Legacy or Mobile Authentication Based on the User Registration Status
Not all registered users have the FIDO UAF credentials needed for mobile authentication. As a result, these users cannot perform mobile authentication. For usability and security reasons, explicitly asking users how they want to authenticate is not a good option: First, this requires an additional question and user interaction (usability). Second, it is desirable to use FIDO UAF credentials whenever they are available, instead of a legacy and less secure approach (security).
Ideally, only users with no credentials other than legacy credentials should log in with these credentials. All other users must use their FIDO UAF credentials to authenticate. You can achieve this with the nevisIDM AuthStates IdmUserVerifyState and IdmCredStatusCheckState: The IdmUserVerifyState loads information about the user's credentials, and the IdmCredStatusCheckState allows different login flows depending on whether the user has FIDO UAF credentials.
The IdmCredStatusCheckState supports checking FIDO UAF credentials from nevisIDM version 2.73.1 onwards.
The next figure shows a sample setup for an authentication based on whether the user has FIDO UAF credentials or not. You can find the corresponding code snippet in "NEVIS Component Configuration Examples".
The sample configuration uses the nevisIDM AuthState IdmUserVerifyState to load nevisIDM credential information into the authentication session (in the code snippet, the AuthState is named "FetchUser"). The next step in the authentication flow is the IdmCredStatusCheckState AuthState, which checks whether the user has any active nevisIDM FIDO UAF credentials - in the code snippet, the AuthState is named "CheckFidoCredential".
There are two possible outcomes of the check:
- If FIDO UAF credentials are available, an AuthState of the type AuthGeneric is invoked (named SubmitOutOfBandParameters in the code snippet). This AuthState sets the values required by the OutOfBandFidoUafAuthState AuthState (which actually triggers the FIDO UAF authentication).
- If no FIDO UAF credentials are available, an AuthState of the type TransformAttributes is invoked (named SetFidoUafNotFoundMessage in the code snippet). This AuthState overwrites the message set by the AuthState CheckFidoCredential, because this message is generic and might confuse the user. Next, the AuthState executes a transition to an AuthState that performs the relevant legacy authentication. In the code snippet, this legacy AuthState is called LegacyAuthState. Note that the code snippet does not include the contents of the LegacyAuthState: this could be any legacy authentication AuthState.
Instead of an OutOfBandFidoUafAuthState you could use an in-band FidoUafAuthState, depending on whether in-band or out-of-band is required. The code snippet referenced in this chapter uses an OutOfBandFidoUafAuthState.
To see the example configuration code snippet for this use case, refer to NEVIS Component Configuration Examples. There you find code snippets and use cases for all involved components.