01:26 AM
    Hi Gabriel,

    Could you please provide us with additional information about your mobile app and the scenarios you want to achieve? Is your mobile app to be an authenticator for your web app? Or is it a stand-alone app where the user should authenticate every time he uses it?

    ------------------------------
    Carsten Hagemann
    ------------------------------



  • 3.  RE: Fully passwordless authentication using biometric features

    Posted Wed July 20, 2022 08:35 AM
    Hi Carsten,
    Yes, sure! My app will be, as you say, a stand-alone application for Android and iOS where the user should authenticate every time he uses it. But I don't want (for user experience) the user to have to enter the username and password every time, only the first time. I want the users, the next time they log in, to only use the biometric feature.
    Thank you for your time.
    Gabriel.

    ------------------------------
    Gabriel Pilagatto
    ------------------------------



  • 4.  RE: Fully passwordless authentication using biometric features

    Posted Thu July 21, 2022 09:24 PM
    Edited by Carsten Hagemann Thu July 21, 2022 09:24 PM
    Hi Gabriel,

    The features the Verify SDK provides will not help you with the scenario you described.

    The recommended practice for authorizing with username and password in native apps is to do it in an external user agent (usually the browser): https://datatracker.ietf.org/doc/html/rfc8252#section-4

    When the user has successfully passed that step, it's the app's responsibility to invoke a biometric authentication dialog (https://developer.android.com/training/sign-in/biometric-auth) on subsequent starts.

    Depending on the security requirements of your app, you could also consider a user as already authenticated if he uses biometric authentication to unlock his phone. You should also consider scenarios where, after successfully registering in step 1, additional biometric IDs are registered on the phone.

    ------------------------------
    Carsten Hagemann
    ------------------------------



  • 5.  RE: Fully passwordless authentication using biometric features

    Posted Fri July 22, 2022 08:10 AM
    Thank you very much for your answer and your suggestions! This is very useful for me.

    ------------------------------
    Gabriel Pilagatto
    ------------------------------



  • 6.  RE: Fully passwordless authentication using biometric features

    Posted Wed October 02, 2024 09:21 AM
    Hi Carsten,

    Sorry to bump an old thread, but I am looking into implementing biometric sign-in on a mobile app using the ISAM MMFA mechanism as follows. What we are trying to achieve here is that, after initial registration, the user is able to sign in on the mobile app against ISAM by only presenting registered biometrics (Face ID or fingerprint).

    #MMFA registration

    1. First login using username and password
    2. Kick off /authorize for MMFA - /aac/sps/oauth/oauth20/authorize?response_type=code&client_id=AuthenticatorClient&scope=mmfaAuthn&response_mode=form_post
    3. Obtain authorization_code
    4. Exchange the authorization_code for tokens and post device details - /mga/sps/oauth/oauth20/token, save the token in secure storage
    5. Store the private key in secure storage, and register the device-generated public key and key handle with ISAM - PATCH /scim/Me?attributes=urn:ietf:params:scim:schemas:extension:isam:1.0:MMFA:Authenticator:fingerprintMethods

    #MMFA authentication

    1. Trigger authentication and create a pending MMFA transaction - from the mobile app, call /aac/sps/apiauthsvc/policy/mmfa_fingerprint?username={uid}
    - When a single device is registered, the MMFA transaction is automatically created, mmfa.devicePrompt.skipIfOneDevice=true
    - When multiple devices are registered, device selection TBD
    2. Prompt for biometrics, retrieve the refresh token and private key, use the refresh token to obtain a new access token
    3. Post back the MMFA transaction id with the obtained access_token - /aac/sps/apiauthsvc?MmfaTransactionId={txnId}, the mobile app receives a server challenge
    4. The mobile app uses the private key to sign the challenge and posts it back - /aac/sps/apiauthsvc?StateId={stateId}
    5. User is signed in to ISAM - 204 response, AAC sends the am-eai-pac header back to WebSEAL

    Questions:
    1. In MMFA Cookbook chapter 11: An "initiate" Authentication Policy which initiates the MMFA function. This is accessed by the browser.
    Can we call the MMFA /mmfa_fingerprint endpoint from the mobile app? If the Verify SDK doesn't support this usage, can we use an HTTP client to call it?
    2. Step 1, how to handle multi-device selection.
    3. Step 4 in authentication, that should be for approving the MMFA transaction? Can we skip the push notification from the mobile device and just approve it?
    4. OAuth tokens for MMFA and the private key need to be stored on the device with biometric protection; is KeychainService the way to achieve that for iOS? Is it part of iOS or the Verify SDK? How about Android?

    With regards to your response to the OP's question that states "Verify SDK will not help the scenario", could you elaborate on that further? I understand that we are trying to use MMFA "in a different way" as opposed to how it's normally intended to be used. But what would be the potential problem, and is it a wrong approach? A little background here: we are basically looking for an out-of-the-box mechanism in ISAM to replace the existing custom biometric sign-in flow of an existing mobile app; the current custom implementation basically relies on registering a public key with the server, and uses the private key to sign a challenge to authenticate to the server.

    Thanks in advance,
    Tian


    ------------------------------
    Tian Xia
    ------------------------------
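The challenge-response core of the flow described in the post above (a device key pair registered under a key handle, a server nonce bound to a transaction id, the device signature verified and the challenge consumed), as an added Go example that is not part of this thread nor code from ISAM or the Verify SDK. It assumes an in-memory P-256 key standing in for biometric-gated secure storage, and models neither ISAM's endpoints nor its data model.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Illustrative server state (assumption, not ISAM's data model): device public keys
// by key handle, and open challenges by MMFA transaction id.
type pending struct {
	nonce  []byte
	handle string
}
type Server struct {
	keys    map[string]*ecdsa.PublicKey
	pending map[string]pending
}
func NewServer() *Server { return &Server{map[string]*ecdsa.PublicKey{}, map[string]pending{}} }
// Register stores the public key the device generated (registration step 5 above).
func (s *Server) Register(handle string, pub *ecdsa.PublicKey) { s.keys[handle] = pub }
// Challenge opens a transaction and returns a fresh random nonce for the device to sign.
func (s *Server) Challenge(txnID, handle string) ([]byte, error) {
	if _, ok := s.keys[handle]; !ok {
		return nil, errors.New("unknown key handle")
	}
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read always fills the slice (never errors since Go 1.24)
	s.pending[txnID] = pending{nonce, handle}
	return nonce, nil
}
// Verify checks the signature over SHA-256(txnID || nonce) and consumes the challenge on every attempt, success or failure, so a captured signature cannot be replayed.
func (s *Server) Verify(txnID string, sig []byte) bool {
	p, ok := s.pending[txnID]
	delete(s.pending, txnID)
	if !ok {
		return false
	}
	digest := sha256.Sum256(append([]byte(txnID), p.nonce...))
	return ecdsa.VerifyASN1(s.keys[p.handle], digest[:], sig)
}
// Device side. In the real app the private key sits in biometric-gated secure storage and is only unlocked by the biometric prompt; here it is an in-memory key so this runs offline.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
func DeviceSign(priv *ecdsa.PrivateKey, txnID string, nonce []byte) ([]byte, error) {
	digest := sha256.Sum256(append([]byte(txnID), nonce...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}
```

Binding the transaction id into the signed digest ties each signature to the MMFA transaction it was issued for, and deleting the pending entry before checking the signature is what stops a replayed or brute-forced second attempt.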



  • 7.  RE: Fully passwordless authentication using biometric features

    Posted Thu October 03, 2024 08:59 AM
    Hi Tian,

    While the outlined approach can certainly work, I'd like to suggest using passkeys as an alternative that could simplify your architecture and enhance security.

    Passkeys are based on public key cryptography and allow users to authenticate using biometrics without the need for traditional username-password combinations or OAuth token exchanges. After the initial setup, users can sign in seamlessly by presenting their biometrics, achieving exactly what you're aiming for in your current approach, but with several key advantages.

    This approach would also address some (if not all) of your questions: no need to handle multi-device selections, keys are securely stored and managed by the OS, and no push notifications are required.

    Here are some resources that explain the features and benefits in more detail:
    • https://developers.google.com/identity/passkeys
    • https://www.passkeys.com/
    • https://passkeys.dev/

    • https://community.ibm.com/community/user/security/blogs/lachlan-james-gleeson1/2021/04/05/fido-autentication-ibm-security-verify-access
    • https://github.com/ibm-security-verify?q=passkey



    ------------------------------
    Carsten Hagemann
    ------------------------------



  • 8.  RE: Fully passwordless authentication using biometric features

    Posted Sat October 05, 2024 12:23 PM

    Hi Carsten,

    Thanks for the help. Unfortunately we are not in a position to implement passkeys yet; we are only looking for a solution to do cryptographic-key-based authentication. But thanks for clarifying that MMFA could work this way.

    Thanks,

    Tian



    ------------------------------
    Tian Xia
    ------------------------------