A FIDO2 native framework for iOS.
FIDO2/WebAuthn on the web depends heavily on each browser's implementation. A native library provides a stable, customizable user experience that does not vary from browser to browser.
- A modern project
- Modern Swift async/await rather than nested callbacks
- Support for the latest FIDO spec
- Use OS native libraries wherever possible
- Keep the external APIs as simple as possible and speak the programmer's language
- Keep the source code structure as simple as possible
- registerAuthenticator
- authenticate
- listUserDevices
- delUserDevice
- Fido2Util.getDefaultRegisterOptions
- Fido2Core.reset
- Fido2Core.clearKeys
- Fido2Core.configExcaptionTimeoutWaiting
- Fido2Core.configMultipleCredByMultipleTransports
- Fido2Core.configInsideAuthenticatorResidentStorage
- Fido2Core.enabledInsideAuthenticatorResidentStorage
- Fido2Core.configInsideAuthenticatorSilentCredentialDiscovery
The SDK supports device registration by recovery session ID; refer to the 'Reg session user' button. The recovery session ID is the `rid` parameter in the recovery link.
The SDK uses the iOS native FIDO2 API (known as Passkeys) when 'passkey_sync' is set to true on the server. With Passkeys, keys are synchronized across all devices signed in to the same Apple account. iOS 16 fully supports Passkeys; on iOS 15 they must be enabled manually in the phone's developer settings. Limitations of the Passkeys path:
- Does NOT support discoverable credentials
- Does NOT honour excludeCredentials, so nothing stops multiple registrations on the same device. The SDK therefore provides an extra config, 'LibConfig.allowPasskeyMultipleRegistration', which performs that check before the Passkeys API is called.
- fido2-node (https://github.com/dqj1998/fido2-node.git)
- LINE FIDO2 server (https://github.com/line/line-fido2-server.git). **Does not support real non-resident credentials** and requires client-side cookie management for sessions.
One domain can serve multiple RPs by setting rp.id; the authenticator binds each credential to SHA-256(rp.id), not to the host name. This requires the fido2-node server.
Supports AAGUID checking for enterprise attestation:
- Register the enterprise rp.ids and AAGUIDs in the env file of the fido2-node server via ENTERPRISE_RPs and ENTERPRISE_AAGUIDs
- Call setPlatformAuthenticatorAAGUID and addEnterpriseRPIds on the SDK side
Note that an AAGUID is only as trustworthy as the attestation statement that signs over the authenticator data carrying it; the server must verify that attestation rather than accept a self-reported AAGUID.
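To make concrete what the server-side check behind these two steps amounts to, and why one domain can carry several rp.ids (the authenticator commits to SHA-256(rp.id), not to the host), here is an added Swift example. It is not code from this SDK or from fido2-node: the `EnterpriseAttestationPolicy` type, the sample AAGUIDs and the `app1.example.com` / `app2.example.com` rp.ids are assumptions made for illustration, and the authenticator data bytes are constructed inline.

```swift
import Foundation
import CryptoKit

/// Parsed view of WebAuthn authenticator data:
/// rpIdHash (32) || flags (1) || signCount (4) || [aaguid (16) || credIdLen (2) || credId || COSE key]
/// The attested credential data block is present only when the AT flag (0x40) is set.
struct AuthenticatorData {
    static let flagUP: UInt8 = 0x01
    static let flagUV: UInt8 = 0x04
    static let flagAT: UInt8 = 0x40

    let rpIdHash: Data
    let flags: UInt8
    let signCount: UInt32
    let aaguid: Data?        // nil when no attested credential data is present
    let credentialId: Data?

    /// Parses the fixed header and, when AT is set, the AAGUID and credential id.
    /// The COSE public key that follows the credential id is not interpreted here.
    static func parse(_ bytes: Data) -> AuthenticatorData? {
        let b = [UInt8](bytes)
        guard b.count >= 37 else { return nil }
        let rpIdHash = Data(b[0..<32])
        let flags = b[32]
        let signCount = b[33..<37].reduce(UInt32(0)) { ($0 << 8) | UInt32($1) }
        guard flags & flagAT != 0 else {
            return AuthenticatorData(rpIdHash: rpIdHash, flags: flags, signCount: signCount,
                                     aaguid: nil, credentialId: nil)
        }
        guard b.count >= 55 else { return nil }          // need aaguid + credIdLen
        let aaguid = Data(b[37..<53])
        let idLen = (Int(b[53]) << 8) | Int(b[54])
        guard idLen > 0, b.count >= 55 + idLen else { return nil }
        let credentialId = Data(b[55..<(55 + idLen)])
        return AuthenticatorData(rpIdHash: rpIdHash, flags: flags, signCount: signCount,
                                 aaguid: aaguid, credentialId: credentialId)
    }
}

/// Hypothetical policy object (not the SDK's or fido2-node's own type): each enterprise rp.id
/// maps to the set of AAGUIDs allowed to register under it, as lowercase hex without dashes.
struct EnterpriseAttestationPolicy {
    var allowedAAGUIDs: [String: Set<String>]

    enum Verdict: Equatable {
        case allowed
        case malformed
        case rpIdMismatch
        case noAttestedCredential
        case aaguidNotAllowed(String)
    }

    /// Checks that the authenticator data was produced for `rpId` (by recomputing
    /// SHA-256(rp.id), which is what lets several rp.ids share one domain) and that the
    /// AAGUID in the attested credential data is on that rp.id's allowlist.
    func evaluate(authData: Data, rpId: String) -> Verdict {
        guard let ad = AuthenticatorData.parse(authData) else { return .malformed }
        let expectedHash = Data(SHA256.hash(data: Data(rpId.utf8)))
        guard ad.rpIdHash == expectedHash else { return .rpIdMismatch }
        guard let aaguid = ad.aaguid else { return .noAttestedCredential }
        let hex = aaguid.map { String(format: "%02x", $0) }.joined()
        guard let allowed = allowedAAGUIDs[rpId], allowed.contains(hex) else {
            return .aaguidNotAllowed(hex)
        }
        return .allowed
    }
}

/// Constructed sample registration authenticator data, for demonstration only: UP|UV|AT flags,
/// signCount 0, the given AAGUID and credential id. The trailing COSE key is omitted because
/// the parser above does not read it.
func makeSampleAuthData(rpId: String, aaguid: [UInt8], credentialId: [UInt8]) -> Data {
    var d = Data(SHA256.hash(data: Data(rpId.utf8)))
    d.append(contentsOf: [AuthenticatorData.flagUP | AuthenticatorData.flagUV | AuthenticatorData.flagAT])
    d.append(contentsOf: [0, 0, 0, 0])
    d.append(contentsOf: aaguid)
    d.append(contentsOf: [UInt8(credentialId.count >> 8), UInt8(credentialId.count & 0xff)])
    d.append(contentsOf: credentialId)
    return d
}

// Two made-up AAGUIDs: only the first is enrolled for "app1.example.com".
let enrolledAAGUID: [UInt8] = Array(repeating: 0xa1, count: 16)
let unknownAAGUID: [UInt8] = Array(repeating: 0xb2, count: 16)
let policy = EnterpriseAttestationPolicy(
    allowedAAGUIDs: ["app1.example.com": [String(repeating: "a1", count: 16)]]
)

let fromEnrolledDevice = makeSampleAuthData(rpId: "app1.example.com", aaguid: enrolledAAGUID, credentialId: [1, 2, 3, 4])
let fromUnknownDevice = makeSampleAuthData(rpId: "app1.example.com", aaguid: unknownAAGUID, credentialId: [5, 6, 7, 8])

print(policy.evaluate(authData: fromEnrolledDevice, rpId: "app1.example.com"))
print(policy.evaluate(authData: fromEnrolledDevice, rpId: "app2.example.com"))   // same domain, other rp.id
print(policy.evaluate(authData: fromUnknownDevice, rpId: "app1.example.com"))
```

The first call yields `.allowed`. Evaluating the same bytes against `app2.example.com` fails on the rpIdHash even though both rp.ids sit under one domain, which is the property that ENTERPRISE_RPs relies on, and the unknown AAGUID is rejected with `.aaguidNotAllowed`. In a real verifier this check runs only after the attestation statement over the authenticator data has been validated; the AAGUID bytes alone are not evidence of anything.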
A device-bound key cannot be used to authenticate from a different device (or from another installation of the SDK). This feature is typically used to forcibly disable key synchronization across devices for a stronger security level. It requires the fido2-node server.