FIDO2 for ASP.NET Core - Solving the Password Problem

•
Date Posted: 10 September 2019; •
Author: Scott Brady; •
Estimated Reading Time: 6 minute read

Users cannot secure your web applications through password choice alone. We cannot blame them for this; it is not their problem to solve. It is ours, as security professionals, identity professionals, and software developers.

FIDO2 offers a realistic solution in the form of frictionless, possession-based authentication and, thanks to our newest component, FIDO2 for ASP.NET Core, this is now something Rock Solid Knowledge can help you with.

FIDO2 for ASP.NET Core is designed to be as simple as possible to use. Our goal is to help you secure your web applications using methods that won’t compromise you or your users in the event of a breach or leave your users vulnerable to phishing. Our experience has shown us that FIDO2 is the only way to do this.

Unphishable Second Factor

One-Time Passwords via SMS are vulnerable to targeted SIM jacking, and TOTP & Push Notifications cannot protect themselves against phishing sites. These MFA methods are good starting points, but FIDO2 is the only authentication method that is unaffected by these growing risks.

Follow our quickstart documentation to add FIDO2 authentication to your ASP.NET Core application.

First-Factor Authentication – MFA in a single step

In fact, you can do away with passwords in your application altogether. Modern FIDO2 authenticators can provide multi-factor authentication without the second factor (e.g., a PIN or fingerprint) leaving the device. FIDO2 allows the use of biometrics in combination with your security key or smartphone to log into your ASP.NET website.

Follow our passwordless quickstart to add first-factor authentication to your ASP.NET Core application.

Beta Program

For the next two weeks (ending 24th September), we will be running a beta program for FIDO2 for ASP.NET Core. During this time, you can use the component for free, and start playing with unphishable authentication.

FIDO2 for ASP.NET has now completed its beta program. To get a demo license, simply sign up on the products page.

To implement this in your ASP.NET Core web application, you’ll need to write some JavaScript to trigger the WebAuthn APIs, but for the ASP.NET Core side of things, we’ve aimed to keep things as simple as possible. Check out the following registration process:

public class HomeController : Controller {
    private readonly IFidoAuthentication fido;

    public HomeController(IFidoAuthentication fido) {
        this.fido = fido ?? throw new ArgumentNullException(nameof(fido));
    }

    public async Task<IActionResult> Register(RegistrationModel model) {
        var challenge = await fido.InitiateRegistration(model.UserId, model.DeviceName);

        return View(challenge.ToBase64Dto());
    }

    public async Task<IActionResult> CompleteRegistration(Base64FidoRegistrationResponse registrationResponse) {
        var result = await fido.CompleteRegistration(registrationResponse.ToFidoResponse());

        if (result.IsError) return BadRequest(result.ErrorDescription);
        return Ok();
    }
}

Here, we start the registration process, with the FIDO2 component generating the challenge and storing it within a cookie. We then use WebAuthn to communicate with the authenticator (e.g., a security key or a smartphone) and return its response to the FIDO2 component.

Check out our quickstart guide for full integration and sample WebAuthn usage.

What's Next?

Use Cases

We’re aiming to keep usage of this component as simple as possible, but we still want to meet as many use cases as possible, and the only way we can do that is using feedback from you. Are you looking to use FIDO in a busy warehouse where users don’t have time to enter passwords? Are you looking to use it within IdentityServer? Let us know at [email protected].

Development

Until the release of v1 in the coming weeks, we’ll continue working on documentation, including quickstarts for ASP.NET Identity and IdentityServer4. ASP.NET Core 3.0 support is already available, with this component continuing to target .NET Standard 2.0 for the foreseeable future.

Feature-wise, we are working on support for the various attestation formats.

Test Your Authenticator

We've set up a basic demo of the component on fido.identityserver.com. Here you can register and authenticate using your authenticator (platform or roaming) and get a feel for the FIDO flow.

Certification

Once development is complete, as members of the FIDO Alliance, we’ll be looking to get the component certified as a FIDO relying party. Certification will ensure interoperability with FIDO U2F and FIDO2 authenticators.

Get in Contact

FIDO2 for ASP.NET is a simple to use component that enables user authentication with a strong second factor or passwordless authentication. If you want to learn more or wish to discuss your FIDO2 requirements, get in contact at [email protected].

To get a demo license, simply sign up on the products page.

fido2

Scott Brady

•
Job Role: Security Consultant

10 Sept 2019
2FA All the Way

For over 30 years, we have used single passwords to verify identity, and we have known that they are vulnerable to a variety of attacks. Two-Factor authentication has been applied to strengthen the mechanism, but they often increase friction for the user, and can still be vulnerable to phishing attacks. The solution: FIDO2.

Andrew Clymer

Job Role

Head of Identity and Access Management

2FA All the Way