An Overview of FIDO2 — Passwordless Authentication and Simple Web Application Passwordless Authentication using KeyCloak and WebAuthN

Deepak Sureshkumar
7 min read · Nov 15, 2020


Password-based authentication has become the least efficient option for enterprises and individuals in the cloud era, because of the rising volume of phishing attacks and the difficulty users face in creating and remembering an ever-growing number of accounts and passwords for the digital applications they use every day. Recent studies highlight that stolen or weak passwords are the cause of over 80% of all hacking-related breaches.

Moreover, storing millions of user credentials (including plain or encrypted passwords) on a cloud or on-prem server turns that store into a single high-value target for attackers, which raises the cost of a single security breach. Password resets are an additional overhead for enterprises: when users forget their passwords, they always end up calling the helpdesk.

Introducing multi-factor authentication can reduce attacks on passwords by 99%. Unfortunately, passwords are still a weak link; they should be eliminated altogether in favour of a fully passwordless approach.

FIDO2 (the successor of FIDO UAF and FIDO U2F) is an open passwordless authentication standard that aims to reduce the reliance on passwords. Developed by the Fast Identity Online (FIDO) Alliance, FIDO2 makes authentication simpler and stronger by using asymmetric public-key cryptography. The FIDO2 standard consists of the W3C Web Authentication specification (the WebAuthN API) and the Client to Authenticator Protocol (CTAP).

FIDO2 in a nutshell

  • Authentication uses public and private key pairs
  • The private key is stored on the user’s device and the public key is shared with the service provider
  • Local authentication on the device is used to complete online authentication
  • Users sign in with a single touch / tap / facial or voice recognition / PIN entry on the local device, both for online registration and for authentication
  • The registration flow lets the user select an available FIDO authenticator (internal or external) on the device. Once the user completes local authentication, the device creates a unique public-private key pair that binds the local device, the relying party and the user’s account. Only the public key is shared with the relying party
  • The authentication flow again lets the user select an available FIDO authenticator (internal or external). Once the user completes local authentication, the authentication request (a challenge from the relying party) is signed with the user’s private key and sent to the relying party, which validates the signature against the user’s stored public key
  • No secrets are stored on the server side
  • The user’s biometric data never leaves the user’s device

Platform — Windows 10 and Android platforms

Browser — Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari web browsers

Platform / Internal Authenticator — Integrated with a device and capable of capturing an authentication factor: Touch ID, Face ID, fingerprint scanners and Windows Hello

External / Roaming Authenticator — Also called a Cross-Platform Authenticator; a separate device that plugs into or connects to the user’s device

WebAuthN — WebAuthN enables online services to use FIDO authentication through a standard web API that can be built into browsers and related web platform infrastructure. WebAuthN allows users to log into internet accounts using their preferred device. Web services and apps can (and should) turn on this functionality to give their users a simple login experience via biometrics, mobile devices and FIDO security keys, with much higher security than passwords.

U2F protocol — Designed to strengthen the existing password-based authentication mechanism by introducing second-factor authentication using a plug-in or out-of-device (roaming) authenticator

UAF protocol — Designed to provide a passwordless experience with devices using built-in or plug-in authenticators

CTAP — Extends the UAF and U2F functionality by providing passwordless authentication and by allowing external devices such as mobile handsets or FIDO security keys to work with browsers that support WebAuthN, and also to serve as authenticators for desktop applications and web services.

FIDO2 is still an emerging open standard and is supported by select platforms and browsers. Microsoft has already enabled FIDO2 / WebAuthN with its Windows 10 Hello and Azure AD based identity services. KeyCloak recently added WebAuthN-based passwordless authentication.

Now let us walk through a simple hands-on lab in which a web application delegates its authentication to KeyCloak for passwordless authentication using the FIDO2 / WebAuthN standards. (Please see my previous article about KeyCloak in this link to understand more about KeyCloak.)

For this you don’t need an environment of your own: use the Katacoda online site and run the commands below as a first step to bring up the latest version of KeyCloak, which supports WebAuthN for passwordless authentication.

curl https://downloads.jboss.org/keycloak/11.0.3/keycloak-11.0.3.zip --output keycloak.zip
unzip keycloak.zip
cd keycloak-11.0.3/bin/
./add-user-keycloak.sh -r master -u admin -p admin
./standalone.sh -b 0.0.0.0 -Dkeycloak.profile.feature.account2=enabled -Dkeycloak.profile.feature.account_api=enabled -Dkeycloak.profile.feature.admin_fine_grained_authz=enabled -Dkeycloak.profile.feature.token_exchange=enabled

Create Realm and Enable user Self Registration

  1. Create a new Realm with the name webauthn-passwordless
  2. Navigate to the Login tab of Realm Settings and set User registration to ON. This will enable user self-registration through the portal

Authentication Orchestration

Here we define the flow for an application that delegates its authentication to the KeyCloak IdP. For this lab, I’m setting username plus WebAuthN authentication as the primary flow and the username-and-password screen as an alternative.

  1. Select Authentication -> Flows tab, copy the Browser flow and name the copy Passwordless
  2. Delete the existing Forms sub-flow under Passwordless
  3. Add a new flow under Passwordless named Passwordless Form; add a Username Form execution and a WebAuthN Passwordless Authenticator execution to Passwordless Form
  4. Add one more new flow named Password Form, and add a Username Password Form execution to Password Form
  5. Make sure Passwordless Form and Password Form are at the same level and mark both of them as ALTERNATIVE, as shown in the image below

Binding and Required Action Settings

  1. Go to the Bindings tab and select Passwordless as the default Browser Flow
  2. Go to the Required Actions tab, click Register, and then tick Default Action for WebAuthN Register Passwordless. This ensures that the user registration flow captures a FIDO2/WebAuthN credential.

We are done with the KeyCloak configuration required to support FIDO registration and authentication. I will use https://www.keycloak.org/app/ as the web application to test FIDO/WebAuthN. So let’s create a client in KeyCloak; the testing app will delegate its authentication to KeyCloak through that client.

Client Configuration

  1. Go to the Clients tab and click Create
  2. Set Client ID = passwordless-client, Base URL = https://www.keycloak.org/app/, Valid Redirect URIs = https://www.keycloak.org/app/* and Web Origins = *
  3. Expand Authentication Flow Overrides and change Browser Flow to Passwordless
  4. Go to https://www.keycloak.org/app/ and configure it as shown in the image below
  5. Click the Sign-in button; it will take you to the KeyCloak login page for authentication. Click Register to register our first user

User Registration with FIDO2 Authenticator

  1. Fill in the registration form with the user details and click Register
  2. The browser will prompt you to select an internal or external authenticator for FIDO2 WebAuthN authentication
  3. My laptop has a built-in fingerprint sensor, so I selected the built-in sensor
  4. The browser will prompt the user for Touch ID. Successful identity verification during the WebAuthN registration process generates the public / private key pair. The public key is sent to the relying party; the private key is stored securely within the device (mostly by the TPM — Trusted Platform Module). Hence the user must prove their identity locally every time before WebAuthN authentication, in order to unlock the private key from the secure store.

Adding External Authenticator (CTAP) for the same user from KeyCloak user Account Page

I have a USB security key (without a fingerprint sensor). Let me try to add it as an additional/backup security key for my account. If I want to log in from an unfamiliar device, I can use this USB security key.

  1. Go to the user’s account page, https://<<sername>/auth/realms/webauthn-passwordless/account/, log in, and then click Set up Security Key (this feature is only available as a preview; to enable it, change the Account theme to preview under the Themes tab of the KeyCloak admin portal)
  2. Complete the USB security key registration just by tapping the key image on the USB key, as shown in the image below
  3. The user account now has two security keys registered

User Details

  1. Go to the Users tab, click View all users and select the user you created
  2. Click the Credentials tab and then click Show data for either of the security keys added for that user. It shows the public key generated for that credential

Login with Multiple Security keys

  1. Use the same testing app, type the username and then click Login
  2. The browser will prompt the user to verify their identity; the user can use the Touch ID fingerprint or tap the USB key to log in, since both an internal and an external authenticator are registered for the account.

I hope this article gives my readers at least an overview of passwordless authentication and of how the FIDO2 open standards help achieve it. I have also tried my best to explain, at a high level, how to use the KeyCloak IdP’s WebAuthN capabilities with a simple web application. From here you can read up on the WebAuthN APIs on your own to understand them in detail.
