-1

I'm new to FIDO2 and I'm learning how to use it on Huawei devices. I read Huawei's documentation and tested their FIDO2 demo app.

I noticed that the demo project has a "server simulator" in the project code, so I'm curious about it: Can I implement the FIDO server logic locally in the app? Is it a wrong practice? Does it affect the security of the biometric data or other data needed in the 2 main processes of FIDO (registration and authentication)?

I also have another question: Is there a free FIDO server that can be used with the app for end users?

I hope someone can resolve my doubts.

Thanks :)

marc_s

1 Answer

2

Do not implement the server authentication logic in your client application. As the saying goes, "never trust user input": the server must independently verify the client response.

For FIDO servers and server libraries, check out https://github.com/herrjemand/awesome-webauthn

Rafe
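To illustrate the answer above, here is an added example (not code from the answer, from Huawei's demo, or from any library on the linked list) of the part of verification that only works on a server: the server issues a random single-use challenge and later checks the `clientDataJSON` returned by the client against it. The names `ChallengeStore`, `check_client_data`, `sample_client_data` and the origin value are assumptions made for the sketch.

```python
import base64
import json
import secrets

EXPECTED_ORIGIN = "https://login.example.test"  # assumption: the relying party's origin


class ChallengeStore:
    """Server-side record of outstanding challenges (hypothetical, in-memory)."""

    def __init__(self):
        self._pending = {}

    def issue(self, session_id):
        # 32 random bytes, base64url without padding, as clientDataJSON carries it.
        raw = secrets.token_bytes(32)
        challenge = base64.urlsafe_b64encode(raw).rstrip(b"=").decode()
        self._pending[session_id] = challenge
        return challenge

    def consume(self, session_id):
        # pop() makes every challenge single-use, so a captured response cannot be replayed.
        return self._pending.pop(session_id, None)


def check_client_data(store, session_id, client_data_json, expected_type="webauthn.get"):
    """Check type, challenge and origin of the clientDataJSON bytes sent by the client.
    The assertion signature must still be verified afterwards with a server library."""
    expected = store.consume(session_id)
    if expected is None:
        return False  # no challenge outstanding: unsolicited or replayed response
    try:
        data = json.loads(client_data_json)
    except ValueError:
        return False
    if not isinstance(data, dict):
        return False
    return (data.get("type") == expected_type
            and data.get("challenge") == expected
            and data.get("origin") == EXPECTED_ORIGIN)


def sample_client_data(challenge, origin=EXPECTED_ORIGIN, type_="webauthn.get"):
    """Constructed sample of what a client would send back (not captured traffic)."""
    return json.dumps({"type": type_, "challenge": challenge, "origin": origin}).encode()
```

If this logic ran inside the app, the same party would both issue the challenge and judge the response, so a modified client could simply report success.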