The multi-factor authentication flow for a FIDO device checks the authenticator assertion response, which contains the signed challenge needed to complete the MFA flow. The MFA actions service validates the challenge.
The following sample shows the POST /{{envID}}/deviceAuthentications/{{deviceAuthID}} operation to validate the assertion used in the multi-factor authentication flow. This operation uses the application/vnd.pingidentity.assertion.check+json custom media type as the content type in the request header.
A FIDO2 biometrics device flow uses functions from the Web Authentication API (webauthn API) to manage device authentication. The following sample JavaScript code will help you implement the webauthn API for browser-based operations.
For more information about the Web Authentication API, see Web Authentication: An API for accessing Public Key Credentials.
Call the navigator.credentials.get method using the publicKeyCredentialOptions returned from the assertion.check action of the Flows service (see Assertion Check). As an example, see the WebAuthnAuthentication function in the following code sample:
var authAbortController = window.PublicKeyCredential ? new AbortController() : null;
var authAbortSignal = window.PublicKeyCredential ? authAbortController.signal : null;
window.abortWebAuthnSignal = function abortWebAuthnSignal() {
authAbortController.abort();
authAbortController = new AbortController();
authAbortSignal = authAbortController.signal;
}
window.IsWebAuthnSupported = function IsWebAuthnSupported() {
if (!window.PublicKeyCredential) {
console.log("Web Authentication API is not supported on this browser.");
return false;
}
return true;
}
window.isWebAuthnPlatformAuthenticatorAvailable = function isWebAuthnPlatformAuthenticatorAvailable() {
var timer;
var p1 = new Promise(function(resolve) {
timer = setTimeout(function() {
resolve(false);
}, 1000);
});
var p2 = new Promise(function(resolve) {
if (IsWebAuthnSupported() && window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable) {
resolve(
window.PublicKeyCredential.isUserVerifyingPlatformAuthenticatorAvailable().catch(function(err) {
console.log(err);
return false;
}));
}
else {
resolve(false);
}
});
return Promise.race([p1, p2]).then(function (res) {
clearTimeout(timer);
console.log("isWebAuthnPlatformAuthenticatorAvailable - " + res);
return res;
});
}
window.WebAuthnPlatformAuthentication = function WebAuthnPlatformAuthentication(publicKeyCredentialRequestOptions) {
return new Promise(function(resolve, reject) {
isWebAuthnPlatformAuthenticatorAvailable().then(function (result) {
if (result) {
resolve(Authenticate(publicKeyCredentialRequestOptions));
}
reject(Error("UnSupportedBrowserError"));
});
});
}
function Authenticate(publicKeyCredentialRequestOptions) {
return new Promise(function(resolve, reject) {
var options = JSON.parse(publicKeyCredentialRequestOptions);
var publicKeyCredential = {};
publicKeyCredential.challenge = new Uint8Array(options.challenge);
if ('allowCredentials' in options) {
publicKeyCredential.allowCredentials = credentialListConversion(options.allowCredentials);
}
if ('rpId' in options) {
publicKeyCredential.rpId = options.rpId;
}
if ('timeout' in options) {
publicKeyCredential.timeout = options.timeout;
}
if ('userVerification' in options) {
publicKeyCredential.userVerification = options.userVerification;
}
console.log(publicKeyCredential);
navigator.credentials.get({"publicKey": publicKeyCredential})
.then(function (assertion) {
// Send new credential info to server for verification and registration.
console.log(assertion);
var publicKeyCredential = {};
if ('id' in assertion) {
publicKeyCredential.id = assertion.id;
}
if ('rawId' in assertion) {
publicKeyCredential.rawId = toBase64Str(assertion.rawId);
}
if ('type' in assertion) {
publicKeyCredential.type = assertion.type;
}
var response = {};
response.clientDataJSON = toBase64Str(assertion.response.clientDataJSON);
response.authenticatorData = toBase64Str(assertion.response.authenticatorData);
response.signature = toBase64Str(assertion.response.signature);
response.userHandle = toBase64Str(assertion.response.userHandle);
publicKeyCredential.response = response;
resolve(JSON.stringify(publicKeyCredential));
}).catch(function (err) {
// No acceptable authenticator or user refused consent. Handle appropriately.
console.log(err);
reject(Error(err.name));
});
});
}
function credentialListConversion(list) {
var credList = [];
for (var i=0; i < list.length; i++) {
var cred = {
type: list[i].type,
id: new Uint8Array(list[i].id)
};
if (list[i].transports) {
cred.transports = list[i].transports;
}
credList.push(cred);
}
return credList;
}
function toBase64Str(bin){
return btoa(String.fromCharCode.apply(null, new Uint8Array(bin)));
}
const isWebAuthnSupported = () => {
if (!window.PublicKeyCredential) {
return false;
}
return true;
};
function getCompatibility() {
return isWebAuthnPlatformAuthenticatorAvailable()
.then((result) => {
if (result) {
return 'FULL';
} else if (isWebAuthnSupported()) {
return 'SECURITY_KEY_ONLY';
} else {
return 'NONE';
}
})
.catch(() => {
if (isWebAuthnSupported()) {
return 'SECURITY_KEY_ONLY';
} else {
return 'NONE';
}
});
}{{deviceAuthID}} for the endpoint. For more information, see MFA Device Authentications.| Property | Type | Required? |
|---|---|---|
origin |
String | Required |
assertion |
String | Required |
compatibility |
String | Optional |
See the Device authentications data model for full property descriptions.