FIDO authenticator

The Onegini SDK supports FIDO UAF authentication through Samsung's FIDO Client. On its own, the SDK will not discover any FIDO authenticators. To discover an authenticator, your application needs to include one or more biometric modules that conform to the FIDO standard. These biometric modules can be implemented by any vendor. Onegini does not provide any biometric modules.

Availability

A user can enable FIDO authentication only if all of the following requirements are met:

FIDO authenticator registration

Implementing authenticator registration is described within the Authenticator topic guide.

Authenticate using FIDO

Whenever FIDO authentication is enabled and a FIDO authenticator is set as preferred, the user will be prompted to authenticate with the FIDO authenticator instead of the PIN. The SDK will call the userClient:didReceiveFIDOChallenge: method on your ONGAuthenticationDelegate, where you choose how to respond to the challenge.

- (void)userClient:(ONGUserClient *)userClient didReceiveFIDOChallenge:(ONGFIDOChallenge *)challenge
{
    // Respond to the challenge with exactly one of the following calls.

    // Continue authentication using the FIDO authenticator
    [challenge.sender respondWithFIDOForChallenge:challenge];

    // Or fall back to PIN if needed
    // [challenge.sender respondWithPinFallbackForChallenge:challenge];

    // Or cancel the challenge
    // [challenge.sender cancelChallenge:challenge];
}

If the user encounters issues when authenticating using FIDO (depending on the biometric authenticator, these might be wet fingers, hoarseness, etc.), the user can always choose to fall back to PIN authentication. Cancelling the FIDO authentication once it has started will cancel the authentication process. Calling cancelChallenge: for the challenge will also cancel the authentication process.

The SDK will propagate an error if the FIDO authenticator detects abuse due to too many failed authentication attempts.
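
The following is an added example, not code from Onegini: a delegate that lets the user pick between the three responses described above, so that each choice sends exactly one response. The class name FIDOChallengeHandler, the presentingViewController property and the "OneginiSDK.h" header name are assumptions; only the delegate method and the three responder calls come from this page.

```objc
#import <UIKit/UIKit.h>
#import "OneginiSDK.h" // assumed header name; use the import your project already has

// Hypothetical handler class, shown only to illustrate the three responses.
@interface FIDOChallengeHandler : NSObject <ONGAuthenticationDelegate>
@property (nonatomic, weak) UIViewController *presentingViewController; // hypothetical
@end

@implementation FIDOChallengeHandler

- (void)userClient:(ONGUserClient *)userClient didReceiveFIDOChallenge:(ONGFIDOChallenge *)challenge
{
    // UIKit must be used on the main thread; the delegate's calling thread is not assumed.
    dispatch_async(dispatch_get_main_queue(), ^{
        UIViewController *presenter = self.presentingViewController;
        if (presenter == nil) {
            // No UI available to ask the user: cancel instead of leaving the challenge unanswered.
            [challenge.sender cancelChallenge:challenge];
            return;
        }

        // An alert-style controller is dismissed only by one of its actions,
        // so exactly one of the handlers below runs per challenge.
        UIAlertController *alert =
            [UIAlertController alertControllerWithTitle:@"Sign in"
                                                message:@"Choose how to authenticate"
                                         preferredStyle:UIAlertControllerStyleAlert];
        [alert addAction:[UIAlertAction actionWithTitle:@"Use FIDO authenticator"
                                                  style:UIAlertActionStyleDefault
                                                handler:^(UIAlertAction *action) {
            [challenge.sender respondWithFIDOForChallenge:challenge];
        }]];
        [alert addAction:[UIAlertAction actionWithTitle:@"Use PIN"
                                                  style:UIAlertActionStyleDefault
                                                handler:^(UIAlertAction *action) {
            [challenge.sender respondWithPinFallbackForChallenge:challenge];
        }]];
        [alert addAction:[UIAlertAction actionWithTitle:@"Cancel"
                                                  style:UIAlertActionStyleCancel
                                                handler:^(UIAlertAction *action) {
            // Cancels the whole authentication process, not only the FIDO step.
            [challenge.sender cancelChallenge:challenge];
        }]];
        [presenter presentViewController:alert animated:YES completion:nil];
    });
}

@end
```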

FIDO authenticator deregistration

Implementing authenticator deregistration is described in the Authenticator topic guide.