OpenOTP & FIDO2 Keys
Overview
OpenOTP supports both OTP and FIDO2 standard from the FIDO Alliance for user authentication. If you intend to use OpenOTP with FIDO2, please read this document which explains how to enable and use FIDO2 with your application integrations.
1. What is FIDO2 ?
FIDO2 enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. The FIDO2 specifications are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
2. Benefits of FIDO Authentication
2.1 Security
FIDO2 cryptographic login credentials are unique across every website, never leave the user’s device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
2.2 Convenience
Users unlock cryptographic login credentials with simple built-in methods such as fingerprint readers or cameras on their devices, or by leveraging easy-to-use FIDO security keys. Consumers can select the device that best fits their needs.
2.3 Privacy
Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Plus, biometric data, when used, never leaves the user’s device.
2.4 Scalability
Websites can enable FIDO2 through a simple JavaScript API call that is supported across leading browsers and platforms on billions of devices consumers use every day.
Note
Read more about FIDO on the Alliance website : https://fidoalliance.org.
2.5 Integrations Support
RCDevs is supporting FIDO2 authentication on the following integrations:
- RCDevs Identity Provider (OpenID/SAML IDP),
- OpenOTP Credential Provider for Windows,
- OpenOTP Credential Provider for MacOS,
- MFAVPN with Viscosity VPN client,
- OpenOTP for ADFS plugin,
- Spankey SSH key authentication (2nd factor),
- Authentication on RCDevs Web Applications like Selfdesk, SelfReg and Helpdesk.
Note for Windows and MAC Credential Providers
The FIDO2 challenge is not supported through Remote Desktop Protocol (RDP). FIDO2 keys can be used for offline logins on these 2 integrations.
FIDO2 has been designed to be used with only one origin and the public key registered during the enrollment process is linked to that origin. If you want to have it working on multiple origins, the key must be registered x times on x origins.
2.6 U2F Compatibility
U2F APIs are now deprecated in favor of FIDO2. From WebADM v2.2, U2F support has been removed from OpenOTP Security Suite and its integration. It means, you are not able to register U2F devices anymore but you can still use them if they have been registered on previous WebADM/OpenOTP versions. RCDevs implemented in OpenOTP the possibility to enroll a deprecated U2F device in FIDO2 mode. That way, you don’t need to buy new security keys to switch to FIDO2 technology. There is no configuration to enable that feature, it is fully automatic and managed by WebADM.
3. Configuration
3.1 Enabling FIDO2 in OpenOTP
To enable FIDO2, you need to edit your OpenOTP configuration under the Applications menu in WebADM and scroll down to the FIDO Devices section.
You must configure the FIDO origin or AppID setting. That setting must match the base DNS name of your domain. In that example rcdevs.com is the domain name configured for the FIDO origin. It is important to configure it to have that feature working correctly. If for any reason the domain name of your organization change (e.g: rcdevs.eu), then registered FIDO2 devices will need to be re-registered with the new origin.
In other words, change the origin used during the enrollment will break the authentication for the FIDO2 devices registered with the old origin/base domain.
The client applications which are Web based do not need to match the FIDO origin in the DNS name they are accessed.
Other settings allow you to limit how many devices can be registered per user. You can optionnaly request a Biometric or PIN verification by the FIDO2 device in order to use it during the authentication process. To finish, you can also choose which Trusted devices are allowed in your organization.
3.2 Register FIDO Devices
3.2.1 From WebADM
You must register a FIDO Device before a user can start using it :
Now click on Register / Unregister FIDO Devices
Note
If you change the domain you must register the tokens again and also change the domain in FIDO Origin, otherwise you will have this warrning: The DNS domain in the FIDO Origin does not match the current URL domain.Please use an enrolment URL under the configured FIDO Origin
3.2.2 From SelfDesk
3.2.2 From HelpDesk
3.3 Using a different TPM
WebADM supports all devices equipped with a Trusted Platform Module (TPM) like Mac, Iphone…
Using Safari browser i’ll register a token with TPM MAC laptop :
3.4 Login Test
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] New openotpNormalLogin SOAP request
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Username: test
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Domain: Default
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > LDAP Password: xxxxxxxx
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Client ID: OpenOTP
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Source IP: 192.168.3.168
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] > Context ID: 0e8dc3d6504c57402e7f5511c821a2db
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Registered openotpNormalLogin request
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Resolved LDAP user: cn=test,o=Root (cached)
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Started transaction lock for user
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Found 47 user settings: LoginMode=LDAPMFA,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Found 4 user data: Device1Type,Device1Name,Device1Data,Device1State
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] User has no OTP token registered
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Found 1 registered FIDO device
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Requested login factors: LDAP & U2F
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] LDAP password Ok
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Authentication challenge required
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Started U2F authentication session of ID si7QHE5MQ2VVnnI1 valid for 90 seconds
[2023-01-30 15:30:32] [192.168.4.177:53452] [OpenOTP:S6GEXPZ2] Sent login challenge response
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] New openotpChallenge SOAP request
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > Username: test
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > Domain: Default
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > Session: si7QHE5MQ2VVnnI1
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] > U2F Response: 356 Bytes
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Found authentication session started 2023-01-30 15:30:32
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Started transaction lock for user
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] FIDO response Ok (device #1)
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Updated user data
[2023-01-30 15:30:55] [192.168.4.177:58697] [OpenOTP:S6GEXPZ2] Sent login success response
4.Example of integration
4.1 FIDO2 with Windows Credential Provider
FIDO2 supports multiple scenarios of login to your RCDevs Windows credential provider :
- Online connected to your LDAP server (AD or RCDevs Directory, WebADM).
- Offline mode with no connection at all.
Enter your Credentials
Now touch your FIDO to confirm :
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] New openotpSimpleLogin SOAP request
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Username: test
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Domain: WORKGROUP
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Password: xxxxxxxx
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Client ID: CP
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Source IP: %HOSTIP%
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Context ID: nzlaBFxGuAKbRiXwLmdX7u8V4zTMPjBC
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Options: OFFLINE,NOVOICE
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] > Virtual: preferredLanguage=EN
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Registered openotpSimpleLogin request
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Resolved LDAP user: cn=test,o=Root (cached)
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Started transaction lock for user
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Found user language: EN
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Found 47 user settings: LoginMode=LDAPMFA,OTPType=TOKEN,PushLogin=Yes,ChallengeMode=Yes,ChallengeTimeout=90,OTPLength=6,OfflineExpire=30,MobileTimeout=30,EnableLogin=Yes,HOTPLookAheadWindow=25,TOTPTimeStep=30,TOTPTimeOffsetWindow=120,OCRASuite=OCRA-1:HOTP-SHA1-6:QN06-T1M,U2FPINMode=Discouraged,SMSType=Normal,SMSMode=Ondemand,MailMode=Ondemand,PrefetchExpire=10,LastOTPTime=300,ListChallengeMode=ShowID
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Found 4 user data: Device1Type,Device1Name,Device1Data,Device1State
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] User has no OTP token registered
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Found 1 registered FIDO device
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Requested login factors: LDAP & U2F
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] LDAP password Ok
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Session already started (overriding)
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Authentication challenge required
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Started U2F authentication session of ID CizaioclXquzUtbh valid for 90 seconds
[2023-01-30 16:21:48] [192.168.3.222:56109] [OpenOTP:4R9OA2ZI] Sent login challenge response
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] New openotpChallenge SOAP request
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > Username: test
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > Domain: WORKGROUP
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > Session: CizaioclXquzUtbh
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] > U2F Response: 320 Bytes
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Found authentication session started 2023-01-30 16:21:48
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Started transaction lock for user
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] FIDO response Ok (device #1)
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] No registered Token supported for offline mode
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Updated user data
[2023-01-30 16:21:51] [192.168.3.222:56112] [OpenOTP:4R9OA2ZI] Sent login success response
Note
Tokens registered before in U2F are still supported in login. The only difference is that the token will appear registered as FIDO2 for new enrollments.