Product Documentation

This section explains the SKFS Policy Module and how it enables you to define and manage FIDO security policy independent of web applications.

Why do you need this?

The W3C Web Authentication (WebAuthn) application programming interface (API) presents web developers with a daunting number of options, which makes it confusing to understand how to implement a security policy that meets business and/or compliance requirements.

For example, how do you define and enforce a policy where users with Android mobile devices may register FIDO credentials, but must verify their identity with biometric authentication (to the mobile device) before their FIDO key is unlocked to authenticate to the application? Or, how do you support a policy that only accepts a specific type of security key?

While your application could program this detail into its software, this becomes a security and compliance nightmare. What if there is a change in policy and you need to support two additional Security Key models? Or what if a vulnerability is discovered in a specific Authenticator and you want to exclude it from being registered on your site? The application will not only have to be modified and undergo its software development life cycle (SDLC) processes, but it will also have to be audited for compliance in regulated environments.

The SKFS Policy Module (SKFS-PM) eliminates the need to modify applications in these situations.

Without modifying the application, the SKFS-PM allows you to add, modify, and/or delete rules in a policy and load the updated policy into the SKFS. Applications using the updated policy will immediately be subject to the policy enforced by the SKFS: a revoked Authenticator will no longer be accepted; a newly configured Authenticator will now be acceptable; a FIPS-certified Authenticator may now be the only acceptable device for a high-risk application, etc. All this can be configured, documented, managed, and audited independently of the applications that use SKFS.


NOTE: On the StrongKey Tellaro appliance, a single SKFS instance is capable of managing hundreds of policies simultaneously. While SKFS Cloud can also support multiple applications with a single instance, it can only manage one policy at a time within such an instance.


Check out the SKFS PM Demo.


General Configuration

  • name: The name of the FIDO2 policy

  • copyright: A plain language name of the copyright

  • version: The policy format version

  • startDate: The policy effective start date in milliseconds; when the FIDO2 Server should start using this policy

  • endDate: The policy effective end date in milliseconds; when the FIDO2 Server should stop using this policy
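As an added example, not part of the SKFS documentation or code base, the following Python checker validates the general-configuration fields listed above and reports whether a policy is in effect at a given instant, which is the check an operator would want before loading a policy. It assumes a flat JSON object carrying exactly these five keys (the real SKFS policy layout may differ) and uses a constructed sample policy.

```python
import json
import time
from typing import Optional

# Fields from the General Configuration section. The flat-object layout is an
# assumption for this example, not the documented SKFS policy schema.
REQUIRED_FIELDS = ("name", "copyright", "version", "startDate", "endDate")

# Heuristic: a "millisecond" timestamp below this value would fall before 1973,
# which almost always means the value was supplied in seconds by mistake.
MIN_PLAUSIBLE_MS = 100_000_000_000


def load_general_config(policy_json: str) -> dict:
    """Parse a policy document and validate its general-configuration fields."""
    policy = json.loads(policy_json)
    missing = [f for f in REQUIRED_FIELDS if f not in policy]
    if missing:
        raise ValueError(f"policy is missing fields: {missing}")
    for field in ("startDate", "endDate"):
        value = policy[field]
        if isinstance(value, bool) or not isinstance(value, int):
            raise ValueError(f"{field} must be an integer number of milliseconds")
        if value < MIN_PLAUSIBLE_MS:
            raise ValueError(f"{field} looks like seconds, not milliseconds: {value}")
    if policy["startDate"] >= policy["endDate"]:
        raise ValueError("startDate must be earlier than endDate")
    return policy


def policy_status(policy: dict, now_ms: Optional[int] = None) -> str:
    """Return 'pending', 'active' or 'expired' for the policy at now_ms."""
    if now_ms is None:
        now_ms = int(time.time() * 1000)
    if now_ms < policy["startDate"]:
        return "pending"          # server should not use this policy yet
    if now_ms >= policy["endDate"]:
        return "expired"          # server should have stopped using it
    return "active"


# Constructed sample policy; the values are chosen for this example only.
SAMPLE_POLICY = json.dumps({
    "name": "example-android-biometric-policy",
    "copyright": "Example Org",
    "version": "1.0",
    "startDate": 1704067200000,   # 2024-01-01T00:00:00Z in milliseconds
    "endDate": 1735689600000,     # 2025-01-01T00:00:00Z in milliseconds
})

if __name__ == "__main__":
    cfg = load_general_config(SAMPLE_POLICY)
    print(cfg["name"], policy_status(cfg))
```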