U2F authentication library

This is a simple library to register and check signatures provided by U2F clients/devices. It's intended to be used in Relying Parties - websites that want to add U2F 2-factor authentication for their users.

To use U2F, it is recommended to familiarize yourself with FIDO Alliance Specifications, although basic usage is shown below.

U2F Overview/properties

U2F provides hardware-based 2-nd factor authentication system. Public/private key infrastructure is used to ensure good security.

Provides proof of posession of hardware key, plus user presence flag.

Public/private key pairs are specific to website origin and 'application id'. Keys are useless if used from other origins.

Needs to be stored on server for each user: Key handle and public key (both strings).

Cannot be used as main authentication system because server needs to provide unique key handle to the user to get the signature.

Basic usage

User Registration Flow

Server endpoints:

const u2f = require ( 'u2f' ); const APP_ID = ... function registrationChallengeHandler(req, res) { const registrationRequest = u2f.request(APP_ID); req.session.registrationRequest = registrationRequest; return res.send(registrationRequest); } function registrationVerificationHandler ( req, res ) { const result = u2f.checkRegistration(req.session.registrationRequest, req.body.registrationResponse); if (result.successful) { return res.sendStatus( 200 ); } return res.send({result}); }

Client logic:

Note that the window.u2f object is defined in the official Javascript U2F API, for which a polyfill is available as an npm module.

const registrationRequest = ... window .u2f.register(registrationRequest.appId, [registrationRequest], [], (registrationResponse) => { });

User Authentication Flow

Server endpoints:

const u2f = require ( 'u2f' ); function authenticationChallengeHandler ( req, res ) { const keyHandle = ... const authRequest = u2f.request(APP_ID, keyHandle); req.session.authRequest = authRequest; return res.send(authRequest); } function authenticationVerificationHandler ( req, res ) { const publicKey = ... const result = u2f.checkSignature(req.session.authRequest, req.body.authResponse, publicKey); if (result.successful) { return res.sendStatus( 200 ); } return res.send({result}); }

Client logic:

const authRequest = ...; window .u2f.sign(authRequest.appId, authRequest.challenge, [authRequest], (authResponse) => { });

http://demo.yubico.com/u2f

https://github.com/Yubico/python-u2flib-server

TODO

Provide instructions for client-side. How to get the 'u2f' namespace, what browsers are supported.

Change API to enable multiple keyhandle/publickey pairs for a single user.

Unpack registration certificate and check its own signature and time constraints.

License

MIT