U2F API.com – a hosted service for handling hardware two factor authentication #U2F #2FA #API

U2FAPI.com is a hosted service for handling hardware two-factor authentication, to make it easy for you to implement a secure alternative to SMS as a 2FA option. It requires your users to have a hardware security key such as the HyperFIDO – but by using this free API, it greatly simplifies the process by moving the crypto code off your server.
To use U2F two-factor authentication you will need a U2F-compatible hardware key such as the HyperFIDO. Your website must be served via HTTPS, and you will also need to include a script tag for U2F.js as follows:
Then, to register, you would use code such as:
```javascript
// Registration request. 'RegisterChallenge' is a fixed placeholder here;
// a relying party supplies a fresh random challenge for each request.
let registerRequest = {
  challenge: 'RegisterChallenge',
  version: 'U2F_V2'
};

// The first argument is the appId: the HTTPS origin of this page.
u2f.register("https://" + window.location.host, [registerRequest], [],
  (response) => {
    fetch('https://www.u2fapi.com/api.aspx', {
      method: 'post',
      body: JSON.stringify({
        action: "REGISTER",
        data: response.registrationData
      })
    }).then(function (response) {
      return response.json();
    }).then(function (data) {
      // The KeyHandle identifies this registered key; keep it for later sign calls.
      alert(data.WebSafeKeyHandle);
    });
  }
);
```
This registers the U2F device and returns a KeyHandle, which you need to store for future logins (signing).
Then, when the user logs in, you use the sign method as follows:
```javascript
// The key handle stored at registration tells the device which key pair to use.
let registeredKey = {
  keyHandle: keyHandle,
  version: 'U2F_V2'
};

// 'SigningChallenge' is a fixed placeholder; use a fresh random challenge per login.
u2f.sign("https://" + window.location.host, 'SigningChallenge', [registeredKey],
  (response) => {
    fetch('https://www.u2fapi.com/api.aspx', {
      method: 'post',
      body: JSON.stringify({
        action: "SIGN",
        data: response.signatureData
      })
    }).then(function (response) {
      return response.json();
    }).then(function (data) {
      // The device's signature counter, which should increase on every sign.
      alert(data.userCounter);
    });
  }
);
```
There is also a web service that lets you handle the U2F responses on the server side. It is accessible via https://www.u2fapi.com/api.asmx, and the WSDL can be downloaded from https://www.u2fapi.com/api.asmx?WSDL
It is designed to be consumed by a C# (.NET) client; however, other clients can use simple HTTPS GET and POST requests to access this web service.
The service works only on Chrome, and I welcome feedback on how to improve this API in terms of compatibility and security. I’ve been studying U2F for a week now, but I’m no expert. But this was just a fitting project to complete my academic interest in the device.
Happy signing!