ASP.NET Core 3.1 - FIDO2 Authenticators


Ken Haggerty
Created 05/10/2020 - Updated 05/23/2020 15:24

This article will describe the FIDO2 authenticator. I will assume you have created a new ASP.NET Core 3.1 Razor Pages project and have reviewed the previous articles of the series. I won't use Identity or Individual User Accounts. See Tutorial: Get started with Razor Pages in ASP.NET Core.

FIDO Utilities Project and Article Series

This project helps mitigate some of the issues with implementing only the challenge. The Users Without Passwords Project implements the challenge with users and authenticators.


Access to the research project source code may be purchased on KenHaggerty.Com at Manage > Assets.

I will publish the FIDO Utilities Project at fido.kenhaggerty.com until I publish the Users Without Passwords Project.

I enjoy writing these articles. It often enhances and clarifies my coding. The research project is a result of a lot of refactoring and hopefully provides logical segues for the articles. Thank you for supporting my efforts.

I started my FIDO research over 8 months ago when I purchased a Security Key NFC by Yubico. The first time I attempted to implement it with Windows 10 sign-in, the warnings about adding a second key for backup scared me away. Now, Windows 10 account sign-in does not support security keys but allows you to add a key for FIDO2. See Settings > Accounts > Sign-in options > Security Keys. My laptop has a fingerprint scanner which is supported by Windows 10 Hello. Windows 10 Hello is certified as a FIDO2 authenticator for passwordless sign-in on the web. Windows 10 Hello also supports a PIN and face recognition with a compatible IR camera. See MSDocs - Windows Hello.

I am using the Users Without Passwords Project to do the research for this article. A FIDO2 web application needs to support multiple authenticators in the event the first one is lost, stolen or broken. When the credential is created, the authenticator returns a response with ClientDataJson and AttestationObject. First you decode the ClientDataJson to verify the type (create or get), the challenge and the Relying Party's origin. Then the attestationObject is decoded as a CBOR object, which contains a byte array called authData. The authData byte array is sliced into its fixed-length fields and hashed to extract and validate properties. The most important are the CredentialId and the PublicKey.

I read somewhere external authenticators support the ES256 algorithm and Windows Hello supports the RS256 algorithm. Typically, the attestation signature is computed over the concatenation of the authenticator data and the client data hash. I have developed a crypto service class with algorithm models for the Users Without Passwords Project.
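As an added example (not code from the author's project), here is a minimal C# parser for the authData layout described above, with the rpIdHash, flags and credentialId checks a Relying Party performs before trusting the CredentialId and PublicKey. It assumes a CBOR library will decode the remaining COSE key bytes and runs against a constructed sample rather than a captured authenticator response.

```csharp
using System;
using System.Linq;
using System.Security.Cryptography;
using System.Text;

// Parses the authData byte array from a FIDO2 registration (attestation) response.
// Layout: rpIdHash(32) | flags(1) | signCount(4, big-endian) | aaguid(16) |
//         credentialIdLength(2, big-endian) | credentialId | credentialPublicKey (CBOR COSE_Key)
public static class AuthDataParser
{
    public static (byte[] AaGuid, byte[] CredentialId, byte[] CosePublicKey, uint SignCount)
        Parse(byte[] authData, string rpId)
    {
        if (authData.Length < 55) throw new ArgumentException("authData too short for attested credential data");
        // rpIdHash must equal SHA-256 of the Relying Party ID the server expects, not a value from the client.
        using (var sha = SHA256.Create())
        {
            var expected = sha.ComputeHash(Encoding.UTF8.GetBytes(rpId));
            if (!expected.SequenceEqual(authData.Take(32)))
                throw new InvalidOperationException("rpIdHash does not match the Relying Party ID");
        }
        byte flags = authData[32];
        if ((flags & 0x01) == 0) throw new InvalidOperationException("User Present (UP) flag not set");
        if ((flags & 0x40) == 0) throw new InvalidOperationException("Attested credential data (AT) flag not set");
        uint signCount = ((uint)authData[33] << 24) | ((uint)authData[34] << 16) | ((uint)authData[35] << 8) | (uint)authData[36];
        var aaguid = authData.Skip(37).Take(16).ToArray();
        int credIdLen = (authData[53] << 8) | authData[54];
        if (55 + credIdLen > authData.Length) throw new ArgumentException("credentialId length exceeds authData");
        var credentialId = authData.Skip(55).Take(credIdLen).ToArray();
        // The rest is the CBOR-encoded COSE public key (decode it with a CBOR library); extension data follows only if the ED flag 0x80 is set.
        var cosePublicKey = authData.Skip(55 + credIdLen).ToArray();
        return (aaguid, credentialId, cosePublicKey, signCount);
    }
    public static void Main()
    {
        // Constructed sample, not a captured authenticator response: rpId "localhost", flags UP|AT,
        // signCount 7, all-zero AAGUID, a 4-byte credential id and a one-byte stand-in for the COSE key.
        byte[] rpIdHash;
        using (var sha = SHA256.Create()) rpIdHash = sha.ComputeHash(Encoding.UTF8.GetBytes("localhost"));
        var sample = rpIdHash
            .Concat(new byte[] { 0x41, 0x00, 0x00, 0x00, 0x07 })
            .Concat(new byte[16])
            .Concat(new byte[] { 0x00, 0x04, 0xAA, 0xBB, 0xCC, 0xDD })
            .Concat(new byte[] { 0xA5 })
            .ToArray();
        var parsed = AuthDataParser.Parse(sample, "localhost");
        Console.WriteLine($"CredentialId={BitConverter.ToString(parsed.CredentialId)} SignCount={parsed.SignCount}");
    }
}
```

Store the returned SignCount with the credential so that a lower or equal counter on a later assertion can be flagged as a possible cloned authenticator.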

I have purchased a second Security Key and updated the YubiKey Manager. You have to run the manager as an administrator to display the firmware version and update the PIN or Reset (restore defaults) for one key at a time.

YubiKey Manager One Key
YubiKey Manager Applications

The manager also allows you to enable or disable the interfaces for the key.

YubiKey Manager Interfaces

The early FIDO authenticators required a Metadata Service to validate security certificates and acquire make and model information. FIDO2 authenticators employ a packed attestation format which doesn't require a certificate lookup for validation. You can request an AaGuid (Authenticator Attestation GUID) from FIDO2 authenticators which can be used with Metadata Services to acquire make, model and firmware. You can use this information to restrict access to specific authenticators. If you request the AaGuid, you will be prompted by the client to allow the request.

I decided to spend some time on FIDO2 utilities with this project so I can focus more on authenticators and users with the Users Without Passwords Project where I will cover authenticators in more depth.

Update 05/23/2020

I added the AES Cipher article link.


Article Tags:

Authorization FIDO
