WebAuthn Level 3 and Passkeys
The FIDO protocol is continuously evolving to meet market demands, starting with passkey adoption and support for synchronizable credentials, targeted mainly at consumer markets, and extending to passkey adoption in enterprise-ready solutions (such as Microsoft Authenticator).
To keep the Veridium FIDO server up to date with the evolution of the FIDO Alliance specifications, there are several steps to accomplish:
Enable FIDO Resident Key authentication as User Engagement in the Veridium IdP;
Veridium Authenticator as a Passkey application;
Redesign the FIDO server integration APIs;
Remove the Veridium device business logic from the FIDO server;
Improve support for authentication device management during enrolment and authentication;
Provide out-of-the-box FIDO conformance testing APIs;
Improve the Relying Party default configuration;
Improve the FIDO authenticator management list and remove deprecated code;
Fix the FIDO credential enrolment flow on SSP credential registration delegation;
Enable support for commonly used extensions:
    User Verification Method Extension (uvm);
    Device-bound public key extension (devicePubKey);
Support iframes for cross-domain FIDO passkey registration and authentication:
    This may be useful to allow a single credential registration to serve different domains: for example, registering credentials within the Veridium Self Service Portal for Veridium internal/external domains or even Microsoft Entra.
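The cross-domain iframe case above changes what the relying party must verify: the ceremony runs in an embedded origin while the top-level page belongs to another domain. The following is an added example (not Veridium code) showing, for Node.js, the creation options an embedded page would request with the uvm and devicePubKey extensions, the iframe `allow` attribute the embedding page needs, and the server-side clientDataJSON checks on origin, crossOrigin and topOrigin. The RP ID, origins and devicePubKey input shape are assumptions for illustration.

```javascript
// Added example, not part of the Veridium FIDO server. Assumed values:
const RP_ID = "example.com";                       // hypothetical RP ID
const ALLOWED_ORIGINS = new Set(["https://ssp.example.com"]);            // embedded page
const ALLOWED_TOP_ORIGINS = new Set(["https://login.example.com",        // trusted embedders
                                     "https://partner.example.net"]);

// Permissions Policy the embedding page must grant on the <iframe> so the
// embedded origin may run create()/get() ceremonies.
function iframeAllowAttribute() {
  return "publickey-credentials-create; publickey-credentials-get";
}

// Options the embedded page passes to navigator.credentials.create(); the
// extension inputs follow the WebAuthn Level 3 draft (devicePubKey shape assumed).
function buildCreationOptions(challengeB64url, userId, userName) {
  return {
    rp: { id: RP_ID, name: "Example RP" },
    user: { id: userId, name: userName, displayName: userName },
    challenge: challengeB64url, // base64url; decoded to bytes by the client
    pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }],
    authenticatorSelection: { residentKey: "required", userVerification: "required" },
    extensions: { uvm: true, devicePubKey: { attestation: "none" } },
  };
}

// Server-side verification of clientDataJSON from the returned credential.
// For a cross-origin ceremony, topOrigin (Level 3) must name a trusted embedder;
// a client that reports crossOrigin without topOrigin is rejected conservatively.
function verifyClientData(clientDataJsonB64url, expectedChallenge, expectedType) {
  const cd = JSON.parse(Buffer.from(clientDataJsonB64url, "base64url").toString("utf8"));
  if (cd.type !== expectedType) return { ok: false, reason: "type" };
  if (cd.challenge !== expectedChallenge) return { ok: false, reason: "challenge" };
  if (!ALLOWED_ORIGINS.has(cd.origin)) return { ok: false, reason: "origin" };
  if (cd.crossOrigin === true) {
    if (!cd.topOrigin || !ALLOWED_TOP_ORIGINS.has(cd.topOrigin)) {
      return { ok: false, reason: "topOrigin" };
    }
  } else if (cd.topOrigin !== undefined) {
    return { ok: false, reason: "topOrigin without crossOrigin" };
  }
  return { ok: true, crossOrigin: cd.crossOrigin === true };
}

// Helper to build constructed clientDataJSON values for local testing.
function encodeClientData(obj) {
  return Buffer.from(JSON.stringify(obj)).toString("base64url");
}
```

The same `verifyClientData` check applies to authentication with `expectedType` set to `"webauthn.get"`.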
The latest specifications are currently in release/working draft, but they will be published as