Online password less authentication based on SSI and FIDO2
Self-Sovereign IDentity Online (SSIDO) is an online passwordless solution for SSI users’ authentication through the standard Fast IDentity Online (FIDO2) protocols. SSIDO is aimed at consolidating both two technologies related to the Identity and Access Management (IAM). As a result, emerging SSI-enabled solutions can be seamlessly integrated with the existing FIDO2 applications.
The Web Authentication ceremony begins at the Application Layer between a user (Holder) and a Relying Party (Verifier) and implies an authentication assertion about the presence and consent of that previously registered user using the Public Key Infrastructure (PKI).
SSIDO extends this PKI-based approach by introducing the Decentralized Public Key Infrastructure (DPKI) built upon the concepts of SSI, Distributed Ledger, Agent, DID Record (DID and DID Document), as well as Verifiable Credential (VC) and Verifiable Presentation (VP).
To proceed with the Authentication ceremony at the Agent Layer, SSIDO incorporates the following two components:
- SSIDO Authenticator, an edge-side agent (Holder’s Agent) designed for both mobile devices and desktop environments.
- SSIDO Validator, a server-side or cloud-side agent (Verifier’s Agent).
SSI Authenticator responds to a challenge generated by SSI Validator (VP request) with the assertion signed by the user’s private key (VP). While attesting the received assertion (VP verification), SSI Validator employs the user’s public key retrieved from the DID Document.
The SSIDO solution is compatible with different schemes of verifiable credentials and verifiable presentations, and it can be generalized on Multi-Factor Authentication (MFA).