
Usernameless Authentication

Description

A user is trying to access a web application, for example an e-banking application, which requires authentication. The user must provide the required authentication with a FIDO2 capable authenticator. Furthermore, the web application is protected by Nevis (notably nevisProxy and nevisAuth).

Prerequisites

  • The user's device and browser must support FIDO2.
  • The user already has existing FIDO2 credentials which can be used to authenticate.

Discoverable credentials

An additional requirement for usernameless authentication is that a discoverable credential has been created on the client-side during the registration ceremony.

note

Discoverable credentials mean that the authenticator stores the created credential locally. The private key of such a credential is referred to as a resident key, because it resides on the authenticator built into or attached to the device. The creation of such a credential is ensured by setting the residentKey = "required" option during the registration ceremony. If no such credential is created, the credential has to be stored on the server side for the user and handed back to the authenticator (in the allowCredentials list) when authentication starts. In the usernameless authentication use case, however, the server does not know the user's identity at that point, so it cannot look up and supply the user's credentials: no credentials means no authentication.

Example

  1. The user opens the browser to connect to a web application.
  2. The browser attempts to connect to a web application protected by Nevis.
  3. Nevis detects that the user is not authenticated.
  4. The browser sends usernameless login information to the Nevis backend.
  5. Nevis asks the user to provide FIDO2 authentication using one of their discoverable credentials.
  6. The user selects one of their discoverable credentials and authenticates using the FIDO2 authenticator available on their device.
  7. The signed FIDO2 assertion is sent to the Nevis backend for validation.
  8. The assertion contains user-related information and cryptographic material, which Nevis uses to identify and authenticate the previously unknown user.
  9. The user is now logged in and able to access the web application.

(Figure: FIDO2 Authentication Example)

Integrate

The technical flow as well as the integration of usernameless authentication is the same as for FIDO2 Authentication, with two notable exceptions:

  1. Discoverable credentials are required. Their presence is ensured by enforcing that the ServerPublicKeyCredentialCreateOptionsRequest the FIDO2 Registration Client Javascript sends to nevisFIDO during registration contains residentKey: "required" (under authenticatorSelection). This forces the authenticator either to create the credential on the client side or to abort the registration.

  2. The authenticate(username) method of the FIDO2 Authentication Client Javascript must be called with an empty string ("") as the username. The identity of the authenticated user is then available from the Status Service of nevisFIDO. Accessing this endpoint requires the fido2SessionId, which is returned in the ServerPublicKeyCredentialGetOptionsResponse (the reply to the ServerPublicKeyCredentialGetOptionsRequest) that the FIDO2 Authentication Client Javascript receives when authentication starts.

    Endpoint: https://<nevisProxy-host>:<nevisProxy-port>/nevisfido/fido2/status

    Reference: nevisFIDO Reference Guide
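The two integration points above, together with the note on discoverable credentials, as an added example that is not Nevis code and not the FIDO2 client Javascript this page refers to: it builds the registration request that forces a discoverable credential, the usernameless assertion options (empty username, no allowCredentials), and shows how the server side identifies the user from the assertion's userHandle. Assumed for the example: the field layout of the FIDO conformance-server API that the ServerPublicKeyCredential* messages follow, the relying-party ID bank.example, the function names, and the in-memory credential table and sample assertion, which are constructed here. It runs under Node.js.

```javascript
// Added example (not Nevis or nevisFIDO code). Illustrates the two integration
// points for usernameless authentication: a registration request that forces a
// discoverable credential, and a usernameless assertion where the server learns
// who the user is only from the returned assertion. Field layout follows the
// FIDO conformance-server API (ServerPublicKeyCredential*Request/Response);
// function names, the RP ID and all sample data are constructed for this
// example. Runs under Node.js (Buffer handles base64url); in a browser, swap in
// atob/TextEncoder for the decoding helper.

const RP_ID = 'bank.example'; // assumed relying-party ID

// WebAuthn server APIs carry binary fields (challenge, credential IDs, userHandle)
// base64url-encoded, while navigator.credentials expects raw bytes.
function fromBase64url(str) {
  return Buffer.from(str, 'base64url');
}

// 1. Registration: ServerPublicKeyCredentialCreateOptionsRequest that forces a
//    discoverable credential. residentKey: "required" makes the authenticator
//    keep the private key on the device or abort; requireResidentKey: true is
//    the WebAuthn Level 1 spelling of the same thing, kept for older clients.
function buildCreateOptionsRequest(username, displayName) {
  return {
    username,
    displayName,
    authenticatorSelection: {
      residentKey: 'required',
      requireResidentKey: true,
      userVerification: 'required',
    },
    attestation: 'none',
  };
}

// Check before sending: "preferred" or a missing residentKey would silently let
// a non-discoverable credential through, which later breaks usernameless login.
function requestsDiscoverableCredential(request) {
  const sel = request.authenticatorSelection || {};
  return sel.residentKey === 'required';
}

// 2. Authentication: the usernameless ServerPublicKeyCredentialGetOptionsRequest
//    carries an empty username, the equivalent of calling authenticate("").
function buildUsernamelessGetOptionsRequest() {
  return { username: '', userVerification: 'required' };
}

// Converts the server's GetOptions response into the argument for
// navigator.credentials.get(). Because the server could not name the user, the
// response has no allowCredentials; leaving the list out is what lets the
// authenticator offer every discoverable credential it holds for RP_ID.
function toRequestOptions(serverOptions) {
  const allow = (serverOptions.allowCredentials || []).map((c) => ({
    type: c.type,
    id: fromBase64url(c.id),
    transports: c.transports,
  }));
  const publicKey = {
    challenge: fromBase64url(serverOptions.challenge),
    rpId: serverOptions.rpId || RP_ID,
    timeout: serverOptions.timeout,
    userVerification: serverOptions.userVerification,
  };
  if (allow.length > 0) publicKey.allowCredentials = allow;
  return { publicKey };
}

// Constructed server-side credential table (credential ID -> owner). In a real
// deployment nevisFIDO holds this; it is here only to show the lookup.
const CREDENTIAL_STORE = {
  Q3JlZFRlc3RJZA: { userHandle: 'dXNlci0xMjM', username: 'alice' },
};

// Constructed assertion as the browser would hand it back (base64url fields;
// signature and authenticator data are placeholders, not real values).
const SAMPLE_ASSERTION = {
  id: 'Q3JlZFRlc3RJZA',
  type: 'public-key',
  response: {
    clientDataJSON: 'e30',
    authenticatorData: 'AAAA',
    signature: 'AAAA',
    userHandle: 'dXNlci0xMjM', // present only for discoverable credentials
  },
};

// Server side of step 8 of the flow: identify the previously unknown user from
// the assertion. Signature verification is nevisFIDO's job and not repeated here.
function identifyFromAssertion(assertion, store = CREDENTIAL_STORE) {
  const handle = assertion.response && assertion.response.userHandle;
  if (!handle) {
    throw new Error('no userHandle in assertion: credential is not discoverable');
  }
  const record = store[assertion.id];
  if (!record) throw new Error('unknown credential ID');
  if (record.userHandle !== handle) {
    throw new Error('userHandle does not match the registered owner');
  }
  return record.username;
}

console.log(JSON.stringify(buildCreateOptionsRequest('alice', 'Alice')));
console.log(toRequestOptions({ challenge: 'AAEC', rpId: RP_ID }));
console.log('authenticated user:', identifyFromAssertion(SAMPLE_ASSERTION));
```

The check in requestsDiscoverableCredential is the one worth wiring into the code that drives the FIDO2 Registration Client Javascript: a registration that went through with residentKey "preferred" looks successful, but the resulting credential may not be offered by the authenticator when authenticate("") is later called.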