ASP.NET Core 5.0 - Multiple FIDO2 Credentials
This article will demonstrate management of multiple FIDO2 devices in the Users Without Passwords Project (UWPP). I will assume you have downloaded the ASP.NET Core 5.0 - Users Without Passwords Project.
Users Without Passwords Project and Article Series
I have developed two separate projects in the Users Without Passwords Project (UWPP) solution. The Users Without Passwords v4 project supports Bootstrap v4 and the new Users Without Passwords project supports Bootstrap v5. The new version is published at Fido.KenHaggerty.Com. You can register a new user with Windows Hello or a FIDO2 security key. Details, screenshots, and related articles can be found at ASP.NET Core 5.0 - Users Without Passwords Project. The details page includes the version change log.
- ASP.NET Core 5.0 - Users Without Passwords
- ASP.NET Core 5.0 - Migrate To Bootstrap v5
- ASP.NET Core 5.0 - The TempData Challenge
- ASP.NET Core 5.0 - FIDO2 Challenge Options
- ASP.NET Core 5.0 - FIDO2 Credential Devices
- ASP.NET Core 5.0 - FIDO2 Credential Create
- ASP.NET Core 5.0 - FIDO2 Credential Get
- ASP.NET Core 5.0 - FIDO2 Attestation Trust
- ASP.NET Core 5.0 - Multiple FIDO2 Credentials
An early objective was to implement multiple credentials and credential management per user. At the time, my first FIDO2 device was a Yubico Security Key NFC and my second FIDO2 device was Windows Hello. The Yubico security key uses Elliptic Curve cryptography and Windows Hello uses RSA cryptography. With the help of GitHub - passwordless-lib / fido2-net-lib, I implemented RSA cryptography. The UWPP configures a list of AllowCredentials, including Transport hints, which are all the Credential Ids related to the user, before the user calls the navigator.credentials.get() function from JavaScript during the login or assertion ceremony. See ASP.NET Core 5.0 - Credential Get.
When the user adds a new credential, the ExcludedCredentials list is used by the attestation ceremony and excludes known authenticators.
CredentialChallenge.cshtml.cs > OnGetAsync:
```csharp
// 5.4 https://www.w3.org/TR/webauthn-2/#dictionary-makecredentialoptions
// excludeCredentials, of type sequence<PublicKeyCredentialDescriptor>, defaulting to []
var excludeCredentials = new List<ExcludedCredential>();
var credentialIds = await _credentialService.GetCredentialIdsByAppUserIdAsync(AppUserId);
if (credentialIds.Count == 0)
    throw new InvalidOperationException($"No Credentials found for AppUser.Id = {AppUserId}");
// Every credential already registered to this user is excluded so the authenticator
// refuses to create a second credential for the same device
foreach (var cid in credentialIds)
    excludeCredentials.Add(new ExcludedCredential() { Type = _challengeOptions.CredentialType, Id = cid });
```
CredentialChallenge.cshtml > JavaScript:
```javascript
let createOptions = @Html.Raw(Model.CreateOptions);
```
CredentialChallenge.cshtml > createCredential:
```javascript
// Update byte string to expected Uint8Array
try {
    // typeof returns a string, so comparing it to the Uint8Array constructor is always true;
    // instanceof is the correct check and makes the conversion safe to run more than once
    if (!(createOptions.challenge instanceof Uint8Array))
        createOptions.challenge = getUint8Array(createOptions.challenge);
    if (!(createOptions.user.id instanceof Uint8Array))
        createOptions.user.id = getUint8Array(createOptions.user.id);
    let l = createOptions.excludeCredentials.length;
    for (let i = 0; i < l; i++)
        if (!(createOptions.excludeCredentials[i].id instanceof Uint8Array))
            createOptions.excludeCredentials[i].id = getUint8Array(createOptions.excludeCredentials[i].id);
} catch (e) {
    showMessageModal(e, 'alert-warning');
    return;
}
```
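The following is an added example, not code from the UWPP, showing the client-side conversion the snippet above performs: decoding the server's createOptions byte fields (challenge, user.id and every excludeCredentials[].id) into Uint8Array before calling navigator.credentials.create(). It assumes those fields arrive as base64url strings (the UWPP's exact serialization is not shown on this page) and that every exclusion entry must carry an id, so a missing one is rejected rather than silently letting the user re-register a device.

```javascript
// Added example (not the UWPP's own code). Assumption: the server sends
// challenge, user.id and excludeCredentials[].id as base64url strings.
const B64URL = 'ABCDEFGHIJKLMNOPQRSTUVWXYZabcdefghijklmnopqrstuvwxyz0123456789-_';

// Decode a base64url string (padded or unpadded) into a Uint8Array.
function base64UrlToUint8Array(str) {
  const clean = str.replace(/=+$/, '');
  const out = [];
  let bits = 0;
  let acc = 0;
  for (const ch of clean) {
    const v = B64URL.indexOf(ch);
    if (v < 0) throw new Error(`invalid base64url character: ${ch}`);
    acc = ((acc << 6) | v) & 0xffffff; // keep only the bits still needed
    bits += 6;
    if (bits >= 8) {
      bits -= 8;
      out.push((acc >> bits) & 0xff);
    }
  }
  return Uint8Array.from(out);
}

// Convert one field, leaving it alone if it is already a Uint8Array.
// `typeof x != Uint8Array` is always true (typeof yields a string), so the
// check must use instanceof for the conversion to be idempotent.
function toBytes(value, name) {
  if (value instanceof Uint8Array) return value;
  if (typeof value !== 'string') throw new Error(`${name} must be a base64url string`);
  return base64UrlToUint8Array(value);
}

// Prepare createOptions for navigator.credentials.create(). Every
// excludeCredentials entry needs an id, otherwise the authenticator cannot
// refuse to enroll a device the user has already registered.
function prepareCreateOptions(opts) {
  opts.challenge = toBytes(opts.challenge, 'challenge');
  opts.user.id = toBytes(opts.user.id, 'user.id');
  opts.excludeCredentials = opts.excludeCredentials || [];
  opts.excludeCredentials.forEach((c, i) => {
    if (c.id === undefined) throw new Error(`excludeCredentials[${i}] has no id`);
    c.id = toBytes(c.id, `excludeCredentials[${i}].id`);
  });
  return opts;
}
```

Calling prepareCreateOptions a second time on the same object is a no-op, which is the property the instanceof check buys over the typeof comparison.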
The UWPP implements credential management with a primary credential and editable credential name.
The user can delete non-primary credentials.
Administrators can manage credentials by user.