U2F Migration
The WebAuthn specification includes backwards compatibility support for FIDO U2F. To allow previously registered U2F tokens to authenticate with the FIDO2/WebAuthn mechanisms and delegates, the U2F registration data must be migrated. Not all WebAuthn scenarios are supported as FIDO U2F authenticators are unable to store a user handle. IBM Security Verify Access offers two ways to migrate data using the U2F Migration section of the FIDO2 Configuration screen. Select...
AAC > Manage > FIDO2 Configuration > U2F Migration
- Manual migration in batches
- In this section, the number of unmigrated U2F registrations is displayed. An IBM Security Verify Access administrator can choose the batch size, and whether to migrate a single batch or all available batches.
- Auto-migration on use
- U2F registrations will be migrated when WebAuthn authentication is attempted. When auto-migration is enabled and a WebAuthn authentication flow is attempted, the server checks if a user has any WebAuthn registrations. If a user does not have WebAuthn registrations, the server checks if a user has any U2F registrations, and migrates any that it finds. The server then resumes the authentication flow.
New U2F Registrations
IBM Security Verify Access decides which HVDB table is used to store new U2F token registrations based on a number of factors. This applies only to new U2F tokens that are added by the FIDO Universal 2nd Factor mechanism.
- The mechanism checks whether the registration JSON request includes a parameter called legacyMode. If legacyMode is present and set to true, the new registration is stored in the U2F table.
- If legacyMode is not set to true, the mechanism checks whether Auto-migration on use is enabled for U2F Migration. If it is enabled, the new registration is stored in the FIDO table.
- If neither legacyMode nor Auto-migration on use is set to true, the mechanism checks for existing registrations in the two tables. New registrations are stored in the U2F table if tokens already exist in the U2F table and there are no registrations in the FIDO table. Otherwise, all new U2F registrations are stored in the FIDO table.
This enables an administrator to have complete control over which table is used to store new registrations, while also allowing existing systems that use U2F to continue as they were. If a U2F registration exists in the U2F table, it can only be used for authentication with the FIDO Universal 2nd Factor mechanism. If the U2F registration has been migrated to the FIDO table, or was stored in the FIDO table on creation because of the logic above, it can be used for authentication in both the FIDO Universal 2nd Factor mechanism and the FIDO2 WebAuthn Authenticator mechanism.
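The table-selection rules and the auto-migration-on-use check above, modelled as an added example (not IBM's implementation). The in-memory `store`, the function names and the registration records are assumptions for illustration; only the three rules and the migration trigger come from the text.

```python
import json

U2F_TABLE = "U2F"    # legacy table: usable only by the FIDO Universal 2nd Factor mechanism
FIDO_TABLE = "FIDO"  # usable by both the U2F mechanism and the FIDO2 WebAuthn mechanism


def select_table(registration_json: str, auto_migration_enabled: bool,
                 u2f_table_count: int, fido_table_count: int) -> str:
    """Return the HVDB table that receives a NEW U2F registration (assumed signature)."""
    request = json.loads(registration_json)
    # Rule 1: legacyMode present and true forces the legacy U2F table.
    # Accepting the string "true" as well as JSON true is an assumption.
    if request.get("legacyMode") in (True, "true"):
        return U2F_TABLE
    # Rule 2: auto-migration on use enabled -> new registrations go straight to FIDO.
    if auto_migration_enabled:
        return FIDO_TABLE
    # Rule 3: keep an existing U2F-only deployment on the U2F table; otherwise use FIDO.
    if u2f_table_count > 0 and fido_table_count == 0:
        return U2F_TABLE
    return FIDO_TABLE


def webauthn_authenticate(store: dict, user: str, auto_migration_enabled: bool):
    """Model the auto-migration-on-use step of a WebAuthn authentication attempt.

    store = {"U2F": {user: [registration, ...]}, "FIDO": {user: [...]}} (constructed).
    Returns (registrations usable by WebAuthn, whether a migration happened).
    """
    fido_regs = store[FIDO_TABLE].setdefault(user, [])
    migrated = False
    # Only when the user has no WebAuthn registrations are U2F ones looked up and migrated.
    if auto_migration_enabled and not fido_regs:
        u2f_regs = store[U2F_TABLE].pop(user, [])
        for reg in u2f_regs:
            # A U2F authenticator stores no user handle, so the migrated record has none;
            # flows that need a user handle (e.g. discoverable credentials) stay unsupported.
            fido_regs.append({**reg, "user_handle": None})
            migrated = True
    # The authentication flow then resumes with whatever the FIDO table now holds.
    return list(fido_regs), migrated
```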