Term | Definition | Example |
--- | --- | --- |
In-band communication | Using the current channel. | A message is delivered through an already established and currently used HTTP communication channel. |
Out-of-band (OOB) communication | Using a channel other than the main communication channel. | A message is delivered via a dispatching channel (for example, as push notification, QR code, or link) instead of a currently used HTTP communication channel. |
Out-of-band authentication | Authentication done in an application separate from the application that requires it, with no direct communication between the two applications. | A web application for banking is accessed from a browser on a laptop. The web application handles the banking-related business logic but requires authentication by a dedicated Access App installed on a mobile device. |
In-band authentication | Authentication done within the same application that requires it. | A mobile banking application which does not require the installation of another application to handle the authentication. All required functionality is built into one application. |
Transaction confirmation | An operation in the FIDO protocol that allows a relying party to request that a FIDO Client display some information to the end user, and requires the user to authenticate locally to their FIDO Authenticator to confirm that information. This provides proof of possession of previously registered key material and an attestation of the confirmation back to the relying party. | A mobile banking application offers, among other capabilities, bank transfers. If the amount of a transfer exceeds a threshold, the user must confirm the transaction after authenticating. The confirmation message presented to the user includes the amount of the transaction. When the user confirms the transaction, the contents of the message (and thus the amount) are verified by the FIDO server. |
Access App | Dedicated native mobile app built to implement the FIDO UAF authentication, registration and deregistration capabilities. Optionally also implements transaction confirmation capabilities. | |
Business App | A business application end users interact with to conduct business with Nevis customers. | A mobile banking application which can be used to make payments. |
Relying Party | *"A web site or other entity that uses a FIDO protocol to directly authenticate users | |
FIDO | Fast Identity Online | |
FIDO UAF Client | A FIDO UAF Client implements the client side of the FIDO UAF protocols. | |
FIDO UAF Server | A FIDO UAF server implements the server side of the FIDO UAF protocols. | |
FIDO UAF Protocol | The FIDO UAF protocols carry FIDO UAF messages between user devices and Relying Parties. | |
FIDO Authenticator | A FIDO Authenticator is responsible for user verification and for maintaining the cryptographic material required for relying party authentication. | |
FIDO UAF Authenticator | A FIDO UAF Authenticator is a secure entity, connected to or housed within FIDO user devices, that can create key material associated to a Relying Party. The key can then be used to participate in FIDO UAF strong authentication protocols. | |
UAF | The FIDO protocol and family of authenticators which enable a service to offer its users flexible and interoperable authentication. This protocol allows the authentication to be triggered before the server knows the user. | |
Client TLS | A two-way TLS connection in which the client also needs a valid certificate (also known as two-way SSL). | |
Dispatch Target | Client identifier used in out-of-band message transmission. | A unique ID identifying an end user's physical mobile device. |
Dispatch Channel | Means by which the message is transmitted to the client. | Push (message), E-Mail, ... |
Dispatcher | A concrete component implementation tasked with sending an out-of-band message. | The Firebase Cloud Messaging Dispatcher (bound to the third-party Firebase Cloud Messaging service) |
Channel Linking | Channel linking describes the concept where a user is requested to visually confirm an out-of-band authentication. The user does so by comparing information shown in a web browser with information shown in the authentication client application. The purpose of channel linking is to verify the current channel/operation, preventing login attempts by a malicious second party (e.g., another user). | During authentication, the browser shows the characters "6A". The same characters are shown in the mobile application, allowing the user to "link" these two channels. |