0

I know that fido is for authentication in web applications. But my question is whether fido is also suitable for authentication on a local .net application. The Fido server should be on the same computer as the .net application, since the computer is not on the Internet.

If that's possible in principle, I'm wondering how the authentication works. Does the app have to open the browser on which the WebAuthn API is located during the login process? Or is there a solution to use the WebAuthn API directly from the .net application?

Thanks in advance.

Julian Krebs
  • 5
  • 2

1 Answers1

1

Many of FIDO2's uses do focus on authentication for web applications through WebAuthn, but there are some other options to look into for offline native applications. Below is some architectural guidance that you could leverage.

Our preferred option is to use the FIDO2 hmac-secret-extension. The FIDO2 authenticator can store and retrieve an hmac-secret as part of its assertion. The client app will then use the secret to unlock a local vault with the users credentials. Here is a Yubico explanation on the extension. You'll need to leverage a FIDO2 library to talk to the FIDO2 device to store/retrieve the secret. Here is a link to Yubico's libfido2 library, and an example of the command needed to get the HMAC secret. Here's an example of how to encrypt/decrypt the credential vault with this library. It should be noted that the auth token and vault implementation is out of scope for the CTAP2 spec - Your CTAP/CTAP2 authenticator stores/supplies the secret, but holds no responsibility for how the secret is used after.

Hope this helps

Cody Salas
  • 431
  • 1
  • 6
  • Good explanation. Just one note: I don't think the authenticator ever stores the hmac-secret. – enzian Jan 21 '23 at 12:58