webauthnfidopassword-less

Few open questions around FIDO2 webauthn and U2F



Solution

  • The spec specifically refers to it as an application layer protocol in the abstract:

    https://fidoalliance.org/specs/fido-v2.0-ps-20190130/fido-client-to-authenticator-protocol-v2.0-ps-20190130.html

    The implementation from browser to browser and OS to OS will differ. Windows 10 now offers a native API which sits over the top of Windows Hello and standardises interactions with authenticator devices. Prior to this browsers on Windows had their own implementations and their own UIs. A given CTAP2 implementation would include support for 1 or more of the transports defined in the spec, each having a binding specific to the needs of that transport. The spec is worth a read.

    Lack of CTAP2 support in the examples given above would mean that while you could use a backwards compatible FIDO2/CTAP2 compliant device you'd miss out on the added features of FIDO2 - primarily resident keys and thus the ability to have passwordless logins.

    ETA: This artical is pretty good and has some nice diagrams: https://hybrismart.com/2019/05/23/authentication-with-hardware-security-keys-via-webauthn-in-sap-commerce-cloud/