
FIDO 2.1 (Webauthn level 3)

The FIDO protocol is continuously evolving to meet market demands, starting with Passkeys adoption and support for synchronizable credentials aimed mainly at consumer markets, and continuing with Passkeys adoption in enterprise-ready solutions (such as Microsoft Authenticator).

The latest features and changes within the protocol should be adopted in the Veridium FIDO server.

There are several steps to accomplish, as this is a continuous process that follows the evolution of the FIDO Alliance specifications:

  1. Redesign the FIDO server integration APIs

    1. Remove the Veridium device business logic from the FIDO server.

    2. Improve support for authentication device management during enrolment and authentication

    3. Provide out-of-the-box FIDO conformance testing APIs;

  2. Enable FIDO Resident Key authentication as User Engagement in the Veridium IdP;

  3. Enable support for commonly used extensions:

    1. User Verification Method Extension (uvm);

    2. Device-bound public key extension (devicePubKey);

    3. minPinLength - enforce a minimum PIN length for the client PIN verification method;

  4. Support iframe for cross-domain FIDO passkey registration and authentication:

    1. This may be useful to allow single credential registration for different domains. For example register within Veridium Self Service Portal credentials for Veridium internal/external domains or even Microsoft Entra.

  5. Address known issues:

    1. Improve Relying Party default configuration;

    2. Improve the FIDO authenticator management list and remove deprecated code;

    3. Fix the FIDO credential enrolment flow on SSP credential registration delegation.

The latest specifications are currently in release/working draft, but they will be published as

3.c. minPinLength extension

Organizations using FIDO keys want the possibility to enforce a minimum PIN length. To achieve this, Veridium Server uses the minPinLength extension to obtain the minimum PIN length configured on the key.

If the key does not support this extension, or the key is not configured to share its value with the server, then the validation ignores the configured values and they are not applied.

Also, because the key's minPinLength is shared with the server only during enrollment, keys enrolled before this feature was available have no stored value, so the validation is skipped for them.

Configuration

Step 1

In the Veridium Manager interface, go to the Settings section, select FIDO Relying Parties, then select the desired Relying Party and edit it.

[Screenshot: Veridium Manager, FIDO Relying Parties list]

Step 2

In the Relying Party details, scroll down to the minPinLength configuration section, as shown below:

[Screenshot: Relying Party details, minPinLength configuration section]

Step 3

Configure as indicated below:

  1. Enable/disable minimum PIN length validation. This validation can be enabled or disabled by checking or unchecking the flag indicated below.

    1. If it is enabled, then the following values are enforced at enrollment and authentication, respectively.

    2. If it is disabled, then the validation is skipped, regardless of the values set for the following fields.

  2. Minimum PIN length value for enrollment.

    1. If this value is strictly positive (greater than 0), then it is enforced at FIDO enrollment: the minPinLength value set on the device must be greater than or equal to this value. If the device minPinLength is less than this value, then the enrollment fails with an error.

    2. If this value is 0 (zero) or negative, then the validation is skipped for enrollment.

  3. Minimum PIN length value for authentication.

    1. If this value is strictly positive (greater than 0), then it is enforced at FIDO authentication: the minPinLength value set on the device must be greater than or equal to this value. If the device minPinLength is less than this value, then the authentication fails.

    2. If this value is 0 (zero) or negative, then the validation is skipped for authentication.

[Screenshot: minPinLength configuration fields (enable flag, enrollment value, authentication value)]
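The following is an added example that is not part of Veridium Server or this page: it shows where the minPinLength value actually lives (the CBOR extensions map at the end of the WebAuthn authenticator data returned at registration) and applies a Relying Party policy shaped like Step 3 above, including the skip cases from the extension description (key did not share a value, validation disabled, zero or negative threshold). The `policy` dictionary field names, the `build_registration_auth_data` helper and the sample key material it produces are all assumptions constructed for the demonstration; the CBOR codec is a minimal hand-written one, not a library.

```python
"""minPinLength extension end to end: parse the value a FIDO key shares in the
registration authenticator data, then apply an RP policy like the one in Step 3.
Added example, not Veridium Server code; policy field names are assumptions."""
import hashlib
import struct

FLAG_UP, FLAG_UV, FLAG_AT, FLAG_ED = 0x01, 0x04, 0x40, 0x80  # WebAuthn authData flag bits


# --- minimal CBOR codec (ints, bytes, text, arrays, maps): enough for COSE keys and extensions ---
def _cbor_head(major: int, n: int) -> bytes:
    if n < 24:
        return bytes([(major << 5) | n])
    for ai, fmt in ((24, ">B"), (25, ">H"), (26, ">I"), (27, ">Q")):
        if n < 1 << (8 * struct.calcsize(fmt)):
            return bytes([(major << 5) | ai]) + struct.pack(fmt, n)
    raise ValueError("integer too large for CBOR")


def cbor_encode(v) -> bytes:
    if isinstance(v, int):
        return _cbor_head(0, v) if v >= 0 else _cbor_head(1, -1 - v)
    if isinstance(v, bytes):
        return _cbor_head(2, len(v)) + v
    if isinstance(v, str):
        b = v.encode("utf-8")
        return _cbor_head(3, len(b)) + b
    if isinstance(v, list):
        return _cbor_head(4, len(v)) + b"".join(cbor_encode(x) for x in v)
    if isinstance(v, dict):
        return _cbor_head(5, len(v)) + b"".join(cbor_encode(k) + cbor_encode(x) for k, x in v.items())
    raise TypeError(f"unsupported type {type(v).__name__}")


def cbor_decode(buf: bytes, pos: int = 0):
    """Decode one CBOR item starting at pos; return (value, position after the item)."""
    major, ai = buf[pos] >> 5, buf[pos] & 0x1F
    pos += 1
    if ai < 24:
        n = ai
    elif ai <= 27:
        size = 1 << (ai - 24)
        n, pos = int.from_bytes(buf[pos:pos + size], "big"), pos + size
    else:
        raise ValueError("indefinite-length / reserved CBOR not supported")
    if major == 0:
        return n, pos
    if major == 1:
        return -1 - n, pos
    if major == 2:
        return buf[pos:pos + n], pos + n
    if major == 3:
        return buf[pos:pos + n].decode("utf-8"), pos + n
    if major == 4:
        items = []
        for _ in range(n):
            item, pos = cbor_decode(buf, pos)
            items.append(item)
        return items, pos
    if major == 5:
        d = {}
        for _ in range(n):
            k, pos = cbor_decode(buf, pos)
            d[k], pos = cbor_decode(buf, pos)
        return d, pos
    raise ValueError(f"unsupported CBOR major type {major}")


# --- WebAuthn authenticator data: rpIdHash(32) | flags(1) | signCount(4) | [attestedCredData] | [extensions] ---
def parse_auth_data(auth_data: bytes) -> dict:
    flags = auth_data[32]
    pos, cred_id = 37, None
    if flags & FLAG_AT:                                   # aaguid(16) | credIdLen(2) | credId | COSE key (CBOR)
        cred_id_len = int.from_bytes(auth_data[53:55], "big")
        cred_id = auth_data[55:55 + cred_id_len]
        _, pos = cbor_decode(auth_data, 55 + cred_id_len)  # skip the credential public key
    extensions = {}
    if flags & FLAG_ED:                                   # extensions are a CBOR map at the very end
        extensions, pos = cbor_decode(auth_data, pos)
    if pos != len(auth_data):
        raise ValueError("trailing bytes after authenticator data")
    return {"rp_id_hash": auth_data[:32], "flags": flags,
            "sign_count": int.from_bytes(auth_data[33:37], "big"),
            "credential_id": cred_id, "extensions": extensions}


def extract_min_pin_length(auth_data: bytes):
    """The minPinLength the key shared at enrollment, or None if it did not share one."""
    v = parse_auth_data(auth_data)["extensions"].get("minPinLength")
    return v if isinstance(v, int) else None


def check_min_pin_length(policy: dict, reported, phase: str) -> bool:
    """Step 3 policy. `reported` is the value stored at enrollment (None when absent);
    phase is 'enrollment' or 'authentication'. True means the operation may proceed."""
    if not policy.get("enabled"):
        return True          # validation disabled: configured values are ignored
    if reported is None:
        return True          # no extension / not shared / enrolled before the feature: skip
    required = policy.get(phase, 0)
    if required <= 0:
        return True          # zero or negative threshold: skip for this phase
    return reported >= required


def build_registration_auth_data(rp_id: str, min_pin_length, cred_id: bytes = b"\x01" * 16) -> bytes:
    """Constructed sample registration authData (dummy AAGUID and P-256 coordinates, not a real key)."""
    flags, ext = FLAG_UP | FLAG_UV | FLAG_AT, b""
    if min_pin_length is not None:
        flags, ext = flags | FLAG_ED, cbor_encode({"minPinLength": min_pin_length})
    cose_key = cbor_encode({1: 2, 3: -7, -1: 1, -2: b"\x11" * 32, -3: b"\x22" * 32})
    attested = b"\x00" * 16 + len(cred_id).to_bytes(2, "big") + cred_id + cose_key
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + b"\x00" * 4 + attested + ext


if __name__ == "__main__":
    policy = {"enabled": True, "enrollment": 6, "authentication": 8}
    shared = extract_min_pin_length(build_registration_auth_data("local.veridium-dev.com", 8))
    print("key shared minPinLength:", shared)
    print("enrollment allowed:", check_min_pin_length(policy, shared, "enrollment"))
    print("authentication allowed:", check_min_pin_length(policy, shared, "authentication"))
```

Because the value is carried in the signed authenticator data, the check is only as trustworthy as the attestation and signature verification that precede it; the policy function deliberately returns True when no value was shared, matching the "ignored, not applied" behaviour described above rather than failing closed.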

Device setup

For this functionality to work, FIDO devices need to be instructed to share their minimum PIN length configuration with the desired Relying Party. This is a device-specific, vendor-specific operation; for example, on a Yubico YubiKey the following command sets the minimum PIN length to 8 and shares this value with the Relying Party given by its ID (e.g. local.veridium-dev.com):

  • ykman fido access set-min-length 8 -R relyingParty (e.g. ykman fido access set-min-length 8 -R local.veridium-dev.com)

The Relying Party ID is available in the Veridium Manager interface, in the Relying Party details, at the top of the page that holds the minimum PIN length details:

[Screenshot: Relying Party details showing the Relying Party ID]
