WebAuthn​ (Web Authentication), part of the FIDO2 Project, is a web standard published by the W3C that enables strong authentication with public-key cryptography, passwordless authentication, and secure two-factor authentication. The standard defines a JavaScript API which allows token registration and subsequent authentication. The API is implemented in current versions of all major browsers (​ Edge 18+, Firefox 60+, Chrome 67+, Safari 13+, Opera 54+​ ) and is also backwards-compatible with (legacy) U2F tokens.

This activity implements or extends this API into existing open source community products

The goal of this activity is to contribute to the SimpleSAMLphp Webauthn module as well as to develop a new custom module for SATOSA to support 2FA using the WebAuthn API. Resulted modules would be integrated and tested in eduTEAMS (SATOSA) and ELIXIR AAI (SimpleSAMLphp).

Authentication proxies translate between authentication protocols such as SAML2, OIDC, and OAuth2. A proxy receives authentication requests from SPs or RPs and relays them onto IdPs or OPs. If a service requires two-factor authentication, for example, using the REFEDS assurance framework, and the identity provider does not support it, the proxy may perform the second-factor authentication. Two significant open-source examples are SimpleSAMLphp which can serve as an authentication proxy and Python-based​ SATOSA which was explicitly developed as a proxy.

WebAuthn can be used for passwordless authentication or for second-factor authentication to increase users‘ security. As of October 2019, a​ module for SimpleSAMLphp​ is being developed to bring WebAuthn support.

The implementation of WebAuthN modules for SATOSA and SimpleSAMLphp would enable major parts of the T&I community to use state-of-the-art multi factor authentication without implementing something on their own.

• First time a project was proposed and will be implemented by TIM → unknown outcome
• WebAuthN is a very popular standard with a lot of ongoing activities. It might happen that someone works already on a similar project or publishes before the activity ends.

The product handles highly sensitive authentication data which provide access to user identities. High standards for coding, security and quality control are required.

This activity is done when:

• A prototype of a WebAuthN module for SATOSA and SimpleSAMLphp is implemented
• The prototypes are successfully tested with eduTEAMS and ELIXIR
• The module are provided to the SATOSA/SimpleSAMLphp community

The modules will be submitted to the upstream repositories and later managed by the corresponding communities.

• WebAuthnN module available via CESTNET github repository: https://github.com/CESNET/satosa-module-webauthn
• Example flows (.mp4) available via Sprint Demo results