Authentication Service Mechanism

The WebAuthn authentication ceremony (WebAuthn Ceremonies) is integrated into the Authentication Service through an authentication mechanism.

This provides out-of-the-box template pages for the authentication flow and allows the mechanism to be integrated into Context Based Access Policies.

Both step-up authentication and username-less authentication are supported by WebAuthn. However, username-less authentication is highly dependent on the authenticator and browser being used.

Prerequisites

Before the FIDO2/WebAuthn Authentication Mechanism can be configured, a relying party must be defined. See FIDO2 Configuration.

WebAuthn includes support for authentication with existing U2F registrations. Before U2F registrations can be used with the FIDO2/WebAuthn authentication mechanism, the registration data must be migrated. See U2F Migration.

Request Flow

When the FIDO2/WebAuthn mechanism is triggered, IBM Security Verify Access returns a pending page to the user. This allows IBM Security Verify Access to provide the options required to trigger the browser to prompt the user for their authenticator. Once the user completes the required user presence and optional user verification steps, the browser sends the assertion result back to IBM Security Verify Access with the following request:
POST /mga/sps/authsvc
{
   "StateId":"...",
   "operation": "verify",
   "id": "LFdoCFJTyB82ZzSJUHc-c72yraRc_1mPvGX8ToE8su39xX26Jcqd31LUkKOS36FIAWgWl6itMKqmDvruha6ywA",
   "rawId": "LFdoCFJTyB82ZzSJUHc-c72yraRc_1mPvGX8ToE8su39xX26Jcqd31LUkKOS36FIAWgWl6itMKqmDvruha6ywA",
   "authenticatorData": "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MBAAAAAA",
   "signature": "MEYCIQCv7EqsBRtf2E4o_BjzZfBwNpP8fLjd5y6TUOLWt5l9DQIhANiYig9newAJZYTzG1i5lwP-YQk9uXFnnDaHnr2yCKXL",
   "userHandle": "",
   "clientDataJSON": "eyJjaGFsbGVuZ2UiOiJ4ZGowQ0JmWDY5MnFzQVRweTBrTmM4NTMzSmR2ZExVcHFZUDh3RFRYX1pFIiwiY2xpZW50RXh0ZW5zaW9ucyI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIiwidHlwZSI6IndlYmF1dGhuLmdldCJ9",
   "type": "public-key"
}

IBM Security Verify Access validates the assertion result and either allows the user to continue as expected, or returns an error. Unlike the FIDO2 Server Endpoints, the relying party ID is not consumed from the address path, but instead is obtained from mechanism or policy level configuration.
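
The fields of the sample request above can be decoded to see what the validation step has to work with. The following Python code is an added example, not IBM Security Verify Access code: it decodes the sample's clientDataJSON and authenticatorData and applies the pre-signature checks defined by the WebAuthn specification. The relying party ID localhost, the allowed origin and the expected challenge are assumptions taken from decoding the sample, and signature verification is left out because the credential public key is not shown on this page.

```python
import base64
import hashlib
import json
import struct

# Values copied from the sample request on this page.
AUTHENTICATOR_DATA = "SZYN5YgOjGh0NBcPZHZgW4_krrmihjLHmVzzuoMdl2MBAAAAAA"
CLIENT_DATA_JSON = (
    "eyJjaGFsbGVuZ2UiOiJ4ZGowQ0JmWDY5MnFzQVRweTBrTmM4NTMzSmR2ZExVcHFZUDh3RFRYX1pFIiwiY2xpZW50RXh0ZW5zaW9uc"
    "yI6e30sImhhc2hBbGdvcml0aG0iOiJTSEEtMjU2Iiwib3JpZ2luIjoiaHR0cDovL2xvY2FsaG9zdDozMDAwIiwidHlwZSI6IndlYmF1dGhuLmdldCJ9"
)

def b64url_decode(value):
    """Decode unpadded base64url, the encoding used for the binary fields."""
    return base64.urlsafe_b64decode(value + "=" * (-len(value) % 4))

def parse_authenticator_data(raw):
    """Split authenticatorData: rpIdHash(32) | flags(1) | signCount(4, big-endian)."""
    if len(raw) < 37:
        raise ValueError("authenticatorData shorter than 37 bytes")
    flags, sign_count = struct.unpack(">BI", raw[32:37])
    return {"rp_id_hash": raw[:32], "user_present": bool(flags & 0x01),
            "user_verified": bool(flags & 0x04), "sign_count": sign_count}

def check_assertion(client_data_b64, auth_data_b64, rp_id, origins, challenge,
                    stored_count=0, require_uv=False):
    """Return the names of failed checks; an empty list means none failed."""
    client = json.loads(b64url_decode(client_data_b64))
    auth = parse_authenticator_data(b64url_decode(auth_data_b64))
    errors = []
    if client.get("type") != "webauthn.get":
        errors.append("type")
    if client.get("challenge") != challenge:        # challenge issued by the server
        errors.append("challenge")
    if client.get("origin") not in origins:         # origin reported by the browser
        errors.append("origin")
    # rp_id comes from server-side configuration, never from the request itself.
    if auth["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        errors.append("rpIdHash")
    if not auth["user_present"]:
        errors.append("userPresent")
    if require_uv and not auth["user_verified"]:
        errors.append("userVerified")
    # A counter that fails to advance past the stored value can indicate a cloned authenticator.
    if (auth["sign_count"] or stored_count) and auth["sign_count"] <= stored_count:
        errors.append("signCount")
    return errors
```

For the sample, authenticatorData decodes to the user-present flag set, the user-verified flag clear and a signature counter of 0, so a policy that requires user verification would not accept it.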

