No content

Who Am I? - Working on FIDO2, UAF since 2015  - Security Engineer 

Agenda - What’s FIDO? - History of FIDO works and activities - Details of LINE FIDO2 Server - How to contribute? - Future works  

What’s FIDO?  

Fast IDentity Online  

Passwords are Risky!  Rainbow table Key logging Phishing Social engineering A A 

FIDO is the Future of Logins More Secure Easier Safer  

How does FIDO work? It’s based on the public key cryptography It’s based on the public key cryptography  Challenge (random number) Response (signature) Success or fail User gesture Prompt user gesture User verification FIDO Protocol Unlock private key Verify signature(/w public key) 

History of FIDO works and activities  

FIDO Alliance Board member Our Journey with FIDO 2020 LINE BK LINE Passwordless 2018 FIDO Universal Server Certification 2021 FIDO Developer Challenge Open source release 2019 FIDO Hackathon LINE Pay 2017  

Board Member X  May, 2017 

FIDO Working Group Korea Working Group Japan Working Group - Vice Chair  2017 - 2021 APAC Marketing Forum 

Universal Server Certification  Dec, 2018 

FIDO Hackathon in Korea https://fidoalliance.org/fido-authentication-developer-support-program-fido-hackathon-in-korea/  April - Dec, 2019 

FIDO Hackathon in Korea  April - Dec, 2019 

LINE Pay X FIDO  Sep, 2019 

LINE BK X FIDO  Oct, 2020 

Passwordless LINE X FIDO Login Push Success Authentication iOS Android Primary LINE App Secondary LINE App iPad Mac Windows  Nov, 2020 

FIDO Developer Challenge Judgement https://fidoalliance.org/fido-developer-challenge/  Jul - Oct, 2021 

Release to Open source  Aug, 2021 

LINE DEVELOPER DAY 2019  https://linedevday.linecorp.com/jp/2019/sessions/D1-1 Strong Customer Authentication & Biometrics Using FIDO 

LINE DEVELOPER DAY 2020  Secure LINE login with biometrics key replacing password https://linedevday.linecorp.com/2020/en/sessions/7365 

LINE DEVELOPER DAY 2020  https://linedevday.linecorp.com/2020/en/sessions/8802 Cross-platform Mobile Security at LINE 

LINE Engineering Blog  https://engineering.linecorp.com/en/blog/fido-at-line/ https://engineering.linecorp.com/en/blog/fido-at-line-fido2-server-opensource/ 

Details of LINE FIDO2 Server  

Three Standards of FIDO UAF (Since 2014 - ) Mobile Support Android/iOS U2F (2014 - ) Using Hardware Key FIDO2 (2018 - ) Mobile/Desktop/Web Support  Passwordless Login 2FA Passwordless Login + 2FA 

Features of FIDO2 Standard  - Consists of two specifications (CTAP + WebAuthn) 

FIDO2 is the Newest set of Specifications FIDO2 FIDO2 CTAP W3C WebAuthn Platform proprietary Server Client Platform Authenticator External Authenticator USB/NFC/Bluetooth 

Features of FIDO2 Standard - Major browser support  - Consists of two specifications (CTAP + WebAuthn) 

 https://fidoalliance.org/fido2/fido2-web-authentication-webauthn Platform/Browser Support Updated Jun, 2020 

Features of FIDO2 Standard - Major browser support - Native API support - Windows10, Android  - Backward compatibility for U2F - Consists of two specifications (CTAP + WebAuthn) 

LINE FIDO2 Server & Client Overview LINE FIDO2 Combo (Android,iOS) Relying Party LINE FIDO2 Server Client Server 

LINE FIDO2 Server & Client Overview Open source LINE FIDO2 Combo (Android,iOS) Relying Party LINE FIDO2 Server Client Server 

Open sourced Server Modules server FIDO2 Server application  spring-boot-starter FIDO2 Server wrapped in a Spring boot starter rp-server Simple RP Implementation with Web page for Test common FIDO2 Common Message classes 

Server stack LINE FIDO2 Server is built on top of Spring Boot Crypto COSE JWT BouncyCastle Security Storage MySQL Redis H2 Jackson Lombok Swagger Utilities/Helpers CBOR Retrofit2 Services Spring Boot Data-Jpa Data-Redis Web Logging Validation JDBC Test Challenge Response Attestation Metadata UserKey Session Mds v2 X.509 

Attestation features Attestation types Basic Self Attestation CA None Anonymization CA Attestation formats Packed TPM Android Key Attestation Android SafetyNet FIDO U2F None Apple Anonymous  

Attestation features Attestation types Basic Self Attestation CA None Anonymization CA Attestation formats Packed TPM Android Key Attestation Android SafetyNet FIDO U2F None Apple Anonymous  

Quickstart Guide - Run rpserver and server or line-fido2-spring-boot-demo - Connect to http://localhost:8080/  

Quickstart Guide - You can Register, Authenticate and check the result. - Username and display name are required when starting registration - You can also test various additional functions by selecting several options.  

Quickstart Guide External Properties - rpserver spring: profiles: active: local config: use-legacy-processing: true server: port: 8080 logbook: write: level: INFO obfuscate: headers: - host - origin - referer - user-agent - accept-encoding exclude: - /health fido2-server: scheme: http host: localhost port: 8081 endpoint: get-reg-challenge: /fido2/reg/challenge get-auth-challenge: /fido2/auth/challenge send-reg-response: /fido2/reg/response send-auth-response: /fido2/auth/response get-delete-credentials: /fido2/credentials spring: profiles: active: local resources: chain: cache: false fido2: rp: id: localhost origin: localhost port: 8080 conformance: url: http://localhost:8080 logging: level: org.springframework.web: DEBUG org.hibernate: DEBUG com.linecorp.line: DEBUG  rpserver/../resources/application.yaml rpserver/../resources/application-local.yaml 

Quickstart Guide External Properties - FIDO2 server … server: port: 8081 fido: … fido2: session-ttl-millis: 180000 accept-unregistered-authenticators: true logbook: write: level: INFO category: http.wire-log obfuscate: headers: … exclude: - /health mds: enable-mds : false sources: # if you want to use mds service please see below # https://fidoalliance.org/metadata/ - name: fido-mds-v2 enabled: true endpoint: https://mds2.fidoalliance.org/ access-token: xxx root-certificates: - xxx spring: profiles: active: local server: port: 8081 redis: host: localhost port: 6379 password: logging: level: com.linecorp.line: DEBUG org.springframework.web: DEBUG org.hibernate: DEBUG h2: console: enabled: true settings: web-allow-others: true  server/../resources/application.yaml server/../resources/application-local.yaml 

Quickstart Guide data.sql -- test rp insert into rp (id, name, description) values('localhost', 'example1', 'example1');  server/../resources/data.sql 

Demo  Registration 

Demo  Registration 

Demo  Authentication 

Demo  Authentication 

FIDO Play service Client architecture  FIDO2 GMS Core LINE Authenticator LTSM Native Authenticator External Authenticator LINE FIDO2 Glue Layer (Abstraction) RP App (Activity) RP App (View) LINE FIDO2 Combo (FIDO2 Client, Authenticator Logic) LTSM (LINE Trusted Security Module) KAL (KeyChain Abstraction Layer) WAL (Whitebox Abstraction Layer) Abstraction layer supporting both Android native authenticator and LINE authenticator Uses Touch ID and Face ID as UV and leverages WBC (Whitebox cryptography) for attestation CTAP2 Single API entry point iOS Android 

How to contribute?  

https://github.com/line/line-fido2-server  

README & CONTRIBUTING  

Wiki  

Find or Create an issues to contribute  

Sign CLA  

PR Review and Merge  

Future Works  

Roadmap As an open source project More Features Tech documents  Library Distribution 

Roadmap Inside LINE More LINE services Other Platforms  Sharing knowledge 

TRY OUR OPEN SOURCE! WELCOME YOUR STAR AND LOVE!