FIDO2/WebAuthn Authentication Testing

 


preface

WebAuthn is a new W3C specification that lets users log in without typing a password. First we need an SSL/TLS certificate, because WebAuthn only works on localhost or over HTTPS.

SSL cert

An SSL cert provides secure data transport. If you use localhost for development, you can skip this. I tried Let's Encrypt.

Set the A/AAAA record in your DNS config to your server's IP.

Installing certbot on my Ubuntu 18.04 server:

$ sudo apt-get update
$ sudo apt-get install software-properties-common
$ sudo add-apt-repository universe
$ sudo add-apt-repository ppa:certbot/certbot
$ sudo apt-get update
$ sudo apt-get install certbot 

After installing, run sudo certbot certonly and choose "standalone".

If it succeeds, you will get the cert file at /etc/letsencrypt/live/[your domain]/fullchain.pem and the key file at /etc/letsencrypt/live/[your domain]/privkey.pem. Configure these in your web server's configuration.

(I ran into some permission problems here, so I just copied the .pem files out as a temporary solution.)

WebAuthn server

The main functions of a FIDO2/WebAuthn server are registering new keys and authenticating logins. Here we use the Elixir implementation, wax_demo, which you can find on GitHub.

You should set metadata_access_token in the config file. See the documentation of the wax library for details.
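As an added illustration of what "login authentication" means on the server side, the Python below is example code written for this note, not code from wax_demo or the wax library. It generates a per-ceremony challenge, checks the browser's clientDataJSON (ceremony type, challenge, origin), parses the authenticatorData layout (rpIdHash, flags, signature counter) and rejects the responses a relying party must refuse: a non-HTTPS origin, a stale challenge, a counter that went backwards, and a missing user-presence flag. The relying party ID example.com and origin https://example.com are constructed values. The assertion signature itself, which covers authenticatorData || SHA-256(clientDataJSON), is not verified here because that needs the stored credential public key and a crypto library; signed_bytes() only returns the bytes that check would cover.

```python
import base64
import hashlib
import json
import secrets
import struct

# Relying party settings: constructed values for this example, not wax_demo's config.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"   # WebAuthn only runs over HTTPS (or on localhost)


def b64url_encode(raw: bytes) -> str:
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def new_challenge() -> str:
    # One fresh random challenge per ceremony; reusing one would allow replay.
    return b64url_encode(secrets.token_bytes(32))


def build_client_data(ceremony_type: str, challenge: str, origin: str) -> bytes:
    # Constructed stand-in for the clientDataJSON the browser produces.
    return json.dumps({"type": ceremony_type, "challenge": challenge,
                       "origin": origin}).encode()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    # Constructed authenticatorData: rpIdHash (32) || flags (1) || signCount (4, big-endian).
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags]) + struct.pack(">I", sign_count))


def verify_client_data(client_data_json: bytes, expected_challenge: str,
                       expected_type: str) -> dict:
    data = json.loads(client_data_json)
    if data.get("type") != expected_type:
        raise ValueError(f"unexpected ceremony type {data.get('type')!r}")
    if data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch: replayed or wrong-session response")
    if data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin {data.get('origin')!r} is not {EXPECTED_ORIGIN!r}")
    return data


def parse_authenticator_data(auth_data: bytes) -> dict:
    if len(auth_data) < 37:
        raise ValueError("authenticatorData shorter than the 37-byte minimum")
    flags = auth_data[32]
    return {
        "rp_id_hash": auth_data[:32],
        "user_present": bool(flags & 0x01),        # UP bit
        "user_verified": bool(flags & 0x04),       # UV bit
        "has_attested_cred": bool(flags & 0x40),   # AT bit (registration only)
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }


def signed_bytes(auth_data: bytes, client_data_json: bytes) -> bytes:
    # The assertion signature covers authenticatorData || SHA-256(clientDataJSON).
    # Checking it against the stored credential public key is left to a crypto library.
    return auth_data + hashlib.sha256(client_data_json).digest()


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: str, stored_sign_count: int) -> int:
    """Structural checks for a login (webauthn.get) response; returns the new counter."""
    verify_client_data(client_data_json, expected_challenge, "webauthn.get")
    ad = parse_authenticator_data(auth_data)
    if ad["rp_id_hash"] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not ad["user_present"]:
        raise ValueError("user presence (UP) flag not set")
    # A counter that fails to increase suggests a cloned authenticator; the check is
    # skipped only when both sides report 0 (authenticator without a counter).
    if (ad["sign_count"] or stored_sign_count) and ad["sign_count"] <= stored_sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    return ad["sign_count"]


def demo() -> dict:
    """Run one good login plus the failure cases; returns each outcome as a string."""
    challenge = new_challenge()
    good_cd = build_client_data("webauthn.get", challenge, EXPECTED_ORIGIN)
    good_ad = build_authenticator_data(RP_ID, 0x05, 10)   # UP|UV set, counter 10
    results = {"ok": str(verify_assertion(good_cd, good_ad, challenge, 9))}
    cases = {
        "http_origin": (build_client_data("webauthn.get", challenge, "http://example.com"), good_ad, 9),
        "stale_challenge": (build_client_data("webauthn.get", new_challenge(), EXPECTED_ORIGIN), good_ad, 9),
        "counter_rollback": (good_cd, build_authenticator_data(RP_ID, 0x05, 3), 9),
        "no_user_presence": (good_cd, build_authenticator_data(RP_ID, 0x04, 11), 9),
    }
    for name, (cd, ad, stored) in cases.items():
        try:
            verify_assertion(cd, ad, challenge, stored)
            results[name] = "accepted"
        except ValueError as exc:
            results[name] = "rejected: " + str(exc)
    return results


if __name__ == "__main__":
    for name, outcome in demo().items():
        print(f"{name}: {outcome}")
```

Running the file prints one line per case; the "http_origin" case is the reason the cert section above matters, since a browser on a plain-HTTP page never gets this far and a server that skipped the origin check would accept a response captured elsewhere.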

To host our server on port 443, we need some additional permissions:

  1. Run ps aux | grep beam to get the path of the beam binary. In my case, it's /home/ubuntu/.asdf/installs/erlang/21.1.4/erts-10.1.3/bin/beam.smp
  2. Run sudo setcap 'cap_net_bind_service=+ep' [the path of beam]
  3. Now your server can bind port 443 without running as root. The capability is attached to that binary file, so it has to be set again after an Erlang upgrade replaces it.

try

Open your domain and use your FIDO device to register.

Posted on 2019-02-26 22:23 by 硬撑2019