Out-of-Band and FIDO2 Authentication
FIDO Works Everywhere
Recent FIDO2 announcements from the FIDO Alliance, Google, and Microsoft signal the arrival of strong authentication on mainstream browsers. The secure hardware present in contemporary desktops, laptops, and mobile devices will be pressed into service to bring passwordless login to browsers. By extending web authentication to the browsers, FIDO2 partially closes the gap in natively supported platforms.
For all other devices that do not directly support FIDO, including the roughly 70% installed base of “legacy” Windows 7 machines and devices such as set-top boxes, there is Out-of-Band (OOB) FIDO authentication. OOB leverages the smartphones people already carry, allowing the phone to authenticate a session on the desktop. This approach lets older devices keep working in a FIDO-secured world.
What is Out-of-Band (OOB) Authentication?
OOB is a feature that Nok Nok provides to extend the FIDO authentication on your mobile device to other devices that don't directly support FIDO2 authentication. "Out-of-Band" simply means that the authentication signal travels over a second, separate communication channel; in this case, that signal is a Push Notification or a QR code.
OOB uses well-established methods of binding the phone to another device, thereby bringing legacy devices into the FIDO fold. Per NIST recommendations, OOB does not use SMS-based messaging for its secondary channel, but instead employs Push Notifications, via APNs, GCM, and FCM.
OOB doesn't require users to have a laptop with a built-in fingerprint reader or a hardware key store, such as a TPM chip: it works with any old device that has a browser. And besides bringing legacy and non-FIDO devices into a FIDO context, OOB enables innovative uses that might not be immediately obvious: OOB can be used for provisioning a new device from an existing one; and OOB can be set as the guaranteed fallback method for authentication when a situation warrants it.
The OOB User Experience
Suppose you've already registered with a FIDO-enabled site using your Android phone, and now want to access that same site from your laptop. From your laptop's browser, you begin by clicking a sign-in button. OOB kicks in and signals the Nok Nok Server, which in turn sends a Push Notification to your phone. Alternately, the Server could send a QR code back to your laptop's browser.
The sequence of interactions with the user is shown here:
On your phone, the Push Notification triggers the Nok Nok Passport App to prompt you for your fingerprint. Your response is sent back to the Nok Nok Server (this is the "Out-of-Band" signal), which in turn grants you access to the website in your laptop's browser session.
If the system is configured to use QR codes, you'd launch the Nok Nok Passport App on your phone and manually scan the QR code displayed on the laptop screen. This "Out-of-Band" response would be sent to the Nok Nok Server, which in turn would grant you access to the website on your laptop.
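The push and QR flows above both end in the same server-side decision. The Go sketch below is an added example, not Nok Nok's SDK or server code: it stands in for a relying-party server, uses an Ed25519 key pair in place of the phone's FIDO authenticator key, and shows the challenge being bound to the laptop's browser session, consumed on first use, expired after a TTL, and verified against the key enrolled at registration before the browser session is signed in.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"encoding/base64"
	"errors"
	"time"
)

// OOBServer is a constructed stand-in for the relying party's server (not Nok Nok's product).
type OOBServer struct {
	Registered map[string]ed25519.PublicKey // user -> phone key enrolled at registration
	Pending    map[string]Challenge         // challenge id -> challenge awaiting its answer
	TTL        time.Duration                // how long a push/QR challenge stays valid
	Now        func() time.Time             // injectable clock, so expiry can be exercised
}
// Challenge records who is logging in and which laptop browser session is waiting.
type Challenge struct{ user, session string; issued time.Time }

// StartLogin runs when the user clicks sign-in on the laptop. The returned bytes go out of
// band to the phone (push body or QR code) and bind a fresh random challenge to this session.
func (s *OOBServer) StartLogin(user, session string) (string, []byte, error) {
	nonce := make([]byte, 32)
	if _, err := rand.Read(nonce); err != nil {
		return "", nil, err
	}
	id := base64.RawURLEncoding.EncodeToString(nonce)
	s.Pending[id] = Challenge{user, session, s.Now()}
	return id, []byte(id + "|" + session), nil
}
// PhoneSign is the phone's part: once the biometric prompt succeeds, sign the OOB payload.
func PhoneSign(priv ed25519.PrivateKey, oob []byte) []byte { return ed25519.Sign(priv, oob) }
// CompleteLogin consumes the challenge on first use, rejects it if expired, and signs the
// waiting browser session in only if the signature verifies under the user's enrolled key.
func (s *OOBServer) CompleteLogin(id string, sig []byte) (string, error) {
	c, ok := s.Pending[id]
	if !ok {
		return "", errors.New("unknown or already used challenge")
	}
	delete(s.Pending, id) // single use, whether or not verification succeeds
	if s.Now().Sub(c.issued) > s.TTL {
		return "", errors.New("challenge expired")
	}
	pub := s.Registered[c.user]
	if len(pub) != ed25519.PublicKeySize || !ed25519.Verify(pub, []byte(id+"|"+c.session), sig) {
		return "", errors.New("no enrolled key or signature does not verify")
	}
	return c.session, nil
}
```

The caller initialises both maps and sets `Now` to `time.Now`; a replayed, expired, or wrongly signed response never reaches the waiting browser session.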
Implementing OOB in your Web app
Consistent with the rest of the Nok Nok App SDK, using OOB to extend security to legacy devices is easy. As a developer, you don't need to craft a special case for each authentication scenario: you simply write to a single API, and the App SDK does the right thing based on the platform you're connecting to.
For example, to start authentication, there is one call to make:
With OOB, your older devices continue to be useful in the modern era of strong FIDO authentication. To see just how easy OOB, FIDO2, and other FIDO protocols are to use, sign up for a demo now.