FIDO UAF

Updated May 31st 2018

How to implement PixelPin as a FIDO UAF Authentication option

Before you get started

PixelPin is now available as a FIDO Certified Client/ Authenticator Combo for Android devices and soon for iOS devices.

New to FIDO? Find out what FIDO is over on the FIDO Alliance’s website.

New to FIDO UAF? Check out the UAF User Experience over on the FIDO Alliance’s Website.

New to the FIDO UAF Specification? Check out the FIDO UAF specification over on the FIDO Alliance specifications page.

PixelPin’s FIDO UAF Level 1 Certified Client/ Authenticator Combo App

Users will need to install the PixelPin iOS and Android app for them to use PixelPin as a FIDO UAF authentication option.

The PixelPin Client/ Authenticator Combo App is available from the App & Play store:

  1. PixelPin for Android
  2. PixelPin for iOS (Awaiting Certification)

PixelPin and Nok Nok Labs

PixelPin are planning an integration with the Nok Nok Labs Authenticator SDK to provide a more generic way of embedding authenticators securely, making it easier and more secure to integrate PixelPin as a FIDO authentication option.

This guide will:

  1. Supply you with information to help you integrate the FIDO UAF protocol into your iOS and Android application, allowing your application to use the PixelPin as a FIDO UAF Authenticator option.
  2. Provide you with PixelPin’s Metadata to upload to your FIDO Server.

Prerequisites

  1. You have or will have a Web Server that can process FIDO UAF Protocols.
  2. You have or will have a FIDO UAF Certified Server that can process PixelPin’s authenticator metadata.
  3. You, the integrator, are familiar with the FIDO Glossary of Terms and the UAF protocol specification.

FIDO UAF Architecture

Below is the FIDO UAF Architecture from the integrator’s point of view.

Implementing FIDO UAF into your architecture to use PixelPin

There are two major tasks you will need to complete to implement FIDO UAF into your architecture:

  1. Upload PixelPin’s metadata statement to your FIDO server and process the metadata during Registration and Authentication operations; this allows your system to verify that it is using PixelPin as an authenticator.
  2. Implement the FIDO UAF API into your mobile app to allow communication between your mobile app and the PixelPin mobile app.

PixelPin’s Metadata Statement

Architecture areas of interest

The architecture areas covered in this section are the FIDO Server, FIDO Metadata Service and Authenticator Metadata Store.

PixelPin’s metadata statement will need to be added to your FIDO server so that, for each assertion in an Authenticator response, the server can look up the metadata statement by the authenticator’s AAID and compare the assertion against it.

See the FIDO UAF Authenticator Metadata statements architecture for more information on metadata statements.

Adding PixelPin’s Metadata Statement to your FIDO server

  1. Download the required metadata statement and upload it to your FIDO server:

    1. Download PixelPin Metadata for Android
    2. Download PixelPin Metadata for iOS

  2. If you already have a FIDO server:

    1. Update your FIDO server registration policy to include the relevant data contained in the downloaded PixelPin Metadata. See 3.1.11, 3.1.12 and 3.2 in the FIDO UAF Protocol Specification.
    2. Refer to the Registration Response Processing Rules for FIDO Server and implement/modify your code following the listed steps, taking extra care with steps containing Metadata(AAID), where Metadata(AAID) refers to the lookup of the PixelPin metadata statement stored on your FIDO server.
    3. Refer to the Authentication Response Processing Rules for FIDO Server and implement/modify your code following the listed steps, again taking extra care with steps containing Metadata(AAID).

  3. If you DO NOT have a FIDO server:

    1. See the list of FIDO UAF certified servers or consider implementing your own FIDO server using the FIDO specifications. Once you've done that, you'll be able to complete the steps above.
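The Metadata(AAID) lookup that the processing rules above refer to, shown as an added example in Python (not PixelPin's or any FIDO server's own code). The metadata statement and AAID below are constructed placeholders that only follow the FIDO UAF metadata statement field names; the real values come from the downloaded PixelPin metadata.

```python
import re

# Constructed placeholder statement: field names follow the FIDO UAF
# Metadata Statement format, but the AAID and values are NOT PixelPin's.
PIXELPIN_METADATA_PLACEHOLDER = {
    "aaid": "ABCD#0001",  # placeholder; real AAIDs have the form VVVV#MMMM
    "description": "PixelPin (placeholder statement)",
    "upv": [{"major": 1, "minor": 0}, {"major": 1, "minor": 1}],
    "assertionScheme": "UAFV1TLV",
}

AAID_RE = re.compile(r"^[0-9A-Fa-f]{4}#[0-9A-Fa-f]{4}$")


def build_metadata_store(statements):
    """Authenticator Metadata Store keyed by AAID; this is what Metadata(AAID) reads."""
    return {s["aaid"].upper(): s for s in statements}


def build_registration_policy(aaids):
    """Registration policy whose 'accepted' MatchCriteria allow only the listed AAIDs."""
    return {"accepted": [[{"aaid": [a.upper()]}] for a in aaids]}


def aaid_accepted_by_policy(aaid, policy):
    """True if some set of MatchCriteria in policy['accepted'] lists this AAID
    (only the 'aaid' criterion is modelled here)."""
    for criteria_set in policy["accepted"]:
        if all(aaid in criteria.get("aaid", []) for criteria in criteria_set):
            return True
    return False


def process_registration_assertion(assertion, store, policy):
    """The Metadata(AAID)-dependent subset of the Registration Response
    processing rules. Returns (accepted, reason)."""
    aaid = assertion.get("aaid", "")
    if not AAID_RE.match(aaid):
        return False, "malformed AAID"
    aaid = aaid.upper()
    metadata = store.get(aaid)  # Metadata(AAID) lookup
    if metadata is None:
        return False, "no metadata statement for AAID"
    if not aaid_accepted_by_policy(aaid, policy):
        return False, "AAID not permitted by registration policy"
    if assertion.get("assertionScheme") != metadata["assertionScheme"]:
        return False, "assertion scheme does not match metadata"
    if assertion.get("upv") not in metadata["upv"]:
        return False, "protocol version not supported by this authenticator"
    return True, "assertion matches Metadata(AAID) and policy"
```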

Implementing FIDO UAF API into your mobile app

If you have already implemented the FIDO UAF API into your mobile app and have uploaded the PixelPin metadata to your FIDO server, you have finished the integration. PixelPin should be available as an authentication option.

Architecture areas of interest

The architecture areas covered in this section are your Mobile Application, the UAF API, the FIDO Client (PixelPin), the TLS protocol, the UAF Protocol and your Web Server.

For this section you, the integrator, need to be familiar with the FIDO Glossary of Terms and the UAF protocol specification.

The FIDO UAF API will need to be implemented to allow your mobile application to locate and communicate with FIDO Clients (Including the PixelPin App).

Before implementing the FIDO UAF API into your mobile application, read the Overview, Common Definitions and Shared Definitions sections of the FIDO UAF Application and Transport Binding Specification.

FIDO UAF API for Android

Read and implement the Android Intent API and Transport Binding Profile sections of the FIDO UAF Application API and Transport Binding Specification.

FIDO UAF API for iOS

Read and implement the iOS Custom URL API and Transport Binding Profile sections of the FIDO UAF Application API and Transport Binding Specification.

Key points you need to know before using PixelPin FIDO UAF

PixelPin accounts

When using PixelPin FIDO UAF, your users will be using a local PixelPin account that is stored on their mobile device and not in the cloud. This means they cannot use their existing Cloud stored PixelPin accounts that they may use on other websites. Your users will need to create a new PixelPin account to use during FIDO UAF registration.

With the PixelPin account being stored on their device and not in the cloud:

  1. In the event of the user needing to format their device, they will lose their local PixelPin account and will need to create a new one during FIDO UAF registration.
  2. They cannot use their PixelPin FIDO UAF account to sign into other sites or apps.
  3. They cannot use a PixelPin FIDO UAF account to sign into your app on another device; they will need to create another PixelPin FIDO UAF account on the other device during FIDO UAF registration.

All data related to the PixelPin FIDO UAF Account is encrypted on their device.

Different reset journey

When a user needs to reset the passpoints for their PixelPin FIDO UAF account, the reset journey differs from the cloud one. A normal non-FIDO reset journey consists of the user being sent a reset email to their email address, from which they click on the link in the email to start resetting their passpoints.

When the user forgets the passpoints for their PixelPin FIDO UAF account and selects ‘I’ve Forgotten’, they will be prompted with their device lock screen. On Android they may be prompted for their set PIN, password, pattern or fingerprint, depending on the Android device and version. On iOS, they may be prompted for their set PIN, password, Face ID or fingerprint, depending on the iOS device and version. Once they unlock the lock screen, they will be able to reset the passpoints for their PixelPin FIDO UAF account.

If no lock screen is set, the user will not be allowed to reset their passpoints until one is set.

Existing FIDO UAF Integrations examples

eBay has a GitHub project that has a demo FIDO UAF server and FIDO UAF Android client app. The repo can be found following this link.

FIDO Dev Google Group

The FIDO Alliance has a Google Group for developers that are working with FIDO. The group allows FIDO developers to ask and answer questions about the FIDO protocol. The group can be found following this link.