
In something like Android, it's possible to simply check for a valid fingerprint scan and base abilities on whether or not a match occurred. As far as I can tell with webauthn, it looks like a server is required for ANY fingerprint scanning. Is that true? Is there no way to simply have a line of code that will not execute unless a fingerprint scan occurs that the OS considers valid?

I don't need to store credentials, I just want to only fire off an AJAX request if the fingerprint scan is valid as a sort of "Yes I am sure I want to do this, and the OS says I'm the logged in user" -- even if it's just a client side check. I'm ok with that in this instance.

richie
  • So what you're saying is that you don't care *whose* fingerprint it is? Or do you? Your question is contradictory in that aspect: you can't possibly securely assure that any one specific user is providing their fingerprint if you're implicitly trusting the client and not verifying yourself. – esqew Oct 07 '21 at 20:57
  • Does the OS (say, touchID) not know if the fingerprint matches its library of fingers used to log into the computer? – richie Oct 08 '21 at 04:13
  • It does but in the WebAuthn context TouchID/FaceID (or a PIN for that matter) only serve to protect the credential stored on the device which is then used to sign the assertion which is then verified in your backend using the public key. Without the ability to generate and verify the assertion you aren't protecting anything and someone could easily circumvent the client side check. You imply that you have a backend in play (AJAX request) so would it not be feasible to do this properly? – mackie Oct 08 '21 at 16:20
  • @richie What's to stop me from compiling my own OS that always tells your app "yes, this matches my database" even if I'm not the currently logged-in user...? – esqew Oct 08 '21 at 16:23
  • Nothing, but I don't need that amount of security in this instance. This is an internal tool that requires having code, being on vpn, having pre-shared credentials on hand, etc. I was just looking for a "yes I'm sure" behavior that's slightly more intentional than a simple confirm dialog. – richie Oct 08 '21 at 18:45

2 Answers


So first, let's separate two different actions that are performed in FIDO2/WebAuthn.

  1. User Verification - is an action of verifying user genuineness. Is it really Richie or someone else? This is where the "biometrics" occur, but it could be a PIN code, for example. Fingerprint biometrics is just one of the user verification methods. The user verification is performed on the device by the device. The server will NEVER, and must NEVER, receive any user verification information, as this would be a huge breach of privacy and security.

  2. Authentication - is an action of proving your authenticity. In case of FIDO2/Webauthn this is done by performing cryptographic signature over the challenge.

The authentication is being done to someone. The same way you go to the bank and authenticate yourself to the bank by showing them your passport, in exactly the same way you go to the FIDO server and authenticate to it with your device.

You can't authenticate without a FIDO server for the same reason that you can't authenticate yourself to the bank and take a $100,000 loan without the bank's approval.

From a more in-depth technical view: the FIDO authenticator has a private key, while the server has a public key and a credential id. The server generates a random, per-session challenge, and the corresponding signature by the device contains this challenge. The server guarantees that the challenge was not modified, because, well, servers do these things. If you were to try to implement client (browser) side verification, it would be like implementing password verification on the browser side: not safe at all.

If you are struggling with your implementation, I would suggest either taking one of the many existing open source servers: https://github.com/herrjemand/awesome-webauthn, or here is a good article on how to verify assertions https://medium.com/webauthnworks/verifying-fido2-responses-4691288c8770 (P.S. you do not need attestation)

Ackermann Yuriy

You will need to ask why you are doing a fingerprint scan.

If you do not have a server, what are you asking the user to authenticate into? Are you just asking for a fingerprint as an arbitrary hurdle beyond phone lock screens to have users "feel" like they are extra secure?

In any case, WebAuthn is meant to provide a user-chosen mechanism to authenticate. You do not have policy controls on how the user authenticates - it could for example be via entering a PIN.

You can ask for WebAuthn locally without a back-end server (and there are demos to that effect on the internet). However, you would not actually be authenticating into anything, so it would be security theatre. Normally, a back-end is the one requesting the actual authentication, so it would be providing a security challenge.

David Waite