Skip to main content

One post tagged with "enrollment"

View All Tags

· 5 min read
SimpleIdServer

Introduction

One of the biggest challenges in developing an Identity And Access Management solution like SimpleIdServer was choosing the best enrollment process for our mobile application.

Before explaining it, we must define what an Enrollment Process is.

Enrollment Process

In some scenarios, an application needs the consent of the end-user to obtain their personal information, such as their bank account, or to authorize a payment.

The standard OpenID Connect Client-Initiated Backchannel Authentication Flow exists to fulfill this need.

The Holder of personal information, for example, a bank, must be able to notify the end-user that a third party is trying to access their personal information.

Notifications are sent to mobile devices to obtain the consent of the end-users. Therefore, mobile devices must be known by the Holder to receive notifications.

We chose Firebase Cloud Messaging tool to send push notifications to devices because it is the most widely used.

An Enrollment Process for the mobile application is needed to register the Firebase Token.

Now that we understand the necessity to implement an Enrollment Process, we must choose the best approach to implement it.

There are two approaches :

  • Naive implementation, similar to a commercial product.
  • Use standard security protocols like FIDO and pass the Firebase Token as metadata.

Naive implementation

Forgerock

Generate a QR Code with the following parameters.

ParameterDescription
userIdThe ID of the user
aThe authentication endpoint
imageImage to display
bHex code of the background color
rRegistration endpoint
sRandom shared
cRandom challenge
lLoad balancer cookie
mMessage ID
issuerName of the issuer

Ping Identity

Generate a QR Code containing a unique pairing key code.

We did not opt for a naive approach due to security risks.

Instead, we selected the FIDO standard Protocol as it has been specifically designed for registering a user's device, such as a smartphone or security key.

Standard approach

CTAP2

FIDO CTAP enables an external and portable authenticator, such as a hardware security key, to interoperate with a client platform, such as a computer.

The following transports are supported :

  • USB Human Interface Device (USB HID)
  • Near Field Communication (NFC)
  • Bluetooth Smart
  • Bluetooth Low Energy Technology (BLE)

While attempting to implement CTAP2 in our mobile application, we encountered constraints with Android that prevented us from completing the development.

ProtocolLimitation
Bluetooth SmartThere is a strong dependency on the driver installed on the computer. If the driver Bluetooth HID is not installed, the computer is not discoverable by the smartphone.
BLEAndroid actively prevents the implementation of a FIDO over BLE for non system application.

Due to the issues encountered during development, we decided to choose U2F and bypass the different protocol transports, such as USB, Bluetooth, BLE, etc

U2F

FIDO Universal 2nd Factor (U2F) is an open authentication standard that enhances and simplifies two-factor authentication by employing specialized USB or NFC devices.

Our mobile application utilizes public-key encryption in accordance with the FIDO U2F Authentication standard. During device enrollment, the mobile application registers its public key with our FIDO U2F Endpoint and includes the Firebase token in the metadata. When authentication occurs, a challenge-response mechanism is employed to verify that the device possesses the corresponding key.

SimpleIdServer's implementation

Our mobile enrollment process comprises the following steps:

  1. The mobile device scans the QR code, which contains the following parameters:
ParameterDescription
session_idA unique session identifier created when the enrollment process starts.
read_qrcode_urlThe URL used by the mobile device to fetch the information necessary to generate an enrollment response.
actionThe type of action, with possible values being register or authentication. During enrollment, the action is set to register.
  1. Information is retrieved from the read_qrcode_url, which includes the following data:
ParameterDescription
session_idA unique session identifier created when the enrollment process begins.
loginLogin of the user
credential_create_optionsIncludes a challenge to create a new credential
end_register_urlURL called by the mobile application to finish the enrollment
  1. The credential_create_options are used to construct an attestation response.
  2. The attestation response, along with the Firebase token and mobile information, is sent to the end_register_url.
  3. The private key used to generate the attestation response is stored in a database. The password required to access the database is secure and can only be accessed by the mobile application.

The mobile device is now enrolled and can receive push notifications from the Identity Provider.

Conclusion

U2F is the best choice for implementing your enrollment process for several reasons :

  • Enhanced Security: U2F adheres to the FIDO Security Standard, providing a higher level of security and preventing various attacks, including Man-in-the-Middle attacks.
  • Streamlined Connectivity: U2F bypasses the need for specific transports like USB, BLE, or Bluetooth, allowing direct utilization of the API.