Discover the power of FIDO strong authentication.
SKFS supports the following capabilities:
- Register and authenticate Universal 2nd Factor (U2F) and FIDO2 keys from FIDO Certified® Authenticators
- Register, Authenticate, and Authorize (in support of transaction confirmation with a digital signature) when using a mobile app built using the StrongKey Android Client Library (SACL)
- Accessing SKFS capabilities through Representational State Transfer (REST) or Simple Object Access Protocol (SOAP) web services from web/mobile applications. It is important to recognize that the client application—whether executing within a mobile device or in a browser on any computing platform—does not interact with SKFS directly; all FIDO interactions are intended to be available through the application’s back-end services
- SKFS deploys in a variety of configurations to address customer risk management requirements:
  - Leveraging the StrongKey Tellaro appliance with a FIPS 140-2 Level-2 or Level-3 cryptographic hardware module (to offer the highest level of security), in a single-tenant deployment either on customer premises or in the StrongKey Cloud
  - Leveraging the StrongKey Tellaro appliance with a FIPS 140-2 Level-2 or Level-3 cryptographic hardware module (to offer high levels of security), in a multi-tenant deployment in the StrongKey Cloud
  - As a software-only deployment within a Docker container in private or public clouds—review Hybrid Cloud Security Architecture for an overview of security risks of deploying cryptographic key management systems in a multi-tenant public cloud
- HA/DR through the deployment of multiple SKFS instances within a cluster of peer nodes. Each node in the cluster supports all operations of SKFS and asynchronously replicates its objects to all other peer nodes of the cluster across a local or wide area network
- Lightweight Directory Access Protocol (LDAP) directory server—such as OpenLDAP or Active Directory (AD)—integration to enable registering existing users with their FIDO keys after they are authenticated to the directory server
- Public key infrastructure (PKI) integration to enable registering existing users with their FIDO keys after they are strongly authenticated with their X.509 digital certificates
- Digitally signing all FIDO objects upon persistence and verifying object digital signatures upon read to assert the integrity of FIDO objects—this prevents attackers from substituting public key handles of users within a FIDO database to attack other users’ accounts without the need for their FIDO Authenticator
- Site and application-specific policy management to tailor SKFS deployments to customers’ risk management profiles
- Bundled software FIDO Authenticator to support testing web/mobile applications within continuous integration (CI) and continuous deployment (CD) environments
- Bundled command line interface (CLI) tool to test SKFS deployment and configuration
- Bundled JMeter plan to support customers testing web/mobile applications for performance bottlenecks and HA/DR capabilities
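
The sign-on-persist, verify-on-read capability listed above, sketched as an added Go example (not SKFS code). `KeyRecord`, `Persist`, `Load` and the in-memory map are hypothetical, and Ed25519 is an assumed stand-in for whatever signature scheme SKFS uses.

```go
package main

import (
	"crypto/ed25519"
	"encoding/binary"
	"errors"
	"fmt"
)

type KeyRecord struct { // hypothetical registration row, not the SKFS schema
	Username                        string
	KeyHandle, PublicKey, Signature []byte // Signature covers the other three fields
}
var ErrIntegrity = errors.New("record missing or signature invalid")

// canonical length-prefixes each field so bytes cannot move between fields unnoticed.
func canonical(r KeyRecord) []byte {
	var out []byte
	for _, f := range [][]byte{[]byte(r.Username), r.KeyHandle, r.PublicKey} {
		var n [4]byte
		binary.BigEndian.PutUint32(n[:], uint32(len(f)))
		out = append(append(out, n[:]...), f...)
	}
	return out
}

// Persist signs the record with the server key before it is written.
func Persist(db map[string]*KeyRecord, priv ed25519.PrivateKey, r KeyRecord) {
	r.Signature = ed25519.Sign(priv, canonical(r))
	db[r.Username] = &r
}

// Load verifies on read: the row must be signed and bound to the requested user.
func Load(db map[string]*KeyRecord, pub ed25519.PublicKey, user string) (*KeyRecord, error) {
	r, ok := db[user]
	if !ok || r.Username != user || !ed25519.Verify(pub, canonical(*r), r.Signature) {
		return nil, ErrIntegrity
	}
	return r, nil
}

func main() { // all values below are constructed samples
	pub, priv, _ := ed25519.GenerateKey(nil) // nil selects crypto/rand
	db := map[string]*KeyRecord{}
	Persist(db, priv, KeyRecord{Username: "alice", KeyHandle: []byte("kh-a"), PublicKey: []byte("pk-a")})
	db["alice"].PublicKey = []byte("pk-other") // simulated direct edit of the stored row
	_, err := Load(db, pub, "alice")
	fmt.Println("alice after edit:", err)
}
```

Because the username is part of the signed message, a validly signed row copied from one user's slot into another's is rejected as well as an edited one.
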
All features referenced in this manual are available with StrongKey support—whether SKFS is downloaded from public repositories such as GitHub or SourceForge, or acquired through the StrongKey Cloud or StrongKey Tellaro appliances; the only difference in support is that a contract with StrongKey guarantees a service level agreement (SLA) on which the customer can depend for a response to the support request. StrongKey supports all other uses of SKFS through the forums on GitHub and SourceForge on a best-efforts basis.