Preface

As people pay more and more attention to the security of their personal information, users expect ever higher security from apps, especially financial apps, many of which already support fingerprint and 3D face login. Compared with traditional login methods, fingerprint and 3D face login remove the steps of entering an account name, a password and a verification code, which both maximizes convenience for users and protects the privacy of their information. So how do you add fingerprint/face login to your own app?

Just integrate the HMS Core Fast Identity Online (FIDO) service to enable fingerprint and 3D face login in your app.

What is HMS Core FIDO2?

Fast Identity Online (FIDO) is an identity authentication framework protocol. The FIDO Alliance was established in July 2012 and by May 2019 had grown to 251 leading member companies; it has published the UAF and U2F specifications and launched the FIDO 2.0 project. FIDO Alliance member list: fidoalliance.org/members/

(Figure: examples of FIDO Alliance members)

The Fast Identity Online (FIDO) specifications aim to provide a universal, secure and convenient solution for password-free and multi-factor online user authentication. They apply to any scenario that requires user identity authentication, such as login, transfer and payment. The FIDO2 (pronounced “FIDO two”) specification defines a strong authentication solution.

The typical application scenarios of FIDO2 are as follows:

  • Fingerprint/3D face login;
  • Fingerprint/3D face transfer/payment;
  • Two-factor authentication.

In this issue we cover the first scenario: fingerprint/3D face login. When logging in to an account in the app, users do not enter a password at all; they only verify their fingerprint or 3D face to complete the login, which avoids security risks such as password leakage and credential stuffing.

Scene demonstration

The GIF below shows how FIDO2 performs fingerprint/3D face login.

How does HMS Core FIDO2 do that?

The FIDO specification defines a technical framework for online identity authentication. In addition to the application and the application server, the framework has three components: the FIDO authenticator, the FIDO client and the FIDO server.

  • FIDO authenticator: the mechanism or device used for local authentication; there are platform authenticators and roaming authenticators. When facing end users, authenticators are often referred to as security keys.

      • Platform authenticator: an authenticator built into the device that uses FIDO, such as the fingerprint-hardware-based authenticator of a mobile phone or laptop.

      • Roaming authenticator: an authenticator separate from the device that uses FIDO and connected to it via Bluetooth, NFC or USB, such as a U-shield-style key or a dynamic token.

  • FIDO client: integrated into platforms such as Windows, macOS and HMS Core, which provide an SDK for application integration, or into a browser (such as Chrome, Firefox and Huawei Browser), which provides JavaScript APIs for service integration. The FIDO client is the bridge between the FIDO server and the FIDO authenticator.

  • FIDO server: when the application server initiates FIDO authentication, the FIDO server generates an authentication request that conforms to the FIDO specifications and sends it to the application server. After the FIDO authenticator completes local authentication, the FIDO server receives the FIDO authentication response from the application server and verifies it.

The FIDO specification defines two main processes: registration and authentication. In the user-login scenario, the registration process corresponds to enabling fingerprint/3D face login, and the authentication process corresponds to logging in with fingerprint/3D face.

In the registration process, the FIDO authenticator generates a user public/private key pair as the authentication credential. The private key stays in the FIDO authenticator and the public key is sent to the FIDO server for storage. At the same time, the FIDO server records the association between the user and the credential for use in the authentication process.

In the authentication process, the FIDO authenticator signs the challenge value with the user private key, the FIDO server verifies the signature with the stored user public key, and the user is treated as legitimate only if the signature verifies.
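To make the two processes concrete, here is an added example in Go (not from the original article or the HMS SDK) that plays both sides of the flow: Register stands for the key pair created on the authenticator during registration, Sign for the authenticator answering a challenge, and VerifyAssertion for the FIDO server's checks (binding to the relying party, signature over the issued challenge, strictly increasing counter). It simplifies the FIDO2/WebAuthn formats: the client data is the raw challenge rather than JSON, the authenticator data carries only the RP ID hash, flags and counter, and the relying party ID and challenge bytes used by the caller are assumptions.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Register plays the registration step: the authenticator creates a key pair and hands over only the public key.
func Register() (*ecdsa.PrivateKey, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return priv, &priv.PublicKey
}

// signedDigest is the FIDO2 signature base SHA-256(authData || SHA-256(clientData)); clientData is the raw challenge here (simplification).
func signedDigest(authData, challenge []byte) []byte {
	h := sha256.Sum256(challenge)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// Sign plays the authenticator after local fingerprint/3D face verification; simplified authData: rpIdHash(32) || flags(1; 0x01 = user present) || counter(4).
func Sign(priv *ecdsa.PrivateKey, rpID string, challenge []byte, count uint32) (authData, sig []byte) {
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], count)
	sig, _ = ecdsa.SignASN1(rand.Reader, priv, signedDigest(authData, challenge))
	return authData, sig
}

// VerifyAssertion plays the FIDO server: RP binding and user presence, a valid signature over the challenge it issued, and a counter above the stored one.
func VerifyAssertion(pub *ecdsa.PublicKey, lastCount *uint32, rpID string, challenge, authData, sig []byte) error {
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x01 == 0 {
		return errors.New("authData not bound to this RP or user not present")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(authData, challenge), sig) {
		return errors.New("bad signature: wrong key, tampered data or stale challenge")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count <= *lastCount {
		return errors.New("counter did not increase: possible cloned authenticator or replay")
	}
	*lastCount = count
	return nil
}
```

A real server also draws the challenge randomly per login attempt and discards it after one use, so that a captured assertion cannot be presented twice.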

How to integrate Huawei HMS Core FIDO2?

Pre-development preparation

Preparing for FIDO2 integration is very simple: apart from the AppGallery Connect (AGC), Maven and obfuscation configuration that any HMS SDK needs, just add the FIDO2 build dependency with the following coordinates:

    implementation 'com.huawei.hms:fido-fido2:5.0.0.301'

Development

FIDO2 is split into two operations, registration and authentication, which follow a similar flow. The key code is as follows:

  1. Initialize a Fido2Client instance:

       Fido2Client fido2Client = Fido2.getFido2Client(activity);

  2. Obtain the challenge value and the associated policies from the FIDO server and assemble the request message. (Only the FIDO client API is covered here; the interaction with the FIDO server is governed by the relevant specifications, so contact your FIDO server supplier for its interface description.) Then call Fido2Client.getRegistrationIntent() for registration or Fido2Client.getAuthenticationIntent() for authentication. In the callback, call Fido2Intent.launchFido2Activity() to start registration (requestCode Fido2Client.REGISTRATION_REQUEST) or authentication (requestCode Fido2Client.AUTHENTICATION_REQUEST). The callback is executed on the main thread.

       fido2Client.getRegistrationIntent(registrationRequest, registrationOptions, new Fido2IntentCallback() {
           @Override
           public void onSuccess(Fido2Intent fido2Intent) {
               // Hand off to the HMS Core FIDO2 UI; the result arrives in onActivityResult()
               fido2Intent.launchFido2Activity(XXXActivity.this, Fido2Client.REGISTRATION_REQUEST);
           }

           @Override
           public void onFailure(int errorCode, CharSequence errString) {
               // TAG is the activity's log tag; android.util.Log.e() requires it as the first argument
               Log.e(TAG, "errorCode: " + errorCode + ", errorMsg: " + errString);
           }
       });

  3. In the Activity.onActivityResult() callback, call Fido2Client.getFido2RegistrationResponse() or Fido2Client.getFido2AuthenticationResponse() to obtain the registration or authentication result:

       Fido2RegistrationResponse fido2RegistrationResponse = fido2Client.getFido2RegistrationResponse(data);

  4. Send the registration or authentication result to the FIDO server for verification.

(Only the FIDO client API is covered here; the interaction with the FIDO server is governed by the relevant specifications, so contact your FIDO server supplier for its interface description. That code is omitted.)

For more information

The Huawei developer website also provides demos, sample code and development documents. GitHub demo and sample code: github.com/HMS-Core/hm…

Huawei FIDO2 video course: developer.huawei.com/consumer/cn…

Development guide: developer.huawei.com/consumer/cn…

API reference: developer.huawei.com/consumer/cn…

Coming up next

Next time we will continue with the FIDO service and cover FIDO2 custom development capabilities, the authenticator selection strategy and UI customization, followed by hands-on experience sharing. Stay tuned~


Original link: developer.huawei.com/consumer/cn…

Don’t eat strawberries