HUAWEI FIDO2 Fingerprint and 3D Facial Sign-in Technology

Search This thread

Jack Wu Shenzhen

Senior Member
Feb 11, 2020
65
7
shenzhen
Overview
Users have come to prioritize data security and privacy issues, in the wake of the full-scale digitalization of society, and have thus placed more stringent requirements on apps. To provide for top-notch security, many apps, in particular finance and payment apps, have incorporated biometric safeguards, such as fingerprint and 3D facial sign-in mechanisms. Fingerprint and 3D facial sign-in methods free users from the considerable hassle associated with repeatedly entering the account number, password, and verification code, delivering enhanced convenience alongside bolstered security.
You might have assumed that fingerprint and 3D sign-in are too costly or time-intensive to integrate into your app, but it’s actually remarkably easy. All you need to do is to integrate HMS Core FIDO into your app, and you'll be good to go!
What Is HMS Core FIDO2?
Fast Identity Online (FIDO) is an identity authentication framework protocol hosted by the FIDO Alliance. The FIDO Alliance, established in July 2012, has grown to encompass 251 members as of May 2019, including many of the leading vendors in the world. FIDO offers two series of technical specifications, UAF and U2F, and the launch of the FIDO 2.0 project represents a new era of enhanced identity authentication. To learn more about the members of the FIDO Alliance, please visit https://fidoalliance.org/members/.
Select FIDO Alliance Members
The FIDO specification aims to provide a universal, secure, and convenient technical solution for verifying online users' identities, under a multi-faceted, password-free model. It is applicable to a broad range of scenarios, including sign-in, transfer, and payment, in which the user identity needs to be verified. The FIDO2 specification outlines a powerful, comprehensive and versatile identity verification solution.
FIDO2 has three main application scenarios:
1) Fingerprint and 3D facial sign-in
2) Fingerprint and 3D facial transfer and payment
3) Two-factor authentication
This issue will address the first: fingerprint and 3D facial sign-in. Under this scenario, a user can sign in to an app through fingerprint or 3D facial authentication without entering a password, avoiding such risks as password leakage, and credential stuffing.
Demos
The videos below illustrate in detail how FIDO2 fingerprint and 3D facial sign-in are implemented.
(1) Fingerprint sign-in
(Video 1)
(2) 3D facial sign-in
(Video 2)
How Does HMS Core FIDO2 Work?
The FIDO specification outlines a technical framework for online identity verification. This framework encompasses the app and app server, as well as the FIDO authenticator, FIDO client, and FIDO server.
 FIDO authenticator: A mechanism or device used for local authentication. FIDO authenticators are classified into platform authenticators and roaming authenticators. Authenticators are better known as security keys to end users.
- Platform authenticator: An authenticator integrated into a FIDO-enabled device, such as an authenticator based on the fingerprint recognition hardware in a mobile phone or laptop.
- Roaming authenticator: An authenticator connected to a FIDO-enabled device that uses Bluetooth, NFC, or a USB cable, such as an authenticator with a similar shape to a USB key, or a dynamic token.
 FIDO client: A client integrated into the platform, such as Windows, MacOS, or Android with HMS Core (APK), that provides the SDK for apps; or a client integrated into browsers, such as Chrome, Firefox, or Huawei Browser, that provides JavaScript APIs for apps. The FIDO client serves as a bridge for the app in calling the FIDO server and FIDO authenticator to complete authentication.
 FIDO server: A server that generates an authentication request in compliance with FIDO specifications. The request is sent to the app server when it needs to initiate FIDO authentication. Once the FIDO authenticator has completed local authentication, the FIDO server will receive a FIDO authentication response from the app server, and verify the response.
There are two major processes associated with the FIDO specification: registration and authentication. With regard to sign-in scenarios, the registration process involves enabling the fingerprint or 3D facial sign-in function, and the authentication process involves completing sign-in via fingerprint or 3D facial authentication.
During registration, the FIDO authenticator will generate a public-private key pair for the user, which is then used as the authentication credential. The private key is stored in the FIDO authenticator, while the public key is stored on the FIDO server. In addition, the FIDO server will associate the user with the authentication credential.
During authentication, the FIDO authenticator will add a signature to the challenge value using the private key, and the FIDO server will verify the signature using the public key. The user is deemed as valid if the signature passes the verification.
Preparations
Before integrating FIDO2, you will need to configure your app information in AppGallery Connect, Maven repository address, and obfuscation scripts. You will also need to add build dependencies on FIDO2. The sample is as follows:
implementation 'com.huawei.hms:fido-fido2:5.0.0.301'
Development
FIDO2 includes two operations: registration and authentication. The processes are similar for the two operations. Key steps and code are shown below:
1. Initialize a Fido2Client instance.
Fido2Client fido2Client = Fido2.getFido2Client(activity);
2. Call Fido2Client.getRegistrationIntent() to initiate registration, or call Fido2Client.getAuthenticationIntent() to initiate authentication.
Obtain the challenge value and related policy from the FIDO server, and initiate a request. (Only the FIDO client APIs are provided here. For details about the interaction with the FIDO server, please refer to related specifications and contact the FIDO server vendor to obtain the related API reference.)
Call Fido2Client.getRegistrationIntent() to initiate registration, or call Fido2Client.getAuthenticationIntent() to initiate authentication.
Call Fido2Intent.launchFido2Activity() in the callback to start registration (requestCode: Fido2Client.REGISTRATION_REQUEST) or authentication (requestCode: Fido2Client.AUTHENTICATION_REQUEST). The callback will be executed in the main thread.
fido2Client.getRegistrationIntent(registrationRequest, registrationOptions, new Fido2IntentCallback() {
@override
public void onSuccess(Fido2Intent fido2Intent) {
fido2Intent.launchFido2Activity(XXXActivity.this, Fido2Client.REGISTRATION_REQUEST);
}
@override
public void onFailure(int errorCode, CharSequence errString) {
Log.e("errorCode: "+ errorCode + ", errorMsg: " + errString);
}
});
3. Call getFido2RegistrationResponse() or Fido2Client.getFido2AuthenticationResponse() in the callback Activity.onActivityResult() to obtain the registration or authentication result.
Fido2RegistrationResponse fido2RegistrationResponse = fido2Client.getFido2RegistrationResponse(data);
4. Send the registration or authentication result to the FIDO server for verification.
(Only the FIDO client APIs are provided here. For details about the interaction with the FIDO server, please refer to related specifications and contact the FIDO server vendor to obtain the related API reference. Relevant code is omitted here.)

More
Relevant demos, sample code, and development documents are also available on the HUAWEI Developers website.
GitHub demo and sample code:
https://github.com/HMS-Core/hms-FIDO-demo-java
HUAWEI FIDO2 MOOC video:
https://developer.huawei.com/consumer/en/training/detail/101583008688294169
Development guide:
https://developer.huawei.com/consum...re-Guides-V5/introduction-0000001051069988-V5
API reference:
https://developer.huawei.com/consum...ferences-V5/fido2overview-0000001050176660-V5
Coming Next
The next issue will delve into custom development, authenticator selection policies, and UI customization for FIDO2, with revealing firsthand testimony. Stay tuned!