Two-factor Authentication Tutorial

What is Two-factor authentication?

Two-factor authentication (also known as 2FA or two-step verification) is a method to confirm a user’s claimed online identity by using a combination of two different types of factors. A password is typically considered one factor (something you know). With FIDO2, you can use a security key (something you have) or biometrics (something you are) as the second factor.

1. Registration

  • 1

    Enter user information

    Specific username or e-mail address to identify user.
    A human-palatable name for the user account, intended only for display.
    For demo purpose, the password will not be stored.

2. Authentication

The login scenario of two-factor authentication is:

  • Step 1: enter username + password.
  • Verify username and password. If they are correct, then Step 2: verify authenticator.

  • 1

    Authenticate password - the first authentication factor

    Registered username.
    For demo purpose, the password will not be stored. Please enter "password".

Parameters explanation

The parameters have been used when registering a credential:


<script>
    // possible values: none (default), direct, indirect
    let attestation = "none"; // means that the Replying Party (RP) is not interested in authenticator attestation

    let authenticatorSelection = {
        // possible values: <empty> (default), platform, cross-platform
        'authenticatorAttachment': "", // means that the RP does not specify authenticator type. User can choose what they want.
        // possible values: preferred, required, discouraged (default)
        'userVerification': "discouraged", // means that the Relying Party does not want user verification employed during the operation
        // possible values: true, false (default)
        'requireResidentKey': false // means that the authenticator does not have to create a client-side-resident public key credential source when creating a public key credential.
    };
</script>

RPs can specify their preference regarding attestation conveyance during credential generation. The Attestation parameter has 3 possible values:

  • none: RP is not interested in authenticator attestation.
  • indirect: RP prefers an attestation, but allows the client to decide how to obtain the attestation statements.
  • direct: RP wants to receive the attestation statement as generated by the authenticator.

In this demo, the default value is using. If your RP server needs more security, you should use "direct" to force client to return full attestation.
More on UserVerification in the Multi-factor authentication scenario.
And the use of RequireResidentKey will be explain in Usernameless authentication.

The parameters have been used when authenticating registered credential:


<script>
    // possible values: preferred, required, discouraged (default)
    let userVerification = "discouraged"; // means that the Relying Party does not want user verification employed during the operation
</script>

In case RP does not specify these parameters, FIDO2 authentication server will set these as default values.