Readme
======

This demo contains a Web Application implemented in Node.js (ExternalAuthWeb.zip). To execute it, unzip the file to a directory, run '> npm install' in it (to download dependencies), and then run '> node server.js'. The application listens on port 3001 and uses an included SQLite database to store the signed-up users. The application was developed with Koa (a simpler replacement for Express from the same team). The HTML pages come from templates (views) written in Pug and integrated with Koa, and a router (middleware) object.

The purpose is to demonstrate registration (Sign Up) and authentication (Sign In) operations without passwords, using a device that the user owns (a smartphone), asymmetric cryptography, and a biometric factor on the device. The two operations are performed from two QR codes presented in the browser and read by the Authenticator app on the device (Android Studio code in MyAuthenticator.zip). Both the app and the user (the device owner) have an associated asymmetric key pair (in this demo, EC keys with 256 bits). The device should support class-3 (Strong) biometric authentication (usually fingerprint or face recognition) and have the My Authenticator app installed.

The first time the app runs, it generates the app key pair and stores the private key in a secure location (AndroidKeyStore). On a sign-up operation the user keys are generated and also securely stored, a unique user id is generated, and a message containing (1) the user id, (2) the user name, (3) the authenticator certificate and (4) the user certificate, signed with the app private key, is sent to the web app. The web app verifies the signature and records this information in its sign-up database. The user id, associated with the web app, and other information (e.g. the user name) are stored on the app.

For a sign-in operation, the QR code contains a random unique challenge (nonce) in addition to the web app identification. The Authenticator app searches for a previous sign-up using the web app identification and, if one is found, composes a message to the web app containing (1) the unique user id and (2) the signature of the challenge with this user's private key. The message is signed with the app private key. If the web app is able to verify both signatures, it considers the identified user authenticated. Both operations, on the authenticator app, require the owner's biometric verification.

To make the browser advance automatically to the next page after sign up or sign in, the web app, once it has verified the authenticator message, sends a WebSocket message to the browser, which responds by loading a new page.