GluuFederation / fido2

Fido2 server
MIT License

Apple iPhone / Mac Touch ID as a FIDO2 device for authentication #7

Closed maduvena closed 2 years ago

maduvena commented 3 years ago

Authenticate using the built-in biometric authenticators in an Apple device.

References -

  1. https://developer.apple.com/videos/play/wwdc2020/10670/
  2. https://github.com/webauthn4j/webauthn4j
  3. https://webkit.org/blog/11312/meet-face-id-and-touch-id-for-the-web/
maduvena commented 3 years ago

Enrollment

Fido2 Server - Steps for attestation:

  1. Verify |x5c| is a valid certificate chain starting from the |credCert| (the first certificate in x5c) to the Apple WebAuthn root certificate.
  2. Concatenate |authenticatorData| and |clientDataHash| to form |nonceToHash|.
  3. Perform SHA-256 hash of |nonceToHash| to produce |nonce|.
  4. Verify |nonce| matches the value of the extension with OID (1.2.840.113635.100.8.2) in |credCert|.
  5. Verify credential public key matches the Subject Public Key of |credCert|.

Client side - Enabling Apple Anonymous Attestation on Browser:

// challengeBuffer and userIdBuffer are Uint8Array values supplied by the server:
// the challenge is fresh per ceremony and the user id is an opaque user handle.
const options = {
    publicKey: {
        rp: { name: "example.com" },
        user: {
            name: "john.appleseed@example.com",
            id: userIdBuffer,
            displayName: "John Appleseed"
        },
        pubKeyCredParams: [ { type: "public-key", alg: -7 } ], // ES256
        challenge: challengeBuffer,
        authenticatorSelection: { authenticatorAttachment: "platform" }, // indicates the builtin authenticator TouchID
        attestation: "direct" // ask for the attestation statement; the default ("none") returns fmt "none" instead of "apple"
    }
};

// Safari requires user activation for this call; the returned credential's
// attestationObject carries the "apple" attestation statement the server verifies.
const publicKeyCredential = await navigator.credentials.create(options);

yackermann commented 3 years ago

https://medium.com/webauthnworks/webauthn-fido2-verifying-apple-anonymous-attestation-5eaff334c849