Authentication Model
Auth-svc, together with duo-server, uses three authentication mechanisms; which one applies depends on the operation:
| Mechanism | Used for |
|---|---|
| JWT | All standard endpoints — user registration, device registration, key listing, backup storage |
| Device Signature | MPC operations (keygen, sign) — proves the requesting device holds the registered private key in the TEE |
| JWT + Face (step-up) | Sensitive operations — device re-registration (when face is already enrolled), keyshare recovery |
JWT
All standard endpoints require a Bearer token issued by your identity provider (Auth0, Firebase, or any OIDC provider), sent in the Authorization header. Auth-svc takes the user identity from the token's sub claim. Treat sub as the user's identity only after the token's signature, alg header, issuer, audience and expiry have been validated against the provider's published keys; a sub read from an unverified token is attacker-controlled.
```http
Authorization: Bearer <access_token>
```
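The following is an added example, not code from auth-svc or duo-server, showing the order of checks a service should run before trusting sub from a Bearer token. It assumes RS256 (what Auth0 and Firebase issue), a single-string aud claim (OIDC allows an array), and placeholder issuer and audience values; MintToken stands in for the identity provider so the block runs offline, and the real service would fetch the provider's public key from its JWKS endpoint instead of generating one.

```go
package main

import (
	"crypto"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
	"strings"
	"time"
)

// Claims holds only the registered claims this check relies on.
// Assumption: aud is a single string (real tokens may carry an array).
type Claims struct {
	Iss string `json:"iss"`
	Sub string `json:"sub"`
	Aud string `json:"aud"`
	Exp int64  `json:"exp"`
}

var b64 = base64.RawURLEncoding

// MintToken stands in for the identity provider and issues an RS256 JWT.
// Auth-svc never mints tokens; it only verifies them.
func MintToken(priv *rsa.PrivateKey, c Claims) (string, error) {
	hdr, _ := json.Marshal(map[string]string{"alg": "RS256", "typ": "JWT"})
	pl, err := json.Marshal(c)
	if err != nil {
		return "", err
	}
	signingInput := b64.EncodeToString(hdr) + "." + b64.EncodeToString(pl)
	digest := sha256.Sum256([]byte(signingInput))
	sig, err := rsa.SignPKCS1v15(rand.Reader, priv, crypto.SHA256, digest[:])
	if err != nil {
		return "", err
	}
	return signingInput + "." + b64.EncodeToString(sig), nil
}

// UserFromBearer returns the sub claim of the token in an Authorization
// header, but only after alg, signature, issuer, audience and expiry have
// all been checked. Any failure yields an error and no identity.
func UserFromBearer(pub *rsa.PublicKey, authHeader, wantIss, wantAud string, now time.Time) (string, error) {
	const prefix = "Bearer "
	if !strings.HasPrefix(authHeader, prefix) {
		return "", errors.New("missing bearer token")
	}
	parts := strings.Split(strings.TrimPrefix(authHeader, prefix), ".")
	if len(parts) != 3 {
		return "", errors.New("malformed token")
	}
	// Pin the algorithm: the token must never choose it ("none", or HS256
	// keyed with the public key, are the classic confusions).
	hdrJSON, err := b64.DecodeString(parts[0])
	if err != nil {
		return "", errors.New("malformed header")
	}
	var hdr struct {
		Alg string `json:"alg"`
	}
	if err := json.Unmarshal(hdrJSON, &hdr); err != nil || hdr.Alg != "RS256" {
		return "", errors.New("unexpected alg")
	}
	// Verify the signature over header.payload before reading any claim.
	sig, err := b64.DecodeString(parts[2])
	if err != nil {
		return "", errors.New("malformed signature")
	}
	digest := sha256.Sum256([]byte(parts[0] + "." + parts[1]))
	if err := rsa.VerifyPKCS1v15(pub, crypto.SHA256, digest[:], sig); err != nil {
		return "", errors.New("bad signature")
	}
	plJSON, err := b64.DecodeString(parts[1])
	if err != nil {
		return "", errors.New("malformed payload")
	}
	var c Claims
	if err := json.Unmarshal(plJSON, &c); err != nil {
		return "", errors.New("malformed claims")
	}
	switch {
	case c.Iss != wantIss:
		return "", errors.New("wrong issuer")
	case c.Aud != wantAud:
		return "", errors.New("wrong audience")
	case c.Exp == 0 || !now.Before(time.Unix(c.Exp, 0)):
		return "", errors.New("token expired")
	case c.Sub == "":
		return "", errors.New("missing sub")
	}
	return c.Sub, nil
}

func main() {
	priv, _ := rsa.GenerateKey(rand.Reader, 2048) // stands in for the IdP's key
	now := time.Now()
	tok, _ := MintToken(priv, Claims{Iss: "https://idp.example.com/", Sub: "auth0|abc123", Aud: "auth-svc", Exp: now.Add(time.Hour).Unix()})
	fmt.Println(UserFromBearer(&priv.PublicKey, "Bearer "+tok, "https://idp.example.com/", "auth-svc", now))
}
```

The checks are deliberately ordered signature first, claims second: nothing in the payload is read as data until the signature over it has been verified, and a wrong alg header is rejected before any cryptography runs.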
Device Signature
For MPC operations, the device signs the request body with its ECDSA P-256 private key, which is held in the device's Secure Enclave / TEE and never leaves it. Duo-server verifies this signature against the public key registered for that device before calling the auth-svc hooks; a request whose signature does not verify is rejected before any hook runs.
TODO: link to the detailed section on how the auth-svc hooks work.
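Both sides of the device-signature check, as an added example that is not duo-server's own code. It assumes the public key is registered as an SPKI blob, the signature travels base64-encoded, and the DER (ASN.1) signature encoding that Secure Enclave and Android Keystore produce for ECDSA-with-SHA256; the device key is generated in software here only so the block runs stand-alone.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/base64"
	"errors"
	"fmt"
)

// Device models the client. On a phone the P-256 key is generated inside
// the Secure Enclave / TEE and cannot be exported; here it lives in process
// memory purely so the example is self-contained.
type Device struct {
	priv *ecdsa.PrivateKey
}

func NewDevice() (*Device, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Device{priv: priv}, nil
}

// PublicKeySPKI is the key material the device submits at registration
// (assumed SPKI/PKIX DER encoding).
func (d *Device) PublicKeySPKI() ([]byte, error) {
	return x509.MarshalPKIXPublicKey(&d.priv.PublicKey)
}

// SignBody hashes the exact request body bytes with SHA-256 and signs the
// digest, returning the DER-encoded signature as base64.
func (d *Device) SignBody(body []byte) (string, error) {
	digest := sha256.Sum256(body)
	sig, err := ecdsa.SignASN1(rand.Reader, d.priv, digest[:])
	if err != nil {
		return "", err
	}
	return base64.StdEncoding.EncodeToString(sig), nil
}

// Registry is the server-side map from device ID to its registered key.
type Registry map[string]*ecdsa.PublicKey

// Register parses the SPKI blob and accepts only ECDSA P-256 keys, so a
// client cannot register an RSA or weaker-curve key by mistake.
func (r Registry) Register(deviceID string, spki []byte) error {
	pub, err := x509.ParsePKIXPublicKey(spki)
	if err != nil {
		return err
	}
	ec, ok := pub.(*ecdsa.PublicKey)
	if !ok || ec.Curve != elliptic.P256() {
		return errors.New("registered key must be ECDSA P-256")
	}
	r[deviceID] = ec
	return nil
}

// VerifyRequest is the check to run before any hook is called: the
// signature must verify, under the key registered for deviceID, over the
// raw body bytes as received (never over a re-serialised copy, which may
// not be byte-identical to what the device signed).
func (r Registry) VerifyRequest(deviceID, sigB64 string, body []byte) bool {
	pub, ok := r[deviceID]
	if !ok {
		return false
	}
	sig, err := base64.StdEncoding.DecodeString(sigB64)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(body)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	dev, _ := NewDevice()
	spki, _ := dev.PublicKeySPKI()
	reg := Registry{}
	_ = reg.Register("device-1", spki)
	body := []byte(`{"op":"sign","message":"deadbeef"}`) // constructed sample body
	sig, _ := dev.SignBody(body)
	fmt.Println("valid:", reg.VerifyRequest("device-1", sig, body))
	fmt.Println("tampered:", reg.VerifyRequest("device-1", sig, []byte(`{"op":"sign","message":"cafebabe"}`)))
}
```

A passing check proves only that whoever produced the signature held the registered key. It does not by itself stop a captured body-plus-signature from being resent later; whether the signed body carries a nonce or timestamp that the server checks is not something this page specifies, so confirm it for your deployment.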
Face Step-Up
Once a user has enrolled their face, sensitive operations additionally require a live FaceTec scan that matches the stored biometric. The FaceTec session data is passed as fields in the request body, while the JWT is still sent in the Authorization header; both must validate for the operation to proceed.
Operations requiring face step-up:
- Device re-registration — adding a new device after face is enrolled
- Keyshare recovery — fetching the encrypted backup