Secure passwordless logins with FIDO2 and LDAP

Access Granted

Article from ADMIN 62/2021
Log in to your account securely without a password with LDAP and a schema to establish the objects and attributes required for FIDO2 authentication.

Recently, FIDO2 and the passwordless authentication that goes with it have been in focus. As long as you base your login on a flexible database system, you can simply add the required fields for one or more public keys. To store the required information in Lightweight Directory Access Protocol (LDAP), as well, you need to extend the schema and define your own object and attribute types.

FIDO2 is a milestone of passwordless authentication. When logging in, the user's browser receives a challenge and has to sign it with the user's private key so that the service provider can validate the signature against the stored public keys. If validation is successful, the login is considered complete.

One advantage of public key procedures such as FIDO2 is that service providers and users no longer have to share a secret, including secrets that are used for two-factor authentication. Therefore, these secrets can no longer be lost on either side. In case of an attack, all the attacker gets is a user's public key, and as the name suggests, this key can be widely known. Logging in to the service itself or to other services in which the user has deposited the same key remains impossible. To make sure a user is not left without access if a private key is lost, most FIDO2 implementations allow the direct storage of several public keys or different security tokens.

Extending the LDAP Schema

The LDAP schemas normally available (e.g., from the OpenLDAP distribution) do not provide the objects needed to store the information required for FIDO2 authentication directly within the directory. Like other database systems, LDAP lets you extend the set of storable objects by adding an appropriate schema. Once you have successfully loaded a schema, you can create the objects to match directly afterward. To prevent confusion, each schema is assigned an individual identification number. Globally unique object
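As an added illustration of the schema extension this section describes (not code from the article), here is a minimal OpenLDAP cn=config schema that defines attribute types for a FIDO2 credential ID and public key and an object class that stores each registered authenticator as a child entry under the user, so several keys per user can be kept without losing the pairing of ID and key. The attribute names, the structural-child layout and the OID arc 1.3.6.1.4.1.99999 are my own choices; the arc is a placeholder and must be replaced by an enterprise number you control.

```ldif
# fido2.ldif: added example schema, load with
#   ldapadd -Y EXTERNAL -H ldapi:/// -f fido2.ldif
# PLACEHOLDER OID arc: replace 99999 with your own IANA Private
# Enterprise Number so the attribute and class OIDs stay globally unique.
dn: cn=fido2,cn=schema,cn=config
objectClass: olcSchemaConfig
cn: fido2
# Credential ID as the authenticator reports it (base64url text).
# IA5 String syntax, exact match: two IDs differing only in case differ.
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1.1 NAME 'fido2CredentialId'
  DESC 'Credential ID returned by the authenticator at registration'
  EQUALITY caseExactIA5Match
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.26 SINGLE-VALUE )
# Public key bytes (e.g. the COSE-encoded key). Octet String syntax;
# the value is opaque to the directory and only compared byte-for-byte.
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1.2 NAME 'fido2PublicKey'
  DESC 'Public key used to verify signed challenges'
  EQUALITY octetStringMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.40 SINGLE-VALUE )
# Last signature counter seen from this authenticator; a value that does
# not increase between logins is a sign of a cloned authenticator.
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1.3 NAME 'fido2SignCount'
  DESC 'Last accepted authenticator signature counter'
  EQUALITY integerMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.27 SINGLE-VALUE )
# Free-text label so the user can tell tokens apart ("backup key").
olcAttributeTypes: ( 1.3.6.1.4.1.99999.1.1.4 NAME 'fido2Description'
  DESC 'Human-readable label for the authenticator'
  EQUALITY caseIgnoreMatch
  SYNTAX 1.3.6.1.4.1.1466.115.121.1.15 SINGLE-VALUE )
# One entry per registered authenticator, created below the user entry,
# e.g. fido2CredentialId=<id>,uid=alice,ou=people,dc=example,dc=org.
# Multiple such children give the user several valid keys, as the
# article recommends, while each key keeps its own ID and counter.
olcObjectClasses: ( 1.3.6.1.4.1.99999.1.2.1 NAME 'fido2Credential'
  DESC 'A FIDO2 credential registered for the parent user entry'
  SUP top STRUCTURAL
  MUST ( fido2CredentialId $ fido2PublicKey )
  MAY ( fido2SignCount $ fido2Description ) )
```

The service that verifies logins should read all fido2Credential children of the user, pick the one whose fido2CredentialId the browser presents, check the signature against fido2PublicKey and only then write back the new fido2SignCount.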
