Updating FIDO U2F to WebAuthn

Back in 2018 I published a post on adding support for FIDO U2F second factor authentication to a flask application. At the time, FIDO U2F was a relatively new technology and, based in part on its development, work had already begun on a new standard. The Web Authentication (WebAuthn) proposal had been published as a draft in 2016 and reached the recommendation standard by 2019.

I recently revisited a project that included FIDO U2F support and realised that the packages I used in the original post were no longer supported with WebAuthn recommended as the successor.

When first searching for alternative packages I found this site and the associated python package. I then paired this with SimpleWebAuthn on the frontend. Unfortunately I was only able to get registering the device to work with this combination and the actual authentication failed.

A major driver between the switch from FIDO U2F to WebAuthn has been a desire to support alternative devices such as the fingerprint scanners on many laptops and phones. Although the demo on webauthn.io works with my device I was unable to create a working implementation. I suspect I may simply have some incompatible settings but I switched to the FIDO2 server implementation from Yubico and quickly had a working solution.

The code created in the original blog post has now been updated and can be found in the github repository.

Post a comment ...

Adding second factor authentication with FIDO U2F

This is the first semester since the Fall of 2015 that I have not taught a course with the Foundation for Advanced Education in the Sciences. It was a pleasure teaching and I was lucky enough to spend most of my time on a course I had designed. For the Spring 2016 semester I designed the syllabus and began teaching a course on machine learning and object oriented python. I chose to include a web application as I felt it exposed the students to some unfamiliar ideas.

Most of the students were fellow scientists. Many only had previous experience writing scripts for use in their own research. Not trusting user input was often a novel concept. During the course I only had a couple of hours to introduce web applications. This meant I skipped over many important topics. I intend this post to be the first in a collection moving beyond the basics for anyone still new to these concepts. I will start with a basic background but the actual implementation will hopefully be new for most. If implementing web application authentication is familiar to you then skip ahead to the implementation.

Let me know if there are topics you think I should cover moving forward.

In this post I will cover authentication, specifically adding a second authentication factor for additional security.

Continue reading ...