Introduction
One of the biggest challenges in developing an Identity And Access Management solution like SimpleIdServer was choosing the best enrollment process for our mobile application.
Before explaining it, we must define what an Enrollment Process is.
Enrollment Process
In some scenarios, an application needs the consent of the end-user to obtain their personal information, such as their bank account, or to authorize a payment.
The standard OpenID Connect Client-Initiated Backchannel Authentication Flow exists to fulfill this need.
The Holder of personal information, for example, a bank, must be able to notify the end-user that a third party is trying to access their personal information.
Notifications are sent to mobile devices to obtain the consent of the end-users. Therefore, mobile devices must be known by the Holder to receive notifications.
We chose the Firebase Cloud Messaging tool to send push notifications to devices because it is the most widely used.
An Enrollment Process for the mobile application is needed to register the Firebase Token.
Now that we understand the necessity to implement an Enrollment Process, we must choose the best approach to implement it.
There are two approaches:
- Naive implementation, similar to a commercial product.
- Use standard security protocols like FIDO and pass the Firebase Token as metadata.
Naive implementation
Forgerock
Generate a QR Code with the following parameters.
Parameter | Description |
---|---|
userId | The ID of the user |
a | The authentication endpoint |
image | Image to display |
b | Hex code of the background color |
r | Registration endpoint |
s | Random shared |
c | Random challenge |
l | Load balancer cookie |
m | Message ID |
issuer | Name of the issuer |
Ping Identity
Generate a QR Code containing a unique pairing key code.
We did not opt for a naive approach due to security risks.
Instead, we selected the FIDO standard Protocol as it has been specifically designed for registering a user's device, such as a smartphone or security key.
Standard approach
CTAP2
FIDO CTAP enables an external and portable authenticator, such as a hardware security key, to interoperate with a client platform, such as a computer.
The following transports are supported:
- USB Human Interface Device (USB HID)
- Near Field Communication (NFC)
- Bluetooth Smart
- Bluetooth Low Energy Technology (BLE)
While attempting to implement CTAP2 in our mobile application, we encountered constraints with Android that prevented us from completing the development.
Protocol | Limitation |
---|---|
Bluetooth Smart | There is a strong dependency on the driver installed on the computer. If the Bluetooth HID driver is not installed, the computer is not discoverable by the smartphone. |
BLE | Android actively prevents non-system applications from implementing FIDO over BLE. |
Due to the issues encountered during development, we decided to choose U2F and bypass the different protocol transports, such as USB, Bluetooth, or BLE.
U2F
FIDO Universal 2nd Factor (U2F) is an open authentication standard that enhances and simplifies two-factor authentication by employing specialized USB or NFC devices.
Our mobile application utilizes public-key cryptography in accordance with the FIDO U2F Authentication standard. During device enrollment, the mobile application registers its public key with our FIDO U2F Endpoint and includes the Firebase token in the metadata. When authentication occurs, a challenge-response mechanism is employed to verify that the device possesses the corresponding private key.
SimpleIdServer's implementation
Our mobile enrollment process comprises the following steps:
- The mobile device scans the QR code, which contains the following parameters:
Parameter | Description |
---|---|
session_id | A unique session identifier created when the enrollment process starts. |
read_qrcode_url | The URL used by the mobile device to fetch the information necessary to generate an enrollment response. |
action | The type of action, with possible values being register or authentication. During enrollment, the action is set to register. |
- Information is retrieved from the read_qrcode_url, which includes the following data:
Parameter | Description |
---|---|
session_id | A unique session identifier created when the enrollment process begins. |
login | Login of the user |
credential_create_options | Includes a challenge to create a new credential |
end_register_url | URL called by the mobile application to finish the enrollment |
- The credential_create_options are used to construct an attestation response.
- The attestation response, along with the Firebase token and mobile information, is sent to the end_register_url.
- The private key used to generate the attestation response is stored in a database. The password required to access the database is secure and can only be accessed by the mobile application.
The mobile device is now enrolled and can receive push notifications from the Identity Provider.
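The challenge-response described in the U2F section and carried out by the enrollment steps above, as an added Go example that is not SimpleIdServer's own code: the server issues a fresh challenge per session, the mobile side signs it with a locally generated P-256 key and attaches the Firebase token, and the end_register_url side accepts the key and token only once and only after the signature verifies. All type and function names are assumptions; real U2F registration data also covers the application parameter and key handle, which is omitted here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)
// Session is server-side state keyed by session_id (hypothetical names, not SimpleIdServer's own).
type Session struct {
	Challenge       []byte // the value carried in credential_create_options
	Login, FCMToken string
	PubKey          *ecdsa.PublicKey // nil until the device is enrolled
}
// Attestation is what the mobile app posts to end_register_url.
type Attestation struct {
	PubKey    *ecdsa.PublicKey
	Signature []byte // ECDSA P-256 over SHA-256(challenge)
	FCMToken  string // Firebase token passed as metadata
}
// StartEnrollment creates the session exposed through read_qrcode_url with a fresh challenge.
func StartEnrollment(login string) *Session {
	s := &Session{Challenge: make([]byte, 32), Login: login}
	rand.Read(s.Challenge)
	return s
}
// NewDeviceKey is the per-device P-256 key the app generates and keeps locally.
func NewDeviceKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }
// Attest (mobile side) proves possession of the device key by signing the challenge.
func Attest(priv *ecdsa.PrivateKey, challenge []byte, fcmToken string) (*Attestation, error) {
	d := sha256.Sum256(challenge)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, d[:])
	if err != nil {
		return nil, err
	}
	return &Attestation{PubKey: &priv.PublicKey, Signature: sig, FCMToken: fcmToken}, nil
}
// EndRegister (server side of end_register_url): single use, token stored only after the signature verifies.
func EndRegister(s *Session, a *Attestation) error {
	if s.PubKey != nil {
		return errors.New("session already consumed")
	}
	d := sha256.Sum256(s.Challenge)
	if a == nil || a.PubKey == nil || !ecdsa.VerifyASN1(a.PubKey, d[:], a.Signature) {
		return errors.New("challenge signature invalid")
	}
	s.PubKey, s.FCMToken = a.PubKey, a.FCMToken
	return nil
}
```

Because the signature is bound to this session's random challenge, an attestation replayed against the same session or posted to a different session is rejected, and so is one whose claimed public key does not match the key that signed.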
Conclusion
U2F is the best choice for implementing your enrollment process for several reasons:
- Enhanced Security: U2F adheres to the FIDO Security Standard, providing a higher level of security and preventing various attacks, including Man-in-the-Middle attacks.
- Streamlined Connectivity: U2F bypasses the need for specific transports like USB, BLE, or Bluetooth, allowing direct utilization of the API.