Register and deregister a FIDO-based authenticator

Before you can use FIDO-based authentication for OneSpan Cloud Authentication, you must register your FIDO authenticator for either the UAF or FIDO2 protocol.

Prerequisites for registering a FIDO-based authenticator

The following prerequisites have to be met before starting the registration process:

  • The user must exist in OneSpan Cloud Authentication.
  • The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.

FIDO-based authenticator registration flow

Sequence to register a FIDO-based authenticator

  1. The app starts the registration process. This triggers the web server to initiate the registration to the OneSpan Trusted Identity platform API.
  2. The OneSpan Trusted Identity platform API initializes the registration with the FIDO Server.
  3. The FIDO Server proceeds to generate a registration request that is sent to the OneSpan Trusted Identity platform API.
  4. The OneSpan Trusted Identity platform API receives the registration request and sends it to the web server.
  5. The web server forwards the request to the app.
  6. The app communicates with the FIDO authenticator to generate a registration response.
  7. The app forwards the registration response to the web server, which forwards the response to the OneSpan Trusted Identity platform API.
  8. The OneSpan Trusted Identity platform API finalizes the registration with the FIDO Server.
  9. The FIDO Server verifies the registration response and sends the verification result to the OneSpan Trusted Identity platform API.
  10. The OneSpan Trusted Identity platform API receives the success response and sends it to the web server.
  11. To conclude the registration process, the web server sends this verification response to the app.

    The FIDO authenticator is now registered and ready to be used for passwordless authentication.

Authenticator management

Currently it is possible to remove an authenticator only if it has been registered with the UAF protocol.

Prerequisites to remove a previously registered FIDO-based authenticator

The following prerequisites have to be met before you can start with the deregistration process:

  • The user must be authenticated against OneSpan Cloud Authentication and logged in with the app.

Deregister a FIDO UAF authenticator

Sequence to deregister a FIDO UAF authenticator

  1. The app sends a request to the web server. This request is forwarded to the OneSpan Trusted Identity platform API.
  2. The OneSpan Trusted Identity platform API sends the request to the FIDO Server.
  3. The FIDO Server removes the authenticator and sends a deregistration request to the OneSpan Trusted Identity platform API.
  4. The OneSpan Trusted Identity platform API forwards this deregistration request to the web server.
  5. The web server forwards the deregistration request to the authenticator. The authenticator then cleans up its internal storage accordingly.
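The two sequences above, as an added, constructed simulation that is not OneSpan's code: it models the FIDO Server (registration steps 3 and 9, deregistration step 3) and the FIDO authenticator (registration step 6, deregistration step 5), and omits the web server and the OneSpan Trusted Identity platform API because in both flows they relay the messages unchanged. Real FIDO attestation is a public-key signature that the FIDO Server checks against an attestation trust root; here that is stood in for by an HMAC under an assumed shared key, and the class and method names are assumptions.

```python
import hmac, hashlib, secrets

# Constructed stand-in for attestation trust: a real FIDO Server verifies a
# public-key attestation signature; this mock uses an HMAC under a key it trusts.
ATTESTATION_KEY = b"constructed-attestation-trust-root"

class FidoServer:
    def __init__(self):
        self.pending = {}      # challenge -> username (issued step 3, consumed step 9)
        self.credentials = {}  # username -> {credential_id: public_key}

    def registration_request(self, username):  # registration step 3
        challenge = secrets.token_hex(16)
        self.pending[challenge] = username
        return {"username": username, "challenge": challenge}

    def verify_registration(self, resp):  # registration step 9
        # The challenge must be one this server issued for this user; it is consumed
        # on first use, so a captured registration response cannot be replayed.
        if self.pending.get(resp["challenge"]) != resp["username"]:
            return False
        msg = (resp["challenge"] + resp["credential_id"] + resp["public_key"]).encode()
        expected = hmac.new(ATTESTATION_KEY, msg, hashlib.sha256).hexdigest()
        if not hmac.compare_digest(expected, resp["attestation"]):
            return False
        del self.pending[resp["challenge"]]
        self.credentials.setdefault(resp["username"], {})[resp["credential_id"]] = resp["public_key"]
        return True

    def deregister(self, username, credential_id):  # UAF deregistration step 3
        return self.credentials.get(username, {}).pop(credential_id, None) is not None

class Authenticator:
    def __init__(self):
        self.store = {}  # credential_id -> private material kept on the device

    def registration_response(self, req):  # registration step 6
        cred_id, priv = secrets.token_hex(8), secrets.token_hex(16)
        pub = hashlib.sha256(priv.encode()).hexdigest()  # mock "public key"
        self.store[cred_id] = priv
        msg = (req["challenge"] + cred_id + pub).encode()
        att = hmac.new(ATTESTATION_KEY, msg, hashlib.sha256).hexdigest()
        return {**req, "credential_id": cred_id, "public_key": pub, "attestation": att}

    def cleanup(self, credential_id):  # UAF deregistration step 5
        self.store.pop(credential_id, None)
```

Driving the flow once shows that the same registration response is accepted exactly once, that a response bound to another user's challenge is rejected, and that after deregistration the credential is gone from both the FIDO Server and the device.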