Version: 8.2411.x.x RR

Failed login tracking

Apart from tracking the last successful login, nevisFIDO also updates the failed login information for both UAF and FIDO2 credentials. However, tracking failed login attempts is not always possible, and what constitutes a failed login attempt in the UAF and FIDO2 context is not always obvious.

Independent of the credential type:

  • The user and the credential must be known at the time of the (failed) login attempt, which requires the credential identifier (the nevisIDM extId) to be present.
  • An authentication attempt with a nevisIDM credential that is not in the active state results in an authentication failure.

UAF

Failed login attempts are tracked in step-up scenarios, where the user is already known at the time of authentication.

Authentication depends on successful verification of the UAF assertion that the client sends as part of the SendUafResponse. The following conditions lead to a failed login attempt:

  • The assertion scheme is not UAFV1TLV
  • The authenticator identifier (AAID) is present in neither the policy nor the metadata information
  • The authenticator version does not match the metadata information
  • The assertion algorithms do not match the metadata information
  • The authenticator's signCounter is lower than the value currently stored for the credential
  • The transaction hash does not match the server-side hash
  • The hash of the final challenge parameters (fcParams) does not match the server-side hash
  • The assertion's signature is invalid

For detailed information refer to the FIDO UAF server processing rules of the official specification.

FIDO2

Authentication depends on successful verification of the ServerAuthenticatorAssertionResponse sent by the client. The following conditions lead to a failed login attempt:

  • User verification or user presence was required, but the corresponding flag is not set in the assertion
  • The backup eligibility flag in the assertion does not match the capabilities recorded for the credential
  • The received challenge does not match the server-side challenge
  • The origin does not match the server-side configuration
  • The collectedClientData is not WebAuthn conformant
  • The signature (sig) is invalid
  • The attestedCredentialData is not present
  • The credentialId exceeds the allowed maximum size
  • A cross-origin request was attempted but is not allowed
  • The assertion extension OID is not present in the key
  • The authenticator's signCounter is lower than the value currently stored for the credential
  • The public key or signature algorithm is not accepted by the server
  • The credential used is not present in the allowedCredentials list
  • The token binding information does not match
  • The credential is not on the allow-list while fido2.metadata.allow-listing-enabled is set to true

For detailed information refer to the Authentication Assertion verification in the official specification.