Legacy or Mobile Authentication Based on the User Registration Status

Description

Not all registered users have the FIDO UAF credentials needed for mobile authentication. As a result, these users cannot perform mobile authentication. For usability and security reasons, explicitly asking users how they want to authenticate is not a good option: first, it requires an additional question and user interaction (usability). Furthermore, it is desirable to use FIDO UAF credentials whenever they are available, instead of a legacy and less secure approach (security).

Ideally, only users with no credentials other than legacy credentials should log in with these credentials. All other users must use their FIDO UAF credentials to authenticate. You can achieve this with the nevisIDM AuthStates IdmUserVerifyState and IdmCredStatusCheckState: The IdmUserVerifyState loads information about the user's credentials, and the IdmCredStatusCheckState allows different login flows depending on whether the user has FIDO UAF credentials.

info

The IdmCredStatusCheckState supports checking FIDO UAF credentials from nevisIDM version 2.73.1 onwards.

Configuration Example

The next figure shows a sample setup for authentication based on whether the user has FIDO UAF credentials or not. You can find the corresponding code snippet in "Nevis Component Configuration Examples".

The sample configuration uses the nevisIDM AuthState IdmUserVerifyState to load nevisIDM credential information into the authentication session (in the code snippet, the AuthState is named "FetchUser"). The next step in the authentication flow is the IdmCredStatusCheckState AuthState, which checks whether the user has any active nevisIDM FIDO UAF credentials (in the code snippet, the AuthState is named "CheckFidoCredential").

There are two possible outcomes of the check:

  • If FIDO UAF credentials are available, an AuthState of the type AuthGeneric is invoked (named SubmitOutOfBandParameters in the code snippet). This AuthState sets the values required by the OutOfBandFidoUafAuthState AuthState (which actually triggers the FIDO UAF authentication).
  • If no FIDO UAF credentials are available, an AuthState of the type TransformAttributes is invoked (named SetFidoUafNotFoundMessage in the code snippet). This AuthState overwrites the message set by the AuthState CheckFidoCredential, because this message is generic and might confuse the user. Next, the AuthState executes a transition to an AuthState that performs the relevant legacy authentication. In the code snippet, this legacy AuthState is called LegacyAuthState. Note that the code snippet does not include the contents of the LegacyAuthState: this could be any legacy authentication AuthState.

Figure: Flow for either legacy or mobile authentication

info

Instead of an OutOfBandFidoUafAuthState, you could use an in-band FidoUafAuthState, depending on whether in-band or out-of-band authentication is required. The code snippet referenced in this chapter uses an OutOfBandFidoUafAuthState.

Configuration Snippets

You will find example configuration snippets for all involved components in Nevis Component Configuration Examples.