$DOCUMENT

Notation

Type names, attribute names and element names are written as code.

String literals are enclosed in “”, e.g. “UAF-TLV”.

In formulas we use “|” to denote byte wise concatenation operations.

DOM APIs are described using the ECMAScript [[!ECMA-262]] bindings for WebIDL [[!WebIDL]].

UAF specific terminology used in this document is defined in [[!FIDOGlossary]].

Key Words

The key words “MUST”, “MUST NOT”, “REQUIRED”, “SHALL”, “SHALL NOT”, “SHOULD”, “SHOULD NOT”, “RECOMMENDED”, “MAY”, and “OPTIONAL” in this document are to be interpreted as described in [[!RFC2119]].

Overview

The FIDO UAF technology replaces traditional username and password-based authentication solutions for online services, with a stronger and simpler alternative. The core UAF protocol consists of four conceptual conversations between a FIDO Client and FIDO Server: Registration, Authentication, Transaction Confirmation, and Deregistration. As specified in the core protocol, these messages do not have a defined network transport, or describe how application software that a user interfaces with can use UAF. This document describes the API surface that a client application can use to communicate with FIDO Client software, and transport patterns and security requirements for delivering UAF Protocol messages to a remote server.

The reader should also be familiar with the FIDO Glossary of Terms [[!FIDOGlossary]] and the UAF Protocol specification [[!UAFProtocol]].

Audience

This document is of interest to client-side application authors that wish to utilize FIDO UAF, as well as implementers of web browsers, browser plugins and FIDO clients, in that it describes the API surface they need to expose to application authors.

Scope

This document describes:

The local ECMAScript [[!ECMA-262]] API exposed by a FIDO UAF-enabled web browser to client-side web applications.
The mechanisms and APIs for Android [[ANDROID]] applications to discover and utilize a shared FIDO Client service.
The general security requirements for applications initiating and transporting UAF protocol exchanges.
An interoperability profile for transporting UAF messages over HTTPS [[!RFC2818]].

The following are out of scope for this document:

The format and details of the underlying UAF Protocol messages
APIs for, and any details of interactions between FIDO Server software and the server-side application stack.

The goal of describing standard APIs and an interoperability profile for the transport of UAF messages here is to provide an example of how to develop a FIDO-enabled application and to promote the ease of integrating interoperable layers from different vendors to build a complete FIDO UAF solution. For any given application instance, these particular patterns may not be ideal and are not mandatory. Applications may use alternate transports, bundle UAF Protocol messages with other network data, or discover and utilize alternative APIs as they see fit.