Florentin Putz 2021

Bring Your Own FIDO2 Extensions

The FIDO2 standards for strong authentication on the Internet are now well-established in all major web browsers, allowing users to securely log in to websites without memorizing a password. But how can developers customize FIDO2 for their own use cases? Currently, there exists almost no information on custom FIDO2 deployments.

We documented the process of designing and implementing custom extensions for the FIDO2 web authentication protocol. Our open-source implementation targets the full FIDO2 stack, including the Chromium web browser and hardware tokens. To give an overview of existing extensions, we survey all published FIDO2 extensions by manually inspecting the source code of major web browsers and authenticators. We propose methods to make it easier for developers to deploy custom FIDO2 extensions.