With the number of options provided by the W3C Web Authentication (WebAuthn) API, it can sometimes be confusing to understand how to implement a specific policy that meets business requirements.
For example, how do you enforce a policy that a high-risk business application might want, under which only users with Android mobile devices may register and use FIDO authentication, and biometric verification of the user is required before the FIDO key is unlocked to digitally sign the challenge? Or, how do you support a policy that only accepts a specific brand of security key, say a YubiKey or a TrustKey?
While your web and/or mobile application back end could hard-code this detail, that quickly becomes a security and compliance nightmare. What happens if the policy changes and you need to add three more security key brands? Or if a vulnerability is discovered in a specific authenticator type and you want to exclude it from being registered on your site?
SKFS simplifies managing such security policies with its Policy Module (PM); a demonstration can be seen on the StrongKey FIDO Policy demo.
The SKFS-PM works by reading the signed, base64-encoded JSON policy object that was configured for the FIDO cryptographic domain and enforcing it for all FIDO transactions: registrations, authentications, and transaction authorizations. On the Tellaro appliance, it is even feasible to segment FIDO cryptographic domains so that different applications are subject to different FIDO policies.
While it may be possible to create numerous policies, we recommend starting with these four examples and customizing them to suit your needs. The policies are defined as:
RESTRICTED—A very secure policy that limits many options, such as using specific:
ECC curve(s)
Signing algorithm(s)
Attestation(s)
User verification
Platform
STRICT—A secure policy that limits many options, such as using specific:
Signing algorithm(s)
Attestation(s)
User verification
AAGUID(s)
MODERATE—A reasonable policy that limits some options such as using specific:
Signing algorithm(s)
Attestation(s)
AAGUID(s) and/or platforms
MINIMAL—A policy that accepts any authenticator:
No constraints are specified; any FIDO authenticator is accepted
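The following is an added example, not code from SKFS or StrongKey, that shows the shape of the policy-module idea described above: a policy is serialized as base64-encoded JSON with an integrity tag, decoded and verified before use, and then applied to a registration attempt to produce a list of violations. The JSON schema (curves, algorithms, attestation_formats, user_verification, platforms, aaguids), the four policy profiles, the AAGUID values, and the attempt descriptors are all constructed for illustration and do not match SKFS's real policy format; the signature step is simplified to an HMAC tag in place of a real digital signature.

```python
import base64
import hashlib
import hmac
import json

# Hypothetical policy schema (an assumption for this example, not SKFS's format).
# A value of None means "no constraint on this attribute"; MINIMAL constrains nothing.
POLICIES = {
    "RESTRICTED": {
        "curves": ["P-256"],
        "algorithms": ["ES256"],
        "attestation_formats": ["packed", "android-key"],
        "user_verification": "required",
        "platforms": ["android"],
        "aaguids": None,
    },
    "STRICT": {
        "curves": None,
        "algorithms": ["ES256", "RS256"],
        "attestation_formats": ["packed", "tpm", "android-key"],
        "user_verification": "required",
        "platforms": None,
        # Constructed AAGUIDs standing in for an allow-list of authenticator models.
        "aaguids": ["11111111-1111-1111-1111-111111111111",
                    "22222222-2222-2222-2222-222222222222"],
    },
    "MODERATE": {
        "curves": None,
        "algorithms": ["ES256", "RS256"],
        "attestation_formats": ["packed", "tpm", "android-key", "fido-u2f"],
        "user_verification": None,
        "platforms": ["android", "windows", "cross-platform"],
        "aaguids": None,
    },
    "MINIMAL": {},
}

# Constructed demo key; a real deployment would use the domain's signing key.
DEMO_SIGNING_KEY = b"constructed-demo-key-not-for-production"


def encode_policy(policy, key=DEMO_SIGNING_KEY):
    """Serialize a policy as base64(JSON) plus an HMAC-SHA256 tag over the base64 body."""
    body = base64.b64encode(json.dumps(policy, sort_keys=True).encode()).decode()
    tag = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    return f"{body}.{tag}"


def decode_policy(blob, key=DEMO_SIGNING_KEY):
    """Verify the tag before trusting the policy; reject anything tampered or malformed."""
    body, sep, tag = blob.rpartition(".")
    if not sep:
        raise ValueError("malformed policy blob")
    expected = hmac.new(key, body.encode(), hashlib.sha256).hexdigest()
    if not hmac.compare_digest(tag, expected):
        raise ValueError("policy integrity check failed")
    return json.loads(base64.b64decode(body))


def evaluate(policy, attempt):
    """Return the list of policy violations for one registration attempt (empty = allowed)."""
    violations = []
    checks = (("curve", "curves"), ("algorithm", "algorithms"),
              ("attestation_format", "attestation_formats"),
              ("platform", "platforms"), ("aaguid", "aaguids"))
    for attempt_field, policy_key in checks:
        allowed = policy.get(policy_key)
        actual = attempt.get(attempt_field)
        if allowed is not None and actual not in allowed:
            violations.append(f"{attempt_field} {actual!r} not in {allowed}")
    if policy.get("user_verification") == "required" and not attempt.get("user_verified"):
        violations.append("user verification required but not performed")
    return violations


def enforce(blob, attempt, key=DEMO_SIGNING_KEY):
    """Decode + verify the stored policy, then evaluate the attempt against it."""
    return evaluate(decode_policy(blob, key), attempt)


# Constructed registration attempts: an Android phone with biometric UV, and a
# roaming security key used without user verification.
ANDROID_BIOMETRIC = {"curve": "P-256", "algorithm": "ES256", "attestation_format": "android-key",
                     "platform": "android", "user_verified": True,
                     "aaguid": "11111111-1111-1111-1111-111111111111"}
SECURITY_KEY_NO_UV = {"curve": "P-256", "algorithm": "ES256", "attestation_format": "packed",
                      "platform": "cross-platform", "user_verified": False,
                      "aaguid": "33333333-3333-3333-3333-333333333333"}

if __name__ == "__main__":
    for name, policy in POLICIES.items():
        blob = encode_policy(policy)
        for label, attempt in (("android", ANDROID_BIOMETRIC), ("seckey", SECURITY_KEY_NO_UV)):
            print(f"{name:10} {label:8} -> {enforce(blob, attempt) or 'ALLOWED'}")
```

Because the policy is data rather than code, swapping RESTRICTED for MODERATE, adding an AAGUID to STRICT, or removing a compromised attestation format is a change to the signed policy object, not a redeploy of the application; the integrity check in decode_policy is what stops an attacker who can write to the policy store from silently loosening the rules.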