MFA Login using FIDO2 Yubikey security key on OpenAM 6.5.x

Jatinder Singh
Securing Digital Identity
2 min read, Apr 22, 2019

With the release of OpenAM (Access Management) version 6.5, ForgeRock announced support for FIDO2 authentication. FIDO2 is an open authentication standard that combines Web Authentication (WebAuthn) with the FIDO2 Client to Authenticator Protocol (CTAP2) to deliver an MFA authentication experience. In this article, we’ll use a YubiKey 5 Series, a multi-protocol security key, to deliver MFA login on OpenAM version 6.5.x. You are free to experiment with your own FIDO2 security key; YubiKey is by no means a requirement. There are a few other options on the market, including Google’s Titan, Solo, etc.

Before we dive deeper, I do want to call out a few things. First, OpenAM’s WebAuthn tree nodes still have a few limitations, and I suggest visiting the documentation to see what is not covered in version 6.5.x. Second, FIDO2 requires communication over HTTPS. If you are terminating SSL at Layer 7 or Layer 4 and OpenAM itself is running on HTTP, your WebAuthn authentication/registration will likely fail with the error message below. The reason for this error is the failed “origin” validation: the browser reports the HTTPS origin it connected to, while OpenAM derives its expected origin from the plain HTTP request it receives, so the two never match. My original advice was to implement end-to-end HTTPS for OpenAM (see the update below for an alternative).

origin in response not valid for the actual origin

Update: If your architecture does not incorporate end-to-end HTTPS, I would recommend looking at the service called “Base URL Source Service” as suggested by one of my readers in the responses below.
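To see why the error above appears when TLS is terminated in front of OpenAM, here is an added illustration (not OpenAM’s own code) of the origin check a WebAuthn relying party performs on clientDataJSON before it ever looks at the signature. The host name, challenge and base URL are constructed values for the demo.

```python
# Added example (not OpenAM's code): the relying-party checks on clientDataJSON
# and why a server behind a TLS-terminating proxy fails the origin comparison.
import base64
import json


def b64url_decode(data: str) -> bytes:
    """Decode unpadded base64url, the encoding WebAuthn uses for clientDataJSON."""
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def validate_client_data(client_data_b64: str, expected_origin: str,
                         expected_type: str, expected_challenge: str) -> str:
    """Return "ok" or the reason the response is rejected. These are the
    type / challenge / origin checks WebAuthn requires of a relying party."""
    client_data = json.loads(b64url_decode(client_data_b64))
    if client_data.get("type") != expected_type:
        return "type mismatch"
    if client_data.get("challenge") != expected_challenge:
        return "challenge mismatch"
    if client_data.get("origin") != expected_origin:
        return "origin in response not valid for the actual origin"
    return "ok"


def expected_origin_for(request_scheme: str, host: str, base_url: str = "") -> str:
    """Origin the server expects: derived from the request it actually saw,
    unless a base URL is configured (the role a Base URL setting plays)."""
    if base_url:
        return base_url.rstrip("/")
    return f"{request_scheme}://{host}"


# Constructed clientDataJSON, as a browser would build it for https://am.example.com
CHALLENGE = "dGVzdC1jaGFsbGVuZ2U"  # constructed base64url challenge
CLIENT_DATA = base64.urlsafe_b64encode(json.dumps({
    "type": "webauthn.get",
    "challenge": CHALLENGE,
    "origin": "https://am.example.com",
}).encode()).rstrip(b"=").decode()


def check(request_scheme: str, base_url: str = "") -> str:
    origin = expected_origin_for(request_scheme, "am.example.com", base_url)
    return validate_client_data(CLIENT_DATA, origin, "webauthn.get", CHALLENGE)


if __name__ == "__main__":
    print(check("http"))                            # TLS terminated upstream: fails
    print(check("http", "https://am.example.com/"))  # configured https base URL: ok
```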

Demo

For this demo, I will showcase the following features:

  • WebAuthn Registration to register a FIDO2 security key;
  • WebAuthn Authentication using FIDO2 security key;
  • OpenAM’s Authentication Trees;
  • Displaying a message using MessageNode for device registration;
  • Login using Recovery Codes;
  • Minor debugging for common pitfalls;
  • Using Chrome and Firefox for the FIDO2 demo.

Jatinder Singh

Identity & Access Management Expert on ForgeRock platform. Certified AWS Solutions Architect.