Two-factor Authentication Tutorial
What is two-factor authentication?
Two-factor authentication (also known as 2FA or two-step verification) is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. A password is typically considered one factor (something you know). With FIDO2, you can use a security key (something you have) or biometrics (something you are) as the second factor.
1. Registration
- Step 1: enter user information.
2. Authentication
The login scenario of two-factor authentication is:
- Step 1: enter username + password. The server verifies them; the password is the first authentication factor.
- Step 2: if the username and password are correct, verify the authenticator, which is the second factor.
Parameters explanation
The parameters used when registering a credential:
<script>
// possible values: none (default), direct, indirect
let attestation = "none"; // the Relying Party (RP) is not interested in authenticator attestation
let authenticatorSelection = {
    // possible values: <absent> (default), platform, cross-platform
    // Leave the member undefined (or omit it) when the RP does not care which
    // authenticator type is used, so the user can choose. An empty string is not
    // a valid AuthenticatorAttachment value.
    'authenticatorAttachment': undefined,
    // possible values: preferred, required, discouraged (this demo's default;
    // the WebAuthn specification's own default is "preferred")
    'userVerification': "discouraged", // the RP does not want user verification employed during the operation
    // possible values: true, false (default)
    'requireResidentKey': false // the authenticator does not have to create a client-side-resident (discoverable) credential
};
</script>
RPs can specify their preference regarding attestation conveyance during credential generation. The attestation parameter has 3 possible values:
- none: the RP is not interested in authenticator attestation. The client may replace the authenticator's attestation with a "none" statement.
- indirect: the RP prefers an attestation, but allows the client to decide how to obtain the attestation statement (for example, by using an anonymizing CA).
- direct: the RP wants to receive the attestation statement exactly as generated by the authenticator.
In this demo the default value, "none", is used. Use "direct" if your RP needs to know which authenticator model produced the key (for example, to accept only certified authenticators); the server must then validate the attestation statement and its certificate chain against trusted roots, since an unverified attestation adds nothing. Browsers may ask the user for consent before returning a direct attestation.
More on userVerification in the
Multi-factor authentication scenario.
The use of requireResidentKey is explained in
Usernameless authentication.
The parameters used when authenticating with a registered credential:
<script>
// possible values: preferred, required, discouraged (this demo's default;
// the WebAuthn specification's own default is "preferred")
let userVerification = "discouraged"; // the Relying Party does not want user verification employed during the operation
</script>
If the RP does not specify these parameters, the FIDO2 authentication server in this demo fills in the defaults shown above. Whatever value is chosen, the server must check the authenticator data returned by the client: when userVerification is "required", the UV flag must be set in the response, otherwise the authentication must be rejected.