Version: 2.8.x.x RR

Functional Adaptions of the FIDO UAF Specification

The Nevis Access App deviates from the FIDO UAF 1.1 specification in a few limited areas of its functionality. This chapter describes the differences, their consequences, and the reasons for choosing to deviate.

FacetID Calculation

The FIDO UAF 1.1 specification states that the Android FacetID must be calculated using SHA-1.

Nevis decided to implement and use SHA-256 for the hash calculation instead. This adaption was made because:

  • The usage of the deprecated SHA-1 is widely discouraged.
  • The successor of the FIDO UAF 1.1 specification, FIDO UAF 1.2, already allows the use of both SHA-1 and SHA-256.
  • This adaption has no influence on the Nevis Mobile Authentication Backend, which supports both SHA-1 and SHA-256 hashed FacetIDs.

Wildcard Facet IDs

Section 3.1.7.1, "Wildcards in TrustedFacet identifiers", of the official FIDO UAF 1.1 protocol specification describes wildcard facets as follows:

Wildcards are not supported in TrustedFacet identifiers.

As a consequence, when wildcard facets are configured, they introduce undesirable ambiguity in the definition of the principal.

The Nevis Mobile Authentication solution allows using wildcard facetIDs for Android and iOS apps for development purposes for the following reasons:

  • Using production facet IDs hampers early-stage development.
  • Wildcard facets also allow customers to have a "quick win" when using the Nevis Mobile Authentication example apps. They can be used for development and demo purposes but are not allowed in production environments.
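
The two deviations above (SHA-256 FacetIDs and development-only wildcard facets) can be checked together before a trusted-facet list goes to production. The following is an added example, not Nevis code: it derives the Android FacetID from a signing certificate with either hash and flags wildcard or malformed entries. The function names, the `*` wildcard syntax, the reuse of the `android:apk-key-hash:` prefix for SHA-256 values, and the sample certificate bytes are assumptions of this example.

```python
import base64
import hashlib

# FacetID prefix of the FIDO UAF 1.1 Android format. Reusing it unchanged for
# SHA-256 values is an assumption of this example.
PREFIX = "android:apk-key-hash:"
# Unpadded base64 length per digest: SHA-1 (20 bytes) -> 27, SHA-256 (32) -> 43.
HASH_BY_LENGTH = {27: "sha1", 43: "sha256"}
# Constructed placeholder standing in for a DER-encoded APK signing certificate.
SAMPLE_CERT_DER = b"constructed placeholder, not a real certificate"


def android_facet_id(cert_der: bytes, algorithm: str = "sha256") -> str:
    """Hash the DER-encoded signing certificate; base64 without '=' padding."""
    if algorithm not in ("sha1", "sha256"):
        raise ValueError(f"unsupported hash: {algorithm}")
    digest = hashlib.new(algorithm, cert_der).digest()
    return PREFIX + base64.b64encode(digest).decode("ascii").rstrip("=")


def classify_facet(facet: str) -> str:
    """Return 'wildcard', 'sha1', 'sha256', 'malformed' or 'other'."""
    if "*" in facet:  # assumed wildcard syntax: any entry containing '*'
        return "wildcard"
    if not facet.startswith("android:"):
        return "other"  # iOS and web facets are out of scope here
    value = facet[len(PREFIX):] if facet.startswith(PREFIX) else ""
    kind = HASH_BY_LENGTH.get(len(value), "malformed")
    try:
        base64.b64decode(value + "=", validate=True)
    except ValueError:
        return "malformed"
    return kind


def production_findings(trusted_facets):
    """Entries that should block a production rollout, with the reason."""
    reasons = {"wildcard": "wildcard facet, development and demo only",
               "malformed": "not a valid Android FacetID"}
    return [(f, reasons[k]) for f in trusted_facets
            if (k := classify_facet(f)) in reasons]


def is_trusted(cert_der: bytes, trusted_facets) -> bool:
    """Exact match on the SHA-1 or SHA-256 FacetID; wildcards never match."""
    candidates = {android_facet_id(cert_der, a) for a in ("sha1", "sha256")}
    return any(f in candidates for f in trusted_facets)
```

Entries classified as `sha1` are still accepted by `is_trusted`, mirroring a backend that supports both hashes; listing them separately shows which apps still rely on the deprecated digest.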