IBM Verify

ISAM: Beginner's Guide to FIDO2 Authentication

By Konstantin Trofimov posted Mon July 01, 2019 11:45 PM


As stronger passwords, second factors and other forms of authentication become essential, FIDO2 offers a better user experience: it removes the manual entry of user credentials or one-time passwords while keeping authentication secure.


FIDO2 combines authenticators that implement the Client-to-Authenticator Protocol (CTAP) with browsers that implement the WebAuthn specification. The browser relays registration and authentication requests between the authenticator and the relying party server, which validates them (for more information see the FIDO2 specifications).

To meet your system's requirements for FIDO2/WebAuthn authentication flows, ISAM 9.0.7.0 introduces functionality for:

  • FIDO2 registration
  • Step-up login with FIDO2 authentication as 2FA
  • Username-less login with FIDO2 authentication


Prerequisites

  • A hostname resolvable by your client browser, e.g. https://www.mmfa.ibm.com/, either via a hosts file or a DNS server. FIDO2 is heavily dependent on hostname resolution: the browser records the page origin and passes the relying party ID to the authenticator, so a registration or assertion is only valid for the hostname the relying party is configured with.
  • A FIDO2 relying party and authentication policy configured in ISAM. Shane Weeden’s blog explains in detail how to add and configure the authentication policy and relying party for FIDO2 authentication.

Configuring AAC on a reverse proxy 

Even if AAC was configured on a previous version of ISAM, you will still need to configure AAC again on a reverse proxy in ISAM 9.0.7.0 in order to expose the FIDO2 APIs through WebSEAL. To do this, navigate to Secure Web Settings > Reverse Proxy, select the reverse proxy, click Manage > AAC and Federation Configuration > Authentication and Context Based Access Configuration, and follow the configuration steps in the AAC wizard.




Registration and user self-care

In 9.0.7.0, users can manage their FIDO2 registrations on the user self-care page https://<proxy hostname>/mga/sps/mga/user/mgmt/html/device/device_selection.html.

For example:
https://www.mmfa.ibm.com/mga/sps/mga/user/mgmt/html/device/device_selection.html

After clicking Register new authenticator, you will be prompted to select Require resident key. For this initial registration leave it unselected, click Next and finalise the registration process.

Note: The Require resident key option must be selected for username-less authentication, which is explained in the “Username-less Flow” section below.




Step-up Flow 

Operating FIDO2 in a step-up scenario is typically a two-phase process. A user first logs in via a standard login experience, for example username/password, social login or even QR code based authentication, and is then required, either by a mandatory authentication policy or by an authorisation policy, to ‘step up’ in order to continue.

That is, the user is required to authenticate further (commonly referred to as multi-factor authentication or 2FA) using their FIDO2 authenticator to complete the authentication process and satisfy the authorisation policy. Unlike scenarios with a one-time password as the second factor, the FIDO2 experience requires minimal user input beyond interacting with the authenticator to complete the second-factor prompt.


The steps to demonstrate this are as follows: 

  1. Perform the initial authentication experience:
    Log in at https://<proxy hostname>
    e.g. https://www.mmfa.ibm.com
  2. Trigger the step-up authentication policy:
    Navigate to the configured FIDO2 authentication policy URL
    https://<proxy hostname>/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:fido2
    e.g. https://www.mmfa.ibm.com/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:fido2
  3. Complete the step-up authentication using your FIDO2 authenticator.




Username-less Flow 

To perform the username-less flow you will need to register your authenticator with the “Require resident key” option selected on the user self-care page. This makes capable authenticators create and store a client-side-resident public key credential source, which effectively takes the place of the username. This requires both a FIDO2 device that supports resident keys and a supporting browser. (Note: this is not supported by older FIDO U2F devices.)

At the time of writing this article, username-less flow was supported by Google Chrome Canary, Microsoft Edge and Safari Tech Preview with more browsers expected to bring mainstream support later in 2019.

When navigating to the FIDO2 authentication policy URL https://www.mmfa.ibm.com/mga/sps/authsvc?PolicyId=urn:ibm:security:authentication:asf:fido2 you will be prompted to use a registered FIDO2 authenticator instead of entering your credentials. This makes the entire authentication process simpler and more secure, since no username and password have to be entered.
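The following Go program is an added example and not code from this article or from ISAM; it models what the relying party (the role ISAM plays in these flows) checks when it receives a FIDO2 assertion, and shows why the hostname prerequisite above and the “Require resident key” option matter. It assumes the hostname used in the article (www.mmfa.ibm.com) as the relying party ID, two constructed credentials (alice registered without a resident key, bob with one), a stand-in authenticator built from a P-256 key, a single constructed challenge and a constructed user handle; attestation, user verification (UV) and flags beyond user presence are left out. The step-up case checks that the credential belongs to the user who already logged in; the username-less case resolves the account from the user handle that only a resident credential returns; the rejected cases are a replayed assertion, a non-resident credential used without a username, and an assertion made for a different hostname.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

const rpID, expectedOrigin = "www.mmfa.ibm.com", "https://www.mmfa.ibm.com" // constructed; hostname from the article
var rpIDHash = sha256.Sum256([]byte(rpID))                                     // authenticators sign over this hash of the RP ID

// StoredCredential is what the relying party keeps after registration.
type StoredCredential struct {
	User       string // account the credential belongs to
	UserHandle []byte // nil unless registered with "Require resident key"
	PubKey     *ecdsa.PublicKey
	SignCount  uint32
}

// Assertion is what navigator.credentials.get() hands back to the server.
type Assertion struct {
	CredentialID                        string
	UserHandle                          []byte // empty unless the credential is resident
	ClientDataJSON, AuthData, Signature []byte // AuthData = rpIdHash(32) || flags(1) || signCount(4)
}

// toBeSigned returns SHA-256(authenticatorData || SHA-256(clientDataJSON)), the digest ES256 signs.
func toBeSigned(authData, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// verifyAssertion runs the relying-party checks; username is "" in the username-less flow, where the account comes from the user handle.
func verifyAssertion(store map[string]*StoredCredential, username, challenge string, a Assertion) (string, error) {
	cred, ok := store[a.CredentialID]
	var cd map[string]string // clientDataJSON carries "type", "challenge" and "origin"
	if !ok || json.Unmarshal(a.ClientDataJSON, &cd) != nil || len(a.AuthData) < 37 {
		return "", fmt.Errorf("unknown credential or malformed assertion")
	}
	count := uint32(a.AuthData[33])<<24 | uint32(a.AuthData[34])<<16 | uint32(a.AuthData[35])<<8 | uint32(a.AuthData[36])
	switch {
	case username != "" && cred.User != username: // step-up: the credential must belong to the user who already logged in
		return "", fmt.Errorf("credential not registered to %s", username)
	case username == "" && (cred.UserHandle == nil || string(a.UserHandle) != string(cred.UserHandle)):
		return "", fmt.Errorf("username-less login needs a resident credential with a matching user handle")
	case cd["type"] != "webauthn.get" || cd["challenge"] != challenge:
		return "", fmt.Errorf("wrong ceremony type or stale challenge")
	case cd["origin"] != expectedOrigin || string(a.AuthData[:32]) != string(rpIDHash[:]):
		// the browser records the page origin and the authenticator hashes the RP ID, so the hostname must match
		return "", fmt.Errorf("origin %q or rpIdHash does not match relying party %s", cd["origin"], rpID)
	case a.AuthData[32]&0x01 == 0: // UP flag: the user touched the authenticator
		return "", fmt.Errorf("user presence not asserted")
	case (count != 0 || cred.SignCount != 0) && count <= cred.SignCount:
		return "", fmt.Errorf("signature counter did not increase (replay or cloned authenticator)")
	case !ecdsa.VerifyASN1(cred.PubKey, toBeSigned(a.AuthData, a.ClientDataJSON), a.Signature):
		return "", fmt.Errorf("invalid signature")
	}
	cred.SignCount = count
	return cred.User, nil
}

// assert is a constructed stand-in for a CTAP authenticator answering a challenge for the page at origin.
func assert(priv *ecdsa.PrivateKey, count uint32, origin, challenge, credID string, handle []byte) Assertion {
	cdj, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	auth := append(rpIDHash[:], 0x01, byte(count>>24), byte(count>>16), byte(count>>8), byte(count)) // UP flag, then big-endian counter
	sig, _ := ecdsa.SignASN1(rand.Reader, priv, toBeSigned(auth, cdj))
	return Assertion{CredentialID: credID, UserHandle: handle, ClientDataJSON: cdj, AuthData: auth, Signature: sig}
}

// Scenarios runs the article's two flows plus three assertions the server must reject.
func Scenarios() map[string]string {
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	bobKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	store := map[string]*StoredCredential{
		"cred-alice": {User: "alice", PubKey: &aliceKey.PublicKey},                                // registered without a resident key
		"cred-bob":   {User: "bob", PubKey: &bobKey.PublicKey, UserHandle: []byte("handle-bob")}, // resident key; handle is constructed
	}
	res := map[string]string{}
	try := func(name, username, challenge string, a Assertion) {
		if user, err := verifyAssertion(store, username, challenge, a); err != nil {
			res[name] = "rejected: " + err.Error()
		} else {
			res[name] = "accepted as " + user
		}
	}
	ch := "constructed-challenge" // a real server issues a fresh random challenge for every ceremony
	stepUp := assert(aliceKey, 1, expectedOrigin, ch, "cred-alice", nil) // alice logged in with a password first
	try("step-up alice", "alice", ch, stepUp)
	try("replayed step-up", "alice", ch, stepUp) // the same counter value presented again
	try("username-less bob", "", ch, assert(bobKey, 1, expectedOrigin, ch, "cred-bob", []byte("handle-bob")))
	try("username-less alice", "", ch, assert(aliceKey, 2, expectedOrigin, ch, "cred-alice", nil))
	try("wrong hostname", "alice", ch, assert(aliceKey, 3, "https://mmfa.ibm.com", ch, "cred-alice", nil))
	return res
}
func main() { fmt.Println(Scenarios()) }
```

Run it with go run. The origin and rpIdHash comparison is the reason the hostname in the prerequisites has to resolve to the same name the relying party is configured with, and the user-handle branch is the server side of the “Require resident key” option: without a resident credential there is nothing in the assertion that names the account.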




This article briefly described the authentication scenarios using FIDO2/WebAuthn that ISAM 9.0.7.0 supports, along with the prerequisites and configuration steps. I hope this overview was useful to get started with FIDO2 in ISAM.
