OpenOTP & FIDO2 Keys
Overview
OpenOTP supports both OTP and the FIDO2 standard from the FIDO Alliance for user authentication. If you intend to use OpenOTP with FIDO2, read this document, which explains how to enable and use FIDO2 with your application integrations.
1. What is FIDO2?
FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
2. Benefits of FIDO Authentication
2.1 Security
FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
2.2 Convenience
Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
2.3 Privacy
Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Plus, biometric data, when used, never leaves the user’s device.
2.4 Scalability
Websites can enable FIDO2 through a simple JavaScript API call that is supported across leading browsers and platforms on billions of devices consumers use every day.
Note
Read more about FIDO on the Alliance website: https://fidoalliance.org.
2.5 Integrations Support
RCDevs supports FIDO2 authentication on the following integrations:
- RCDevs Identity Provider (OpenID/SAML IDP),
- OpenOTP Credential Provider for Windows,
- OpenOTP Credential Provider for macOS,
- MFAVPN with Viscosity VPN client,
- OpenOTP for ADFS plugin,
- Spankey SSH key authentication (2nd factor),
- Authentication on RCDevs Web Applications like Selfdesk, SelfReg and Helpdesk.
Note for Windows and macOS Credential Providers
The FIDO2 challenge is not supported through Remote Desktop Protocol (RDP). FIDO2 keys can be used for offline logins on these two integrations.
FIDO2 is designed to be used with a single origin: the public key registered during enrollment is bound to that origin. If you need a key to work on multiple origins, it must be registered separately on each of them.
2.6 U2F Compatibility
U2F APIs are now deprecated in favor of FIDO2. From WebADM v2.2, U2F support has been removed from the OpenOTP Security Suite and its integrations. This means you can no longer register U2F devices, but devices registered on previous WebADM/OpenOTP versions can still be used. RCDevs has implemented in OpenOTP the possibility to enroll a deprecated U2F device in FIDO2 mode, so you do not need to buy new security keys to switch to FIDO2. There is no configuration to enable this feature; it is fully automatic and managed by WebADM.
3. Configuration
3.1 Enabling FIDO2 in OpenOTP
To enable FIDO2, edit your OpenOTP configuration under the Applications menu in WebADM and scroll down to the FIDO Devices section.
You must configure the FIDO origin or AppID setting. That setting must match the base DNS name of your domain. In this example, rcdevs.com is the domain name configured as the FIDO origin. It is important to configure it correctly for the feature to work. If for any reason the domain name of your organization changes (e.g. to rcdevs.eu), registered FIDO2 devices will need to be re-registered with the new origin.
In other words, changing the origin used during enrollment breaks authentication for the FIDO2 devices registered with the old origin/base domain.
Web-based client applications do not need to be accessed under a DNS name matching the FIDO origin.
Other settings allow you to limit how many devices can be registered per user. You can optionally require a biometric or PIN verification by the FIDO2 device in order to use it during authentication. Finally, you can also choose which trusted devices are allowed in your organization.
3.2 Register FIDO Devices
3.2.1 From WebADM
You must register a FIDO device before a user can start using it. Now click on Register / Unregister FIDO Devices.
Note
If you change the domain, you must register the tokens again and also change the domain in the FIDO Origin setting; otherwise you will get this warning: The DNS domain in the FIDO Origin does not match the current URL domain. Please use an enrolment URL under the configured FIDO Origin
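The origin rules in section 3.1 and the warning quoted in this note (the FIDO Origin must be the base DNS name, enrollment URLs must sit under it, and a changed origin invalidates existing registrations) all follow from the way WebAuthn binds a credential to its RP ID. The Python below is an added example written for this page; it is not RCDevs code and not how WebADM implements the check internally. The hostnames, challenge value and authenticator data in it are constructed, and it generalizes the page's rcdevs.com / rcdevs.eu case to the general "same domain or a subdomain of it" rule.

```python
"""Added example (not RCDevs code): the origin-binding rules behind the
FIDO Origin setting, written the way a WebAuthn relying party checks them.
All hostnames and values below are constructed for illustration."""
import base64
import hashlib
import hmac
import json
from urllib.parse import urlsplit


def url_under_origin(url: str, fido_origin: str) -> bool:
    """True if the URL's host is the configured FIDO origin or one of its
    subdomains, which is what the WebAuthn RP ID rule requires.  Non-HTTPS
    URLs never qualify because WebAuthn only runs in secure contexts."""
    parts = urlsplit(url)
    if parts.scheme != "https":
        return False
    host = (parts.hostname or "").rstrip(".")       # hostname is lowercase, no port
    origin = fido_origin.strip().lower().rstrip(".")
    if not host or not origin:
        return False
    # The leading dot stops "rcdevs.com.example.net" or "notrcdevs.com" from passing.
    return host == origin or host.endswith("." + origin)


def rp_id_hash(rp_id: str) -> bytes:
    """WebAuthn authenticatorData starts with SHA-256(rpId)."""
    return hashlib.sha256(rp_id.encode("ascii")).digest()


def make_authenticator_data(rp_id: str, sign_count: int = 1) -> bytes:
    """Constructed minimal authenticatorData: rpIdHash (32) | flags (1) | signCount (4).
    Flag 0x01 = user present.  Real data may append credential data and extensions."""
    return rp_id_hash(rp_id) + bytes([0x01]) + sign_count.to_bytes(4, "big")


def credential_bound_to(auth_data: bytes, fido_origin: str) -> bool:
    """A stored credential only verifies against the RP ID it was created for.
    This is why changing the FIDO Origin (rcdevs.com -> rcdevs.eu in the text)
    invalidates every device registered under the old origin."""
    if len(auth_data) < 37:
        return False
    return hmac.compare_digest(auth_data[:32], rp_id_hash(fido_origin.strip().lower()))


def b64url_decode(data: str) -> bytes:
    return base64.urlsafe_b64decode(data + "=" * (-len(data) % 4))


def make_client_data(kind: str, challenge: str, origin: str) -> str:
    """Constructed clientDataJSON as a browser would produce it (base64url, unpadded)."""
    raw = json.dumps({"type": kind, "challenge": challenge, "origin": origin}).encode()
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


def client_data_ok(client_data_b64: str, expected_challenge: str, fido_origin: str,
                   expected_type: str = "webauthn.get") -> bool:
    """Relying-party checks on clientDataJSON: ceremony type, the challenge the
    server issued, and an origin under the configured FIDO origin."""
    try:
        data = json.loads(b64url_decode(client_data_b64))
    except ValueError:                 # bad base64, bad UTF-8 or bad JSON
        return False
    if not isinstance(data, dict):
        return False
    challenge = data.get("challenge")
    if data.get("type") != expected_type or not isinstance(challenge, str):
        return False
    if not hmac.compare_digest(challenge.encode(), expected_challenge.encode()):
        return False
    return url_under_origin(str(data.get("origin", "")), fido_origin)


if __name__ == "__main__":
    cfg = "rcdevs.com"                 # the FIDO Origin from the example in section 3.1
    for url in ("https://webadm.rcdevs.com/webapps/selfdesk/",
                "https://webadm.rcdevs.eu/webapps/selfdesk/",
                "https://rcdevs.com.example.net/"):
        print(f"{url:45s} under {cfg}: {url_under_origin(url, cfg)}")
    old = make_authenticator_data("rcdevs.com")
    print("credential still valid after origin change to rcdevs.eu:",
          credential_bound_to(old, "rcdevs.eu"))
```

The third URL in the demo is the case the leading-dot comparison exists for: a host that merely ends with the origin's characters is not under the origin. The `credential_bound_to` check is the mechanical reason behind the page's re-registration requirement: the stored credential carries SHA-256 of the RP ID it was enrolled under, so a server now configured with a different FIDO Origin computes a different hash and the comparison fails.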
3.2.2 From Self-Service Desk or User Self Registration applications
Here we demonstrate FIDO2 enrollment from the SelfDesk application; the procedure is the same for the SelfReg application.
Before doing so, you must enable FIDO2 enrollment in the SelfDesk or SelfReg configuration so that your users can access the FIDO tab shown below once authenticated on the self-service application. Click on the FIDO tab, choose the token slot you want to use and click the Register button.
Once you have clicked Register, you are prompted with the following screen:
Click on the blinking red message to start the registration process. You are then invited to press your FIDO2 device. Press it and the registration should complete. On the next screen, you see the enrolled device.
3.2.3 From HelpDesk
Let’s register your FIDO2 device from Helpdesk. Before doing so, you must enable FIDO2 enrollment in the Helpdesk configuration so that your Helpdesk users can access the FIDO tab shown below. Once on that page, click on the orange message to start the registration.
3.3 Using a different TPM
WebADM supports all devices equipped with a Trusted Platform Module (TPM), such as Mac and iPhone.
Through a web browser, I’ll register my laptop as a FIDO2 device using Apple Passkeys technology. Click on the red message to start the registration.
The enrollment is finished.
3.4 Login Test
Once your key is registered on your account, you can test it through the WebADM admin GUI or any other web application through the login tester functionality. Click on your user account in the LDAP tree > Application Actions > MFA Authentication > Test OTP & FIDO authentication. To test FIDO logins from WebADM, the Login Mode setting must be configured to LDAPMFA, LDAPU2F, U2F or MFA. Check the OpenOTP configuration or create a user/group/client policy to meet that requirement.
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] New openotpNormalLogin SOAP request
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Username: test
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Domain: Default
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > LDAP Password: xxxxxxxx
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Client ID: OpenOTP
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Source IP: 192.168.3.168
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Context ID: 0e8dc3d6504c57402e7f5511c821a2db
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Registered openotpNormalLogin request
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Resolved LDAP user: cn=test,o=Root (cached)
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Started transaction lock for user
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Found 47 user settings: LoginMode=LDAPMFA,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Found 4 user data: Device1Type,Device1Name,Device1Data,Device1State
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] User has no OTP token registered
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Found 1 registered FIDO device
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Requested login factors: LDAP & U2F
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] LDAP password Ok
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Authentication challenge required
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Started U2F authentication session of ID si7QHE5MQ2VVnnI1 valid for 90 seconds
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Sent login challenge response
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] New openotpChallenge SOAP request
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > Username: test
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > Domain: Default
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > Session: si7QHE5MQ2VVnnI1
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > U2F Response: 356 Bytes
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Found authentication session started 2023-01-30 15:30:32
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Started transaction lock for user
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] FIDO response Ok (device #1)
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Updated user data
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Sent login success response
4. Example of integration
4.1 FIDO2 with Windows Credential Provider
FIDO2 supports multiple login scenarios for the RCDevs Windows credential provider:
- Online connected to your LDAP server (AD or RCDevs Directory, WebADM).
- Offline mode with no connection at all.
Enter your credentials. Now touch your FIDO device to confirm:
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] New openotpSimpleLogin SOAP request
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Username: test
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Domain: WORKGROUP
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Password: xxxxxxxx
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Client ID: CP
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Source IP: %HOSTIP%
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Context ID: nzlaBFxGuAKbRiXwLmdX7u8V4zTMPjBC
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Options: OFFLINE,NOVOICE
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Virtual: preferredLanguage=EN
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Registered openotpSimpleLogin request
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Resolved LDAP user: cn=test,o=Root (cached)
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Started transaction lock for user
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Found user language: EN
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Found 47 user settings: LoginMode=LDAPMFA,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Found 4 user data: Device1Type,Device1Name,Device1Data,Device1State
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] User has no OTP token registered
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Found 1 registered FIDO device
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Requested login factors: LDAP & U2F
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] LDAP password Ok
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Session already started (overriding)
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Authentication challenge required
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Started U2F authentication session of ID CizaioclXquzUtbh valid for 90 seconds
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Sent login challenge response
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] New openotpChallenge SOAP request
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > Username: test
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > Domain: WORKGROUP
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > Session: CizaioclXquzUtbh
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > U2F Response: 320 Bytes
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Found authentication session started 2023-01-30 16:21:48
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Started transaction lock for user
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] FIDO response Ok (device #1)
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] No registered Token supported for offline mode
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Updated user data
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Sent login success response
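The two log excerpts on this page (the WebADM login tester in section 3.4 and the Windows Credential Provider login in section 4.1) share one structure: a first SOAP request checks the LDAP password and opens a U2F authentication session with a validity window, and a later openotpChallenge request carrying the same session ID delivers the key's response. The Python below is an added example, not RCDevs code: it correlates the two legs by OpenOTP request ID, checks that the answer arrived inside the window, reports the offline-mode line from the second excerpt and notes the overridden session. SAMPLE_LOG is a trimmed copy of the page's own excerpts; the record field names are ours.

```python
"""Added example, not RCDevs code: correlate the FIDO login transactions in
the WebADM log excerpts shown on this page and check each challenge was
answered inside its validity window.  SAMPLE_LOG is a trimmed copy of the
page's excerpts; the record field names are ours."""
from datetime import datetime
import re

LINE_RE = re.compile(
    r"^\[(?P<ts>\d{4}-\d{2}-\d{2} \d{2}:\d{2}:\d{2})\] "
    r"\[(?P<client>[\d.]+):\d+\] \[OpenOTP:(?P<req>\w+)\] (?P<msg>.*)$")
SESSION_RE = re.compile(
    r"Started U2F authentication session of ID (\w+) valid for (\d+) seconds")

SAMPLE_LOG = """\
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] New openotpNormalLogin SOAP request
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Username: test
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Client ID: OpenOTP
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Started U2F authentication session of ID si7QHE5MQ2VVnnI1 valid for 90 seconds
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] New openotpChallenge SOAP request
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > Session: si7QHE5MQ2VVnnI1
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] FIDO response Ok (device #1)
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Sent login success response
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] New openotpSimpleLogin SOAP request
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Username: test
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Client ID: CP
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Options: OFFLINE,NOVOICE
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Session already started (overriding)
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Started U2F authentication session of ID CizaioclXquzUtbh valid for 90 seconds
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] New openotpChallenge SOAP request
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > Session: CizaioclXquzUtbh
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] FIDO response Ok (device #1)
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] No registered Token supported for offline mode
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Sent login success response
"""


def new_record() -> dict:
    return {"user": None, "client_id": None, "login_call": None, "session": None,
            "timeout": None, "challenge_sent": None, "challenge_answered": None,
            "session_overridden": False, "offline_requested": False,
            "offline_token": None, "fido_ok": False, "outcome": None,
            "elapsed": None, "within_timeout": None}


def audit_fido_logins(log_text: str) -> dict:
    """Group lines by OpenOTP request ID and extract the FIDO ceremony state."""
    records = {}
    for line in log_text.splitlines():
        m = LINE_RE.match(line)
        if not m:
            continue
        ts = datetime.strptime(m["ts"], "%Y-%m-%d %H:%M:%S")
        rec = records.setdefault(m["req"], new_record())
        msg = m["msg"]
        sm = SESSION_RE.match(msg)
        if msg == "New openotpChallenge SOAP request":
            rec["challenge_answered"] = ts            # second leg: the key's response arrives
        elif msg.startswith("New openotp") and msg.endswith("SOAP request"):
            rec["login_call"] = msg.split()[1]        # openotpNormalLogin / openotpSimpleLogin
        elif msg.startswith("> Username: "):
            rec["user"] = msg[len("> Username: "):]
        elif msg.startswith("> Client ID: "):
            rec["client_id"] = msg[len("> Client ID: "):]
        elif msg.startswith("> Options: "):
            rec["offline_requested"] = "OFFLINE" in msg[len("> Options: "):].split(",")
        elif msg.startswith("> Session: "):
            # The challenge reply must name the session the first leg opened.
            if msg[len("> Session: "):] != rec["session"]:
                rec["outcome"] = "session-mismatch"
        elif msg == "Session already started (overriding)":
            rec["session_overridden"] = True
        elif sm:
            rec["session"], rec["timeout"] = sm.group(1), int(sm.group(2))
            rec["challenge_sent"] = ts
        elif msg.startswith("FIDO response Ok"):
            rec["fido_ok"] = True
        elif msg == "No registered Token supported for offline mode":
            rec["offline_token"] = False
        elif msg == "Sent login success response" and rec["outcome"] is None:
            rec["outcome"] = "success" if rec["fido_ok"] else "success-without-fido"
    for rec in records.values():
        if rec["challenge_sent"] and rec["challenge_answered"]:
            rec["elapsed"] = int((rec["challenge_answered"] - rec["challenge_sent"]).total_seconds())
            rec["within_timeout"] = rec["elapsed"] <= rec["timeout"]
    return records


def findings(records: dict) -> list:
    """Plain-language observations a reviewer would want from the audit."""
    out = []
    for req, r in records.items():
        if r["within_timeout"] is False:
            out.append(f"{req}: challenge answered after the {r['timeout']}s window")
        if r["offline_requested"] and r["offline_token"] is False:
            out.append(f"{req}: offline login requested but no registered token supports offline mode")
        if r["session_overridden"]:
            out.append(f"{req}: a previous unfinished session for {r['user']} was overridden")
    return out


if __name__ == "__main__":
    result = audit_fido_logins(SAMPLE_LOG)
    for req, r in result.items():
        print(f"{req}: {r['login_call']} user={r['user']} client={r['client_id']} "
              f"session={r['session']} answered in {r['elapsed']}s "
              f"(window {r['timeout']}s) -> {r['outcome']}")
    for line in findings(result):
        print("finding:", line)
```

Run against a real WebADM log, the same correlation works because the request ID in the third bracket is what ties the login request and its openotpChallenge follow-up together; the session ID check inside the `> Session:` branch is the detail worth keeping, since a challenge reply that names a session the first leg never opened is the kind of anomaly this log format makes visible.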
Note
Tokens previously registered as U2F are still supported for login. The only difference is that, for new enrollments, the token will appear as registered in FIDO2 mode.