Authenticators
Overall authenticator information
Authenticators are used in the context of FIDO UAF. For the purposes of this documentation, authenticators refer to the devices used for authentication, whereas authentication methods refer to the actual PIN-based or biometric means of authentication. Authenticators are responsible for user verification as well as maintaining the cryptographic material required for authentication. A FIDO UAF authentication method guarantees that a user is securely verified and authenticated.
FIDO UAF authenticators are fully specified by the FIDO Alliance.
The authentication methods provided by the Nevis Mobile Authentication SDK are:
- Application PIN authentication
- Biometric face Authentication (Android only)
- Android fingerprint authentication (Android only)
- TouchID authentication (iOS only)
- FaceID authentication (iOS only)
Any supported mobile devices integrating these software-based authentication methods can immediately provide FIDO authentication to users. No other hardware-based FIDO UAF authenticators are needed on the mobile device.
The authentication methods provided by the Nevis Mobile Authentication SDK share the following main functionalities and properties:
- Protection of key material
The key material is generated and stored securely by the authenticator.
- User verification
User verification is carried out in any FIDO UAF operation where the authenticator accesses the private key.
- Sign challenge
The signing of a challenge is an internal SDK process that comes into play during the authentication and transaction confirmation FIDO operations.
- One credential
An authenticator supports only one credential at a time. This means that a user can use one authenticator to authenticate only one account. In the FIDO context, the authenticators do not support the concept of the persona.
- First-factor bound authenticator
The authenticators are of type first-factor bound authenticator. For details, refer to the FIDO UAF specification.
- Surrogate basic attestation
Since the attestation key of software-based authenticators cannot be sufficiently protected, the authenticators support only surrogate basic attestation. This means that they are also called non-attested authenticators.
It is possible, and recommended by the FIDO Alliance, to register more than one authenticator.
An authenticator is the most critical security element, because it manipulates sensitive user data. Protecting it from attackers is crucial. For more information on how to protect an authenticator, see Security Considerations.
Available authentication methods
Application PIN
- Android
F1D0#0001 - iOS
F1D0#1001
The Application PIN authentication method ensures that only authorized users are allowed to use the key that is stored in the secure storage. An authorized user is a person who knows the correct PIN and provides it.
The Application PIN authentication method uses a PIN defined by the user during registration. The PIN is specific to this authenticator and is not bound to any specific FIDO registration. This means that a user does not necessarily need to define a new PIN for subsequent FIDO registrations on the same device. Once one is set, the PINs are completely independent.
The SDK manages the PIN: definition, validation and modification. During registration new PIN that matches the given format/policy must be provided. The operation fails if the PIN does not match the expected format. The Nevis Mobile Authentication SDK is responsible for validating the input format and storing the PIN in the secure storage.
The SDK is also responsible for carrying out user verification – that is, PIN verification. If the SDK can successfully match the PIN transferred by the mobile application, the SDK can then use the required private key in the FIDO operation.
It is the responsibility of the application to define and present the appropriate UI to the user to get the PIN value. The application is provided with a specific format to be used for the PIN and is expected to return the input values to the SDK.
This PIN is not the same as the one defined in the device system settings, that are used with the device lock screen. To use the device passcode to do authentication, refer to the device passcode authenticator.
Since the PIN is stored locally on the device, the user can change the PIN at any time, even if the device has no data connection to the backend.
To change the PIN of a user, the mobile application must obtain the following values to be passed to the SDK:
- The current PIN
- The new value
The current PIN is verified before the value is changed. The operation fails if the current PIN is wrong, or if the new value does not match the expected format.
On user verification, the only value that is required by the SDK is the current PIN entered by the user.
Brute force attack prevention
The PIN Authentication method is protected from brute force attacks. For details, see Brute force attack prevention in the Security Considerations chapter.
Android biometric
F1D0#0003
The Android biometric authentication method is available for Android OS versions with API level 29 (Android 10) or higher.
The authentication method makes use of the new Android biometrics APIs introduced with this API level.
The authentication method uses the biometric authentication method based on the device hardware capabilities. This means depending on the device model, either fingerprint scanning, facial recognition, or another biometric method supported by the API is offered to the user.
The Android biometric authenticator supports Class 2 and Class 3 biometric sensors. This is limited by the official Android API.
The Android Biometric authenticator will not show Face Authentication as an option for most devices, because currently only the face recognition biometric sensor of the Google Pixel devices is Class 3 and a handful of Samsung devices have Class 2 sensors (see Device Support for details).
Nevis recommends using this authentication method instead of the older Android fingerprint authentication method.
Device passcode
- Android
F1D0#0004 - iOS
F1D0#1004
The device passcode authentication method is available for all supported iOS versions and for Android 11 (API level 30) or higher.
The authentication method uses the device passcode used to lock the device. The device passcode is defined in the operating system and can be of different nature: PIN, password or gesture.
The authentication method relies on the operating system to perform the user interaction. So, contrary to what happens with the application PIN authenticator, there is no need to implement a UI for this authenticator.
Android fingerprint
F1D0#0002
The Android fingerprint authentication method relies on the Android FingerprintManager which was added in API level 23 (Android 6) and deprecated in API level 28 (Android 9).
This authentication method requires app developers to supply their own dialog or screen for the fingerprint prompt. This is a severe drawback.
Projects should always use the newer Android Biometric Authentication method which uses the BiometricPrompt API, as it uses a system-provided dialog when starting authentication. As devices have different types of biometric authentication, it is more practical to have a system-provided authentication dialog, since the method may vary by vendor and device.
Nevis recommends only using this Authentication method for supporting Android OS versions below Android 9. All newer Android OS versions should only offer the newer Android Biometric authentication method.
The overall capabilities and restrictions of the TouchID authentication method also apply for the Android Fingerprint authentication method.
TouchID
F1D0#1002
The fingerprint authentication method ensures that only an authorized user is able to access the key that is stored in the secure storage. An authorized user is a person who registered a fingerprint on the device.
It is possible for that more than one person to register their fingerprint on the device. In this case, the fingerprint authentication method cannot distinguish between these users, and any one of them is considered to be an authorized user.
The fingerprint authentication method uses the fingerprint managed by the operating system of the device, and does not store additional ones in the SDK. This authentication method is only available on devices with a fingerprint sensor.
Since the Nevis Mobile Authentication SDK does not directly manipulate biometric data, user enrolment takes place outside of the SDK. Similarly, user verification is triggered by the SDK but verification itself is carried out completely by the OS. The OS only informs the SDK if there is a match or not. The biometric data of the user never leaves the operating system of the device.
FaceID
F1D0#1003
The FaceID authentication method is only available on iOS devices that support FaceID. This authentication method behaves in a similar way to fingerprint authentication. FaceID authentication, like fingerprint authentication, uses the biometric capabilities of the device.
Device passcode fallback option
- Only available for iOS for all available biometric authentication methods.
- Only available for Android when running API level 30 (Android 11) or later with the biometric authenticator.
- Only available for new registrations created with SDK version 2.0.0 or higher.
From version 2.0.0 to 3.1.0, all biometric authentication methods are configured to enable the device passcode fallback option. From version 3.2.0, enabling it is optional. In case the biometric verification fails, the device can offer an alternative (fallback) way of verification to the user, which is entering the device passcode. Enabling this feature for existing registrations made with SDK versions prior to 2.0.0 is not possible. To use this feature, the aforementioned registrations have to be deregistered, and new ones have to be created using SDK version 2.0.0 or higher.
To configure this option, see Registration.allowDevicePasscodeAsFallbackjava, swift, objc, flutter, react native.
Authentication method security comparison
The authentication private key is a highly sensitive asset. To enable as much protection as possible, the asymmetric key pairs are stored in hardware-backed keystores. The authentication methods differ in the way they access the key in the keystore:
- Biometric authentication requires the user to scan their fingerprint, face or Iris. If there is a biometric credentials match, then the private key is unlocked to carry out the cryptographic operations.
- Application PIN authentication requires the user to provide a PIN. If there is a PIN match, then the private key is unlocked to carry out the cryptographic operations.
- Device passcode authentication requires the user to provide a PIN, password or gesture, depending on how the device lock is configured in the operating system. If there is a device passcode match, then the private key is unlocked to carry out the cryptographic operations.
The important difference related to security is where matching takes place:
- Application PIN authentication matching takes place in the Nevis Mobile Authentication SDK itself.
- Biometric and device passcode authentication matching is carried out in the secure part of the system.
Default Nevis Authenticator Metadata
The FIDO UAF metadata file contains a list of all supported authenticators and their corresponding Metadata.
The nevisFIDO server ignores any authenticators and halts all operations in relation to them, which do not have metadata data entries accessible for the server.
The following default metadata file is shipped with the nevisFIDO component as well as the nevisAdmin4 nevisFIDO UAF Instance pattern, the default value of this field represents the metadata required for nevisFIDO to be able to work with the Nevis Access App.
[
{
"aaid" : "F1D0#0001",
"description" : "Android NEVIS Mobile Authentication PIN Authenticator",
"assertionScheme" : "UAFV1TLV",
"attestationRootCertificates" : [],
"attestationTypes" : [ 15880 ],
"upv" : [ {
"major" : 1,
"minor" : 1
} ],
"userVerificationDetails" : [ [ {
"userVerification" : 4
} ] ],
"attachmentHint" : 1,
"authenticationAlgorithm" : 9,
"authenticatorVersion" : 1,
"isSecondFactorOnly" : false,
"keyProtection" : 1,
"matcherProtection" : 1,
"publicKeyAlgAndEncoding" : 256,
"tcDisplay" : 1,
"tcDisplayContentType" : "text/plain"
},
{
"aaid" : "F1D0#0002",
"description" : "Android NEVIS Mobile Authentication Fingerprint Authenticator",
"assertionScheme" : "UAFV1TLV",
"attestationRootCertificates" : [],
"attestationTypes" : [ 15880 ],
"upv" : [ {
"major" : 1,
"minor" : 1
} ],
"userVerificationDetails" : [ [ {
"userVerification" : 2
} ] ],
"attachmentHint" : 1,
"authenticationAlgorithm" : 9,
"authenticatorVersion" : 1,
"isSecondFactorOnly" : false,
"keyProtection" : 4,
"matcherProtection" : 2,
"publicKeyAlgAndEncoding" : 256,
"tcDisplay" : 1,
"tcDisplayContentType" : "text/plain"
},
{
"aaid" : "F1D0#0003",
"description" : "Android NEVIS Mobile Authentication Biometric Authenticator",
"assertionScheme" : "UAFV1TLV",
"attestationRootCertificates" : [],
"attestationTypes" : [ 15880 ],
"upv" : [ {
"major" : 1,
"minor" : 1
} ],
"userVerificationDetails" : [ [ {
"userVerification" : 346
} ] ],
"attachmentHint" : 1,
"authenticationAlgorithm" : 9,
"authenticatorVersion" : 1,
"isSecondFactorOnly" : false,
"keyProtection" : 4,
"matcherProtection" : 2,
"publicKeyAlgAndEncoding" : 256,
"tcDisplay" : 1,
"tcDisplayContentType" : "text/plain"
},
{
"aaid" : "F1D0#0004",
"description" : "Android NEVIS Mobile Authentication Device Passcode Authenticator",
"assertionScheme" : "UAFV1TLV",
"attestationRootCertificates" : [],
"attestationTypes" : [ 15880 ],
"upv" : [ {
"major" : 1,
"minor" : 1
} ],
"userVerificationDetails" : [ [ {
"userVerification" : 132
} ] ],
"attachmentHint" : 1,
"authenticationAlgorithm" : 9,
"authenticatorVersion" : 1,
"isSecondFactorOnly" : false,
"keyProtection" : 4,
"matcherProtection" : 2,
"publicKeyAlgAndEncoding" : 259,
"tcDisplay" : 1,
"tcDisplayContentType" : "text/plain"
},
{
"aaid" : "F1D0#1001",
"description" : "iOS NEVIS Mobile Authentication PIN Authenticator",
"assertionScheme" : "UAFV1TLV",
"attestationRootCertificates" : [],
"attestationTypes" : [ 15880 ],
"upv" : [ {
"major" : 1,
"minor" : 1
} ],
"userVerificationDetails" : [ [ {
"userVerification" : 4
} ] ],
"attachmentHint" : 1,
"authenticationAlgorithm" : 2,
"authenticatorVersion" : 1,
"isSecondFactorOnly" : false,
"keyProtection" : 1,
"matcherProtection" : 1,
"publicKeyAlgAndEncoding" : 257,
"tcDisplay" : 1,
"tcDisplayContentType" : "text/plain"
},
{
"aaid" : "F1D0#1002",
"description" : "iOS NEVIS Mobile Authentication Fingerprint Authenticator",
"assertionScheme" : "UAFV1TLV",
"attestationRootCertificates" : [],
"attestationTypes" : [ 15880 ],
"upv" : [ {
"major" : 1,
"minor" : 1
} ],
"userVerificationDetails" : [ [ {
"userVerification" : 2
} ] ],
"attachmentHint" : 1,
"authenticationAlgorithm" : 2,
"authenticatorVersion" : 1,
"isSecondFactorOnly" : false,
"keyProtection" : 6,
"matcherProtection" : 2,
"publicKeyAlgAndEncoding" : 257,
"tcDisplay" : 1,
"tcDisplayContentType" : "text/plain"
},
{
"aaid" : "F1D0#1003",
"description" : "iOS NEVIS Mobile Authentication Face Recognition Authenticator",
"assertionScheme" : "UAFV1TLV",
"attestationRootCertificates" : [],
"attestationTypes" : [ 15880 ],
"upv" : [ {
"major" : 1,
"minor" : 1
} ],
"userVerificationDetails" : [ [ {
"userVerification" : 16
} ] ],
"attachmentHint" : 1,
"authenticationAlgorithm" : 2,
"authenticatorVersion" : 1,
"isSecondFactorOnly" : false,
"keyProtection" : 6,
"matcherProtection" : 2,
"publicKeyAlgAndEncoding" : 257,
"tcDisplay" : 1,
"tcDisplayContentType" : "text/plain"
},
{
"aaid" : "F1D0#1004",
"description" : "iOS NEVIS Mobile Authentication Device Passcode Authenticator",
"assertionScheme" : "UAFV1TLV",
"attestationRootCertificates" : [],
"attestationTypes" : [ 15880 ],
"upv" : [ {
"major" : 1,
"minor" : 1
} ],
"userVerificationDetails" : [ [ {
"userVerification" : 4
} ] ],
"attachmentHint" : 1,
"authenticationAlgorithm" : 2,
"authenticatorVersion" : 1,
"isSecondFactorOnly" : false,
"keyProtection" : 6,
"matcherProtection" : 2,
"publicKeyAlgAndEncoding" : 257,
"tcDisplay" : 1,
"tcDisplayContentType" : "text/plain"
}
]