Hi Yasara,

This will be the next-gen authentication mechanism of the Identity Server and I'm glad that we've started to implement the idea. I have a few queries.

1. Are we planning to implement a mobile app as well with this effort? Or can we use some third-party app that's already available?
2. How do we plan to get the device ID? Was this the Firebase token generated for the device?

Regards,
Vihanga.

On Wed, Sep 25, 2019 at 12:31 PM Yasara Yasawardhana <yasa...@wso2.com> wrote:
> Hi All,
>
> Currently WSO2 Identity Server does not support biometrics for authentication. Hence I'm currently working on a Biometric Authenticator to integrate with Android mobile devices. Right now we are planning to add the above feature to WSO2 IS for the following reasons.
>
> Insights behind the feature
>
> - Bringing OOTB support for biometric authentication
> - Integrating a passwordless solution for authentication from biometrics is way simpler and faster for the user.
> - Biometrics is an inherence factor (something that you are). Hence it's one of the most secure authentication methods to authenticate a user with the fingerprint.
> - Biometric authenticators in the mobile devices are easily accessible to users.
>
> Design
>
> BIOMETRIC AUTHENTICATOR
>
> We planned to deploy the Biometric Authenticator as a Federated Authenticator in the WSO2 Identity Server.
>
> Interaction flow with EndPoints
>
> (i) Device Registration Flow
>
> The mobile device of the user has to be registered in WSO2 IS in order to use it as the authentication device. The consumption device is the device that the client uses to consume any service. The authentication device is the mobile device used by the client to authenticate using his/her fingerprint.
>
> 1. Client (consumption device) requests to register in the WSO2 IS.
> 2. WSO2 IS responds by prompting a QR code which includes the username, a challenge, and the URL of the 'Device Registration Endpoint'.
> 3. Client scans the QR code with his mobile device and extracts the required data.
> 4. Mobile device generates a key pair with private and public keys.
> 5. Mobile device encrypts the challenge received upon scanning the QR code with its private key.
> 6. The signed challenge, device ID and the generated public key are sent back to the Device Registration Endpoint.
> 7. WSO2 IS checks using the public key whether the received signed challenge is the same as the challenge sent.
> 8. If the challenge is verified correctly, IS stores the client username, mobile device ID and the public key in the database. The current plan is to store these values in a separate table.
>
> (ii) Biometric Authentication flow
>
> 1. Client initiates the authentication request from the consumption device.
>
> 1. Gets the username from the previous step (e.g. from the basic authentication step) and checks the database in IS. If the client device is already registered, the device ID is extracted.
> 2. IS initiates the push notification upon receiving the Firebase server key. Session Data Key, Device ID and a challenge are also passed as data messages to Firebase.
> 3. WSO2 IS prompts a UI which will indicate that the IS is waiting for the biometric response from the user's authentication device.
> 4. Firebase handles the received request and sends a push notification to the specific device ID along with the session data key and a challenge.
> 5. Upon providing the consent with fingerprint, the mobile device sends back the response to 'endpoint 1' with the session data key and challenge encrypted with the private key.
> 6. WSO2 IS decrypts the challenge with the stored public key and verifies whether the challenge sent is the same as the challenge received.
> 7. At the user's browser (consumption device), the intermediate page keeps on polling the endpoint and checks whether a response (success/failure) with a matching Session Data Key has been received.
> 8. If the user response has been received, then the Authenticator will complete the flow and hand over to the framework which will handle the rest of the process.
>
> Newly introduced Endpoints
>
> These new endpoints are separately hosted in the WSO2 IS and are created with a servlet-based approach.
>
> - Biometric Authenticator Endpoint - Checks whether a response from the authentication device is received. Upon receiving the response, it sets a query parameter t=test. The polling requests from the consumption device check whether a response with the same SDK has arrived and for this query parameter. If it's set to t=test, the authentication response is passed to the authentication framework.
> - Device Registration Endpoint - Registers the authentication devices of users.
>
> Your feedback on the proposal is highly appreciated.
>
> Thank you.
>
> --
> Yasara Yasawardhana
> Intern | WSO2
>
> mobile +94718556737
> email yasa...@wso2.com

--
Vihanga Liyanage
Software Engineer | WSO₂ Inc.
M: +94710124103 | http://wso2.com
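The challenge checks in the quoted proposal (registration steps 4 to 8 and authentication steps 5 and 6), as an added example that is not part of this thread or of WSO2's code: the server side in Go, with "encrypting the challenge with the private key" modelled as an Ed25519 signature, which is what that step does in practice, and each challenge retired on first use so a captured response cannot be replayed. The `Server` type, its methods and the `username/deviceID` lookup key are this example's own assumptions; the mobile side is just `ed25519.Sign` over the challenge bytes, and Firebase delivery and the polling endpoint are left out.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/hex"
)

// Server stands in for WSO2 IS in this example (not WSO2 code): one-time challenges and enrolled devices.
type Server struct {
	pending map[string]string             // challenge -> username it was issued to
	devices map[string]ed25519.PublicKey // "username/deviceID" -> public key enrolled at registration
}

func NewServer() *Server { return &Server{map[string]string{}, map[string]ed25519.PublicKey{}} }

// IssueChallenge mints a random challenge bound to one user; the QR code (registration) or the push notification (authentication) carries it.
func (s *Server) IssueChallenge(user string) string {
	buf := make([]byte, 32)
	if _, err := rand.Read(buf); err != nil {
		panic(err)
	}
	c := hex.EncodeToString(buf)
	s.pending[c] = user
	return c
}

// verify retires the challenge before checking it (so it can never be replayed), then checks the device's signature over it.
func (s *Server) verify(pub ed25519.PublicKey, user, challenge string, sig []byte) bool {
	if s.pending[challenge] != user {
		return false // unknown, issued to another user, or already used
	}
	delete(s.pending, challenge)
	return ed25519.Verify(pub, []byte(challenge), sig)
}

// Register (Device Registration Endpoint): the device proves it holds the private key for the public key it enrols before the binding is stored.
func (s *Server) Register(user, deviceID string, pub ed25519.PublicKey, challenge string, sig []byte) bool {
	if !s.verify(pub, user, challenge, sig) {
		return false
	}
	s.devices[user+"/"+deviceID] = pub
	return true
}

// Authenticate (biometric step): checked only against the key stored at registration, never a key carried in the request.
func (s *Server) Authenticate(user, deviceID, challenge string, sig []byte) bool {
	pub, ok := s.devices[user+"/"+deviceID]
	return ok && s.verify(pub, user, challenge, sig)
}
```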
_______________________________________________
Architecture mailing list
Architecture@wso2.org
https://mail.wso2.org/cgi-bin/mailman/listinfo/architecture