Currently in beta. Good for demos and prototypes, but not production ready.

Installation

NPM

git clone --recursive https://github.com/apowers313/fido2-server-demo
cd fido2-server-demo
npm install
npm start

Note: this has been developed and tested on MacOS X, and webauthn.org was running this server on Ubuntu Linux. It has not been tested on Windows -- please open issues for Windows bugs.

Note: this project uses async / await and requires node.js 7.6+. If you are running OpenSSH >1.1.0 (e.g. - Debian Buster), it requires node.js 10+.

Docker

There is also a Docker image available, which makes it much less likely that you will have configuration problems. Here are the instructions for using the Docker image.

• Install Docker for Windows or Docker for Mac or use one of the several other install options.
• run the command: docker run -d -p 8888:8888 -p 8443:8443 apowers313/fido2-server:prod-canary
• open https://localhost:8443

Configuration

Edit scm-config.json to change ports, domains, and certificate paths.

This a simple-component-manager configuration file where each component is replaceable with one of a similar type (logger, user data store, cert manager, etc.). More components and documentation will be forthcoming. For now, hopefully things like changing ports and certificate paths are fairly obvious.

Components

The following components are used for this server:

• component-fido2 (Also note that the core FIDO2 functionality is implemented in fido2-lib)
• component-uds-json
• component-certs
• component-web
• component-logger-winston

Bugs / Help / Contributing

If you find bugs or need help, open a GitHub issue. If you are so inspired, feel free to submit a pull request. Also feel free to just send a note saying that you're using the server and what you think of it -- it's nice to know when a project is being used.

You can also find me on Twitter at @apowers313.

Security Considerations

This server does a number of things that shouldn't be done in a real server. These are for demonstration purposes and will be phased out over the next couple months:

1. Attestation is not currently required to be verified. If an authenticator doesn't have attestation, the registration will still be successful and a warning message will be logged.
2. This allows both User Presence (UP) and User Verification (UV) to be used for first-factor authentication. Typically only UV should be used for first-factor authentication, but given that U2F tokens are going to be the most commonly available authenticator in the short term, this server still allows UP-only authenticators to behave in a password-less fashion.
3. User accounts are wide open -- the session is not currently checked for previous authentication, so anyone can add any authenticator to any username. This is great for demos (and inspired by demo.yubico.com/u2f) but not how things would work in the real world. This will change in the near future.

Sponsor

Note that while I used to be Technical Director for FIDO Alliance (and I am currently the Technical Advisor for FIDO Alliance), THIS PROJECT IS NOT ENDORSED OR SPONSORED BY FIDO ALLIANCE.

Work for this project is supported by my consulting company: WebAuthn Consulting.

Other FIDO2 / WebAuthn Projects

There are a number of other great FIDO2 and WebAuthn projects out there. I love all things FIDO2 and WebAuthn, so here's a list of other projects (Note: I'm not affiliated with any of these projects):

Open Source Servers

• Google / Java
• MasterCard / Java (Spring)
• Mozilla / JavaScript (Browser)
• FIDO Alliance / JavaScript
• cedarcode / Ruby
• abergs / .NET

Open Source Clients

• apowers313 / JavaScript (Browser)

Open Source CTAP2

• Yubico / C
• Yubico / Python

Open Access Servers

• Duo: webauthn.io
• Mozilla: webauthn.bin.coffee
• Yubico: demo.yubico.com/webauthn
• watahani: webauthn-tutorial-haniyama.now.sh

If your project isn't listed here and you would like it to be, drop me a note and I would be happy to add it.