BiDi Virtual Authenticator

A BiDi Virtual Authenticator simulates a hardware security key for testing web applications with Web Authentication (WebAuthn). It allows developers to test authentication flows without needing physical security keys, streamlining the development and testing process for passwordless authentication.

Detailed explanation

The BiDi Virtual Authenticator is a powerful tool for developers and QA engineers working with Web Authentication (WebAuthn). WebAuthn is a modern web standard that enables strong, passwordless authentication using cryptographic keys. While WebAuthn offers significant security advantages, testing its implementation can be challenging due to the need for physical security keys (like YubiKeys or Titan Security Keys). The BiDi Virtual Authenticator addresses this challenge by providing a software-based alternative that mimics the behavior of a real hardware authenticator.

Why Use a Virtual Authenticator?

  • Simplified Testing: Eliminates the need for physical security keys during development and testing. This makes it easier to automate tests and integrate WebAuthn into CI/CD pipelines.
  • Cost-Effective: Reduces the cost associated with purchasing and managing multiple physical security keys, especially for large development teams.
  • Flexibility: Allows developers to simulate various authenticator behaviors and test different scenarios, such as key registration, authentication, and key management.
  • Automation: Enables automated testing of WebAuthn flows, which is crucial for ensuring the reliability and security of passwordless authentication.

How it Works

The BiDi Virtual Authenticator typically integrates with a web browser or testing framework. It intercepts WebAuthn API calls and simulates the responses that a real hardware authenticator would provide. This allows developers to test their WebAuthn implementation without needing to interact with a physical device.

Practical Implementation

Several tools and libraries provide virtual authenticator functionality. One popular option is the "Web Authentication Testing Framework" (WATF), which is often integrated into browser automation tools like Selenium or Playwright.

Here's a simplified example using Playwright and a hypothetical virtual authenticator library:

const { chromium } = require('playwright');
 
async function testWebAuthn() {
  const browser = await chromium.launch();
  const page = await browser.newPage();
 
  // Navigate to the WebAuthn-enabled application
  await page.goto('https://example.com/login');
 
  // Initialize the virtual authenticator
  const virtualAuthenticator = await page.context().createVirtualAuthenticator({
    protocol: 'ctap2', // Communication protocol (e.g., CTAP2)
    transport: 'usb',   // Transport method (e.g., USB)
    isResidentKey: true, // Supports resident keys (user verification not required)
    isUserVerificationSupported: false, // User verification is not supported
  });
 
  // Register a new credential
  await page.locator('#register-button').click();
 
  // Wait for the WebAuthn registration process to complete
  await page.waitForSelector('#registration-success');
 
  // Authenticate with the registered credential
  await page.locator('#login-button').click();
 
  // Wait for the WebAuthn authentication process to complete
  await page.waitForSelector('#authentication-success');
 
  console.log('WebAuthn test successful!');
 
  await browser.close();
}
 
testWebAuthn();

In this example:

  1. We launch a Chromium browser using Playwright.
  2. We navigate to a web application that uses WebAuthn.
  3. We create a virtual authenticator using page.context().createVirtualAuthenticator(). The configuration options (protocol, transport, isResidentKey, isUserVerificationSupported) allow us to simulate different types of authenticators.
  4. We simulate the registration and authentication processes by clicking buttons and waiting for success messages.

Best Practices

  • Choose the Right Tool: Select a virtual authenticator tool that is compatible with your testing framework and browser.
  • Configure the Authenticator: Carefully configure the virtual authenticator to match the characteristics of the hardware authenticators you expect your users to use. Consider factors like transport method (USB, NFC, Bluetooth), supported protocols (CTAP1, CTAP2), and user verification requirements.
  • Test Different Scenarios: Test various WebAuthn scenarios, including registration, authentication, key management, and error handling.
  • Automate Your Tests: Integrate virtual authenticators into your automated testing suite to ensure continuous testing of your WebAuthn implementation.
  • Secure Your Testing Environment: Ensure that your testing environment is secure to prevent unauthorized access to the virtual authenticator and the cryptographic keys it manages.

Common Tools

  • Web Authentication Testing Framework (WATF): A framework for testing WebAuthn implementations, often used with Selenium and Playwright.
  • Browser Developer Tools: Some browsers, like Chrome, offer built-in virtual authenticator functionality in their developer tools. This can be useful for manual testing and debugging.
  • Custom Implementations: Developers can also create their own virtual authenticators using libraries like fido2-lib (a JavaScript library for working with FIDO2/WebAuthn).

By using a BiDi Virtual Authenticator, developers and QA engineers can streamline the testing process for WebAuthn and ensure the security and reliability of passwordless authentication. It is a crucial tool for building modern, secure web applications.

Further reading

Related Terms

A/B Testing

Acceptance Testing

Accessibility Tester