Legacy or Mobile Authentication Based on the User Registration Status
Not all registered users have the FIDO UAF credentials required for mobile authentication, so these users cannot authenticate with FIDO UAF. Explicitly asking the user how they want to authenticate is not a good option, for both usability and security reasons: it requires an additional question and user interaction (usability), and FIDO UAF credentials should be used whenever they are available instead of a legacy, less secure method (security).
Ideally, only users who have no credentials other than legacy credentials should log in with those legacy credentials; all other users must authenticate with their FIDO UAF credentials. You can achieve this with the nevisIDM AuthStates IdmUserVerifyState and IdmCredStatusCheckState: IdmUserVerifyState loads information about the user's credentials into the authentication session, and IdmCredStatusCheckState branches into different login flows depending on whether the user has active FIDO UAF credentials.
IdmCredStatusCheckState supports checking FIDO UAF credentials from nevisIDM version 2.73.1 onwards.
The next figure shows a sample setup for an authentication flow that branches on whether or not the user has FIDO UAF credentials. You can find the corresponding code snippet in "NEVIS Component Configuration Examples".
The sample configuration uses the nevisIDM AuthState IdmUserVerifyState to load nevisIDM credential information into the authentication session (in the code snippet, this AuthState is named "FetchUser"). The next step in the authentication flow is the IdmCredStatusCheckState AuthState, which checks whether the user has any active nevisIDM FIDO UAF credentials (in the code snippet, this AuthState is named "CheckFidoCredential").
There are two possible outcomes of the check:
- If FIDO UAF credentials are available, an AuthState of the type AuthGeneric is invoked (named SubmitOutOfBandParameters in the code snippet). This AuthState sets the values required by the OutOfBandFidoUafAuthState AuthState, which actually triggers the FIDO UAF authentication.
- If no FIDO UAF credentials are available, an AuthState of the type TransformAttributes is invoked (named SetFidoUafNotFoundMessage in the code snippet). This AuthState overwrites the message set by the AuthState CheckFidoCredential, because that message is generic and might confuse the user. Next, the AuthState transitions to an AuthState that performs the relevant legacy authentication; in the code snippet, this legacy AuthState is called LegacyAuthState. Note that the code snippet does not include the contents of LegacyAuthState: this could be any legacy authentication AuthState.
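The routing logic described above, as an added Python model of the AuthState chain; this is an illustration written for this page, not nevisAuth configuration and not Nevis code. The AuthState names (FetchUser, CheckFidoCredential, SubmitOutOfBandParameters, SetFidoUafNotFoundMessage, OutOfBandFidoUafAuthState, LegacyAuthState) are taken from the text; the credential record layout, the credential states, the outcome names ("ok", "failed", "found", "notFound"), the AuthError state, the out-of-band parameters and the message texts are assumptions made for this model. The sample user store is constructed. The point the model makes explicit is that only an *active* FIDO UAF credential routes the user to the out-of-band path: a disabled or expired FIDO UAF credential falls back to legacy login without ever asking the user.

```python
"""Model of the FIDO UAF-or-legacy routing described in the text.

Added illustration only: not nevisAuth configuration and not Nevis code.
AuthState names come from the text; everything else is an assumption.
"""
from dataclasses import dataclass, field
from datetime import date
from typing import Optional

FIDO_UAF = "FIDO_UAF"


@dataclass(frozen=True)
class Credential:
    kind: str                        # e.g. "FIDO_UAF" or "PASSWORD" (assumed kinds)
    state: str                       # "active" or "disabled" (assumed states)
    valid_to: Optional[date] = None  # None means no expiry


@dataclass
class Session:
    user: str
    credentials: list = field(default_factory=list)
    message: str = ""
    oob_params: dict = field(default_factory=dict)
    trace: list = field(default_factory=list)   # AuthStates visited, in order


# Constructed sample data standing in for the nevisIDM user store.
USER_STORE = {
    "alice": [Credential("PASSWORD", "active"), Credential(FIDO_UAF, "active")],
    "bob":   [Credential("PASSWORD", "active")],
    "carol": [Credential("PASSWORD", "active"), Credential(FIDO_UAF, "disabled")],
    "dave":  [Credential("PASSWORD", "active"),
              Credential(FIDO_UAF, "active", valid_to=date(2020, 1, 1))],
}


def is_active(cred: Credential, today: date) -> bool:
    """A credential counts only if it is enabled and not past its validity end."""
    return cred.state == "active" and (cred.valid_to is None or cred.valid_to >= today)


def fetch_user(session: Session, store: dict) -> str:
    """FetchUser (IdmUserVerifyState): load the user's credential info into the session."""
    session.trace.append("FetchUser")
    if session.user not in store:
        return "failed"
    session.credentials = list(store[session.user])
    return "ok"


def check_fido_credential(session: Session, today: date) -> str:
    """CheckFidoCredential (IdmCredStatusCheckState): any active FIDO UAF credential?"""
    session.trace.append("CheckFidoCredential")
    session.message = "credential status checked"      # generic message (assumed text)
    found = any(c.kind == FIDO_UAF and is_active(c, today) for c in session.credentials)
    return "found" if found else "notFound"


def submit_out_of_band_parameters(session: Session) -> str:
    """SubmitOutOfBandParameters (AuthGeneric): set what OutOfBandFidoUafAuthState needs."""
    session.trace.append("SubmitOutOfBandParameters")
    session.oob_params = {"user": session.user, "channel": "push"}  # assumed parameters
    return "ok"


def set_fido_uaf_not_found_message(session: Session) -> str:
    """SetFidoUafNotFoundMessage (TransformAttributes): overwrite the generic message."""
    session.trace.append("SetFidoUafNotFoundMessage")
    session.message = "No mobile credential registered, continuing with legacy login."
    return "ok"


def authenticate(user: str, store: dict = USER_STORE, today: Optional[date] = None) -> Session:
    """Run the chain; the last trace entry is the AuthState that performs authentication."""
    today = today or date.today()
    session = Session(user=user)
    if fetch_user(session, store) != "ok":
        session.trace.append("AuthError")              # assumed failure state
        return session
    if check_fido_credential(session, today) == "found":
        submit_out_of_band_parameters(session)
        session.trace.append("OutOfBandFidoUafAuthState")
    else:
        set_fido_uaf_not_found_message(session)
        session.trace.append("LegacyAuthState")
    return session


if __name__ == "__main__":
    for name in USER_STORE:
        result = authenticate(name)
        print(f"{name:6s} -> {' > '.join(result.trace)}")
```

Running the block prints one line per sample user: alice ends in OutOfBandFidoUafAuthState; bob (no FIDO UAF credential), carol (disabled) and dave (expired) all end in LegacyAuthState with the overwritten message, and an unknown user stops after FetchUser. When you translate this into a real nevisAuth configuration, the check in is_active is the part to get right: the text requires active credentials, so disabled or expired FIDO UAF credentials must not keep a user out of the legacy path.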
Instead of an OutOfBandFidoUafAuthState you could use an in-band FidoUafAuthState, depending on whether in-band or out-of-band authentication is required. The code snippet referenced in this chapter uses an
You will find example configuration snippets for all involved components in "NEVIS Component Configuration Examples".