Version: 2.8.x.x RR

Authenticators

Available authentication methods

Application PIN

Authenticator Attestation ID (AAID)
  • Android F1D0#0001
  • iOS F1D0#1001

The Application PIN authentication method ensures that only authorized users are allowed to use the key that is stored in the secure storage. An authorized user is a person who knows the correct PIN and provides it.

The Application PIN authentication method uses a PIN defined by the user during registration. The PIN is specific to this authenticator and is not bound to any specific FIDO registration. This means that a user does not necessarily need to define a new PIN for subsequent FIDO registrations on the same device: once one is set, it is reused, and the PIN remains completely independent of the individual FIDO registrations.

The SDK manages the PIN: definition, validation and modification. During registration, a new PIN that matches the given format/policy must be provided. The operation fails if the PIN does not match the expected format. The Nevis Mobile Authentication SDK is responsible for validating the input format and storing the PIN in the secure storage.

The SDK is also responsible for carrying out user verification – that is, PIN verification. If the SDK can successfully match the PIN transferred by the mobile application, the SDK can then use the required private key in the FIDO operation.

It is the responsibility of the application to define and present the appropriate UI to the user to get the PIN value. The application is provided with a specific format to be used for the PIN and is expected to return the input values to the SDK.

info

This PIN is not the same as the one defined in the device system settings, which is used with the device lock screen. To authenticate with the device passcode instead, refer to the device passcode authenticator.

Changing the PIN

Since the PIN is stored locally on the device, the user can change the PIN at any time, even if the device has no data connection to the backend.

To change the PIN of a user, the mobile application must obtain the following values to be passed to the SDK:

  1. The current PIN
  2. The new value

The current PIN is verified before the value is changed. The operation fails if the current PIN is wrong, or if the new value does not match the expected format.

On user verification, the only value that is required by the SDK is the current PIN entered by the user.

Brute force attack prevention

The PIN Authentication method is protected from brute force attacks. For details, see Brute force attack prevention in the Security Considerations chapter.

Android biometric

Authenticator Attestation ID (AAID)

F1D0#0003

The Android biometric authentication method is available for Android OS versions with API level 29 (Android 10) or higher.

The authentication method makes use of the new Android biometrics APIs introduced with this API level.

The authentication method uses the biometric authentication method based on the device hardware capabilities. This means depending on the device model, either fingerprint scanning, facial recognition, or another biometric method supported by the API is offered to the user.

Authentication with facial recognition

The Android biometric authenticator supports Class 2 and Class 3 biometric sensors. This is limited by the official Android API.

The Android Biometric authenticator will not show Face Authentication as an option for most devices, because currently only the face recognition biometric sensor of the Google Pixel devices is Class 3 and a handful of Samsung devices have Class 2 sensors (see Device Support for details).

info

Nevis recommends using this authentication method instead of the older Android fingerprint authentication method.

Android fingerprint

Authenticator Attestation ID (AAID)

F1D0#0002

The Android fingerprint authentication method relies on the Android FingerprintManager which was added in API level 23 (Android 6) and deprecated in API level 28 (Android 9).

This authentication method requires app developers to supply their own dialog or screen for the fingerprint prompt. This is a severe drawback.

Projects should always use the newer Android Biometric Authentication method which uses the BiometricPrompt API, as it uses a system-provided dialog when starting authentication. As devices have different types of biometric authentication, it is more practical to have a system-provided authentication dialog, since the method may vary by vendor and device.

When to use the Android fingerprint authentication method

Nevis recommends only using this Authentication method for supporting Android OS versions below Android 9. All newer Android OS versions should only offer the newer Android Biometric authentication method.

The overall capabilities and restrictions of the TouchID authentication method also apply to the Android Fingerprint authentication method.

TouchID

Authenticator Attestation ID (AAID)

F1D0#1002

The fingerprint authentication method ensures that only an authorized user is able to access the key that is stored in the secure storage. An authorized user is a person who registered a fingerprint on the device.

Fingerprints on the devices

It is possible for more than one person to register their fingerprint on the device. In this case, the fingerprint authentication method cannot distinguish between these users, and any one of them is considered to be an authorized user.

The fingerprint authentication method uses the fingerprint managed by the operating system of the device, and does not store additional ones in the SDK. This authentication method is only available on devices with a fingerprint sensor.

info

Since the Nevis Mobile Authentication SDK does not directly manipulate biometric data, user enrolment takes place outside of the SDK. Similarly, user verification is triggered by the SDK but verification itself is carried out completely by the OS. The OS only informs the SDK if there is a match or not. The biometric data of the user never leaves the operating system of the device.

FaceID

Authenticator Attestation ID (AAID)

F1D0#1003

The FaceID authentication method is only available on iOS devices that support FaceID. This authentication method behaves in a similar way to fingerprint authentication. FaceID authentication, like fingerprint authentication, uses the biometric capabilities of the device.

Device passcode fallback option

Disclaimers
  • Only available for iOS for all available biometric authentication methods.
  • Only available for Android when running API level 30 (Android 11) or later with the biometric authenticator.
  • Only available for new registrations created with SDK version 2.0.0 or higher.

From version 2.0.0 to 3.1.0, all biometric authentication methods are configured to enable the device passcode fallback option. From version 3.2.0, enabling it is optional. In case the biometric verification fails, the device can offer an alternative (fallback) way of verification to the user, which is entering the device passcode. Enabling this feature for existing registrations made with SDK versions prior to 2.0.0 is not possible. To use this feature, the aforementioned registrations have to be deregistered, and new ones have to be created using SDK version 2.0.0 or higher.

To configure this option, see Registration.allowDevicePasscodeAsFallback (Java, Swift, Objective-C, Flutter, React Native).

Default Nevis Authenticator Metadata

The FIDO UAF metadata file contains a list of all supported authenticators and their corresponding Metadata.

The nevisFIDO server ignores any authenticator for which it cannot access a metadata entry, and halts all operations involving such an authenticator.

The following default metadata file is shipped with the nevisFIDO component as well as with the nevisAdmin4 nevisFIDO UAF Instance pattern. The default value of this field represents the metadata required for nevisFIDO to be able to work with the Nevis Access App.

[
  {
    "aaid" : "F1D0#0001",
    "description" : "Android NEVIS Mobile Authentication PIN Authenticator",
    "assertionScheme" : "UAFV1TLV",
    "attestationRootCertificates" : [],
    "attestationTypes" : [ 15880 ],
    "upv" : [ {
      "major" : 1,
      "minor" : 1
    } ],
    "userVerificationDetails" : [ [ {
      "userVerification" : 4
    } ] ],
    "attachmentHint" : 1,
    "authenticationAlgorithm" : 9,
    "authenticatorVersion" : 1,
    "isSecondFactorOnly" : false,
    "keyProtection" : 1,
    "matcherProtection" : 1,
    "publicKeyAlgAndEncoding" : 256,
    "tcDisplay" : 1,
    "tcDisplayContentType" : "text/plain"
  },
  {
    "aaid" : "F1D0#0002",
    "description" : "Android NEVIS Mobile Authentication Fingerprint Authenticator",
    "assertionScheme" : "UAFV1TLV",
    "attestationRootCertificates" : [],
    "attestationTypes" : [ 15880 ],
    "upv" : [ {
      "major" : 1,
      "minor" : 1
    } ],
    "userVerificationDetails" : [ [ {
      "userVerification" : 2
    } ] ],
    "attachmentHint" : 1,
    "authenticationAlgorithm" : 9,
    "authenticatorVersion" : 1,
    "isSecondFactorOnly" : false,
    "keyProtection" : 4,
    "matcherProtection" : 2,
    "publicKeyAlgAndEncoding" : 256,
    "tcDisplay" : 1,
    "tcDisplayContentType" : "text/plain"
  },
  {
    "aaid" : "F1D0#0003",
    "description" : "Android NEVIS Mobile Authentication Biometric Authenticator",
    "assertionScheme" : "UAFV1TLV",
    "attestationRootCertificates" : [],
    "attestationTypes" : [ 15880 ],
    "upv" : [ {
      "major" : 1,
      "minor" : 1
    } ],
    "userVerificationDetails" : [ [ {
      "userVerification" : 346
    } ] ],
    "attachmentHint" : 1,
    "authenticationAlgorithm" : 9,
    "authenticatorVersion" : 1,
    "isSecondFactorOnly" : false,
    "keyProtection" : 4,
    "matcherProtection" : 2,
    "publicKeyAlgAndEncoding" : 256,
    "tcDisplay" : 1,
    "tcDisplayContentType" : "text/plain"
  },
  {
    "aaid" : "F1D0#0004",
    "description" : "Android NEVIS Mobile Authentication Device Passcode Authenticator",
    "assertionScheme" : "UAFV1TLV",
    "attestationRootCertificates" : [],
    "attestationTypes" : [ 15880 ],
    "upv" : [ {
      "major" : 1,
      "minor" : 1
    } ],
    "userVerificationDetails" : [ [ {
      "userVerification" : 132
    } ] ],
    "attachmentHint" : 1,
    "authenticationAlgorithm" : 9,
    "authenticatorVersion" : 1,
    "isSecondFactorOnly" : false,
    "keyProtection" : 4,
    "matcherProtection" : 2,
    "publicKeyAlgAndEncoding" : 259,
    "tcDisplay" : 1,
    "tcDisplayContentType" : "text/plain"
  },
  {
    "aaid" : "F1D0#1001",
    "description" : "iOS NEVIS Mobile Authentication PIN Authenticator",
    "assertionScheme" : "UAFV1TLV",
    "attestationRootCertificates" : [],
    "attestationTypes" : [ 15880 ],
    "upv" : [ {
      "major" : 1,
      "minor" : 1
    } ],
    "userVerificationDetails" : [ [ {
      "userVerification" : 4
    } ] ],
    "attachmentHint" : 1,
    "authenticationAlgorithm" : 2,
    "authenticatorVersion" : 1,
    "isSecondFactorOnly" : false,
    "keyProtection" : 1,
    "matcherProtection" : 1,
    "publicKeyAlgAndEncoding" : 257,
    "tcDisplay" : 1,
    "tcDisplayContentType" : "text/plain"
  },
  {
    "aaid" : "F1D0#1002",
    "description" : "iOS NEVIS Mobile Authentication Fingerprint Authenticator",
    "assertionScheme" : "UAFV1TLV",
    "attestationRootCertificates" : [],
    "attestationTypes" : [ 15880 ],
    "upv" : [ {
      "major" : 1,
      "minor" : 1
    } ],
    "userVerificationDetails" : [ [ {
      "userVerification" : 2
    } ] ],
    "attachmentHint" : 1,
    "authenticationAlgorithm" : 2,
    "authenticatorVersion" : 1,
    "isSecondFactorOnly" : false,
    "keyProtection" : 6,
    "matcherProtection" : 2,
    "publicKeyAlgAndEncoding" : 257,
    "tcDisplay" : 1,
    "tcDisplayContentType" : "text/plain"
  },
  {
    "aaid" : "F1D0#1003",
    "description" : "iOS NEVIS Mobile Authentication Face Recognition Authenticator",
    "assertionScheme" : "UAFV1TLV",
    "attestationRootCertificates" : [],
    "attestationTypes" : [ 15880 ],
    "upv" : [ {
      "major" : 1,
      "minor" : 1
    } ],
    "userVerificationDetails" : [ [ {
      "userVerification" : 16
    } ] ],
    "attachmentHint" : 1,
    "authenticationAlgorithm" : 2,
    "authenticatorVersion" : 1,
    "isSecondFactorOnly" : false,
    "keyProtection" : 6,
    "matcherProtection" : 2,
    "publicKeyAlgAndEncoding" : 257,
    "tcDisplay" : 1,
    "tcDisplayContentType" : "text/plain"
  },
  {
    "aaid" : "F1D0#1004",
    "description" : "iOS NEVIS Mobile Authentication Device Passcode Authenticator",
    "assertionScheme" : "UAFV1TLV",
    "attestationRootCertificates" : [],
    "attestationTypes" : [ 15880 ],
    "upv" : [ {
      "major" : 1,
      "minor" : 1
    } ],
    "userVerificationDetails" : [ [ {
      "userVerification" : 4
    } ] ],
    "attachmentHint" : 1,
    "authenticationAlgorithm" : 2,
    "authenticatorVersion" : 1,
    "isSecondFactorOnly" : false,
    "keyProtection" : 6,
    "matcherProtection" : 2,
    "publicKeyAlgAndEncoding" : 257,
    "tcDisplay" : 1,
    "tcDisplayContentType" : "text/plain"
  }
]
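The numeric fields in the metadata file above are bitmasks and tags from the FIDO UAF Registry of Predefined Values, which is how "userVerification" : 346 encodes the set of biometric methods the Android biometric authenticator may offer and "keyProtection" : 4 encodes TEE-backed keys. The following Python is an added example, not Nevis code: it indexes a metadata file by AAID (so an AAID missing from the index is one the server would ignore), decodes the bitfields, and flags entries that are incomplete or inconsistent, such as full basic attestation declared without root certificates. The two-entry sample and the check rules are constructed for illustration; the registry constants are the standard UAF values.

```python
import json
import re

# Bit flags and tags from the FIDO UAF Registry of Predefined Values.
USER_VERIFY = {1: "PRESENCE", 2: "FINGERPRINT", 4: "PASSCODE", 8: "VOICEPRINT", 16: "FACEPRINT",
               32: "LOCATION", 64: "EYEPRINT", 128: "PATTERN", 256: "HANDPRINT", 512: "NONE", 1024: "ALL"}
KEY_PROTECTION = {1: "SOFTWARE", 2: "HARDWARE", 4: "TEE", 8: "SECURE_ELEMENT", 16: "REMOTE_HANDLE"}
MATCHER_PROTECTION = {1: "SOFTWARE", 2: "TEE", 4: "ON_CHIP"}
ATTESTATION_BASIC_FULL = 15879  # 15880 (basic surrogate) is self-signed and needs no root certificates
AAID_RE = re.compile(r"^[0-9A-F]{4}#[0-9A-F]{4}$")
REQUIRED = ("aaid", "assertionScheme", "attestationTypes", "upv",
            "userVerificationDetails", "keyProtection", "matcherProtection")

# Constructed sample with the PIN and biometric values from the file above.
SAMPLE_METADATA = json.dumps([
    {"aaid": "F1D0#0001", "assertionScheme": "UAFV1TLV", "attestationTypes": [15880],
     "upv": [{"major": 1, "minor": 1}], "userVerificationDetails": [[{"userVerification": 4}]],
     "keyProtection": 1, "matcherProtection": 1},
    {"aaid": "F1D0#0003", "assertionScheme": "UAFV1TLV", "attestationTypes": [15880],
     "upv": [{"major": 1, "minor": 1}], "userVerificationDetails": [[{"userVerification": 346}]],
     "keyProtection": 4, "matcherProtection": 2}])

def decode_flags(value, table):
    """Expand a bitmask into registry names; bits outside the registry are reported, not dropped."""
    names = [name for bit, name in sorted(table.items()) if value & bit]
    unknown = value & ~sum(table)
    return names + [f"UNKNOWN(0x{unknown:x})"] if unknown else names

def user_verification(entry):
    """userVerificationDetails: outer list = alternatives (OR), inner list = methods combined (AND)."""
    return [[decode_flags(m["userVerification"], USER_VERIFY) for m in alt]
            for alt in entry["userVerificationDetails"]]

def check_entry(entry):
    """List the problems that would make a metadata entry unusable or internally inconsistent."""
    problems = [f"missing {key}" for key in REQUIRED if key not in entry]
    aaid = entry.get("aaid", "")
    if not AAID_RE.match(aaid):
        problems.append(f"malformed aaid {aaid!r}")
    if ATTESTATION_BASIC_FULL in entry.get("attestationTypes", []) and not entry.get("attestationRootCertificates"):
        problems.append("basic full attestation declared without attestationRootCertificates")
    return problems

def load_metadata(text):
    """Index a metadata file by AAID; a duplicated AAID is treated as a configuration error."""
    index = {}
    for entry in json.loads(text):
        if entry["aaid"] in index:
            raise ValueError(f"duplicate aaid {entry['aaid']}")
        index[entry["aaid"]] = entry
    return index
```

Run load_metadata on the shipped file and look up each AAID your app registers with; any lookup that misses identifies an authenticator the server will not serve.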