This article describes the FIDO2 authenticator. I will assume you have downloaded the FREE ASP.NET Core
3.1 - FIDO Utilities Project or created a new ASP.NET Core 3.1 Razor Pages project. I won't use Identity or
Individual User Accounts. See Tutorial: Get started with Razor Pages in ASP.NET Core.
FIDO Utilities Project and Article Series
The ASP.NET Core 3.1 - FIDO Utilities Project (FUP) is a collection of utilities I use in the ASP.NET Core 5.0 - Users
Without Passwords Project (UWPP). I have upgraded the FUP with Bootstrap v5 and Bootstrap Native v4. FUP
version 2.1 features SingleUser Authentication, an Admin Page with Send Email Tests, and ExceptionEmailerMiddleware.
The SMTP Settings Tester is updated and now located in the authorized Pages > Admin folder. The EmailSender
and AES Cipher Demo are also updated. Registered users can download the source code for free on KenHaggerty.Com
at Manage > Assets.
The UWPP is published at Fido.KenHaggerty.Com.
I have two Yubico keys with NFC (Security Key NFC), a HyperFIDO Titanium PRO and a HyperFIDO PRO MINI.
My laptop has a fingerprint scanner which works with Windows Hello. I even bought an IR webcam to test facial
recognition. Probably my most useful device is a male micro USB to female USB adapter because my phone
doesn't have NFC. See ASP.NET Core 5.0 - FIDO2 Credential Devices.
I started my FIDO research over 8 months ago when I purchased a Security Key NFC by Yubico. The first
time I attempted to implement it with Windows 10 sign-in, the warnings about adding a second key for backup
scared me away. Now, Windows 10 account sign-in does not support security keys but allows you to add a key
for FIDO2. See Settings > Accounts > Sign-in options > Security Keys. My laptop has a fingerprint scanner
which is supported by Windows 10 Hello. Windows 10 Hello is certified as a FIDO2 authenticator for
passwordless sign-in on the web. Windows 10 Hello also supports a PIN and face recognition with a
compatible IR camera. See MSDocs - Windows Hello.
I am using the Users Without Passwords Project to do the research for this article. A FIDO2 web application
needs to support multiple authenticators in the event the first one is lost, stolen, or broken. When the credential
is created, the authenticator returns a response with ClientDataJson and AttestationObject. First you decode the
ClientDataJson to verify the type (create or get), the challenge and the Relying Party's origin. Then the attestationObject
is decoded as a CBOR map, from which the byte array called authData is extracted. The authData byte array is sliced,
diced, and hashed to extract and validate its properties. The most important are the CredentialId and the PublicKey.
I read somewhere external authenticators support the ES256 algorithm and Windows Hello supports the RS256
algorithm. Typically, the attestation signature is computed over the concatenation of the authenticator data and the
client data hash. I have developed a crypto service class with algorithm models for the Users Without Passwords Project.
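The two decoding steps above, written out as an added example (not code from the FIDO Utilities Project or the UWPP). It is Python rather than C# so it runs stand-alone; the RP ID, origin, and the sample response bytes are constructed for illustration, and the COSE public key is handed back as raw CBOR for a CBOR library to decode.

```python
import base64, hashlib, json, struct

RP_ID = "fido.kenhaggerty.com"            # assumed relying party ID
ORIGIN = "https://fido.kenhaggerty.com"   # assumed origin the RP expects

def b64url_decode(s):
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))

def verify_client_data(client_data_json, expected_challenge):
    """Step 1: decode clientDataJSON; check type, challenge and origin.
    Returns the clientDataHash that the attestation signature covers."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.create":
        raise ValueError("unexpected ceremony type")
    if b64url_decode(cd.get("challenge", "")) != expected_challenge:
        raise ValueError("challenge mismatch")
    if cd.get("origin") != ORIGIN:
        raise ValueError("origin mismatch")
    return hashlib.sha256(client_data_json).digest()

def parse_auth_data(auth_data):
    """Step 2: slice the authData bytes taken from the attestationObject."""
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    flags = auth_data[32]
    if not flags & 0x01:          # UP: user present
        raise ValueError("user presence not asserted")
    if not flags & 0x40:          # AT: attested credential data follows
        raise ValueError("no attested credential data in authData")
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    aaguid = auth_data[37:53]     # all zeros unless attestation was requested
    cred_len = struct.unpack(">H", auth_data[53:55])[0]
    credential_id = auth_data[55:55 + cred_len]
    # Remainder is the COSE public key as a CBOR map; hand it to a CBOR decoder.
    cose_public_key = auth_data[55 + cred_len:]
    return {"user_verified": bool(flags & 0x04), "sign_count": sign_count,
            "aaguid": aaguid, "credential_id": credential_id,
            "cose_public_key": cose_public_key}

# Constructed sample response, not captured from a real authenticator.
CHALLENGE = bytes(range(16))
SAMPLE_CLIENT_DATA = json.dumps({
    "type": "webauthn.create",
    "challenge": base64.urlsafe_b64encode(CHALLENGE).rstrip(b"=").decode(),
    "origin": ORIGIN}).encode()
SAMPLE_AUTH_DATA = (hashlib.sha256(RP_ID.encode()).digest() + bytes([0x45])
                    + struct.pack(">I", 7) + bytes(16)
                    + struct.pack(">H", 4) + b"\xaa\xbb\xcc\xdd"
                    + b"\xa1\x01\x02")   # placeholder CBOR map {1: 2}, kty=EC2
```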
I have purchased a second Security Key and updated the YubiKey Manager. You have to run the manager as
an administrator to display the firmware version and update the PIN or Reset (restore defaults) for one key at a time.
The manager also allows you to enable or disable the interfaces for the key.
The early FIDO authenticators required a Metadata Service to validate security certificates and acquire make and
model information. FIDO2 authenticators employ a packed attestation format which doesn't require a certificate
lookup for validation. You can request an AaGuid (Authenticator Attestation GUID) from FIDO2 authenticators which
can be used with Metadata Services to acquire make, model and firmware. You can use this information to restrict
access to specific authenticators. If you request the AaGuid, the client will prompt the user to allow the request.
I decided to spend some time on FIDO2 utilities with this project so I can focus more on authenticators and users
with the Users Without Passwords Project where I will cover authenticators in more depth. See
ASP.NET Core 5.0 - Users Without Passwords Project.