Securely Manage User Credentials With A New Admin API
In today's digital landscape, managing end-user enrolled credentials efficiently and securely is paramount. Whether it's dealing with lost devices, compromised security keys, or the need to reset multi-factor authentication methods like TOTP, administrators often face challenges. This is particularly true in business-to-business (B2B) scenarios where robust control over user access and security is non-negotiable. The current systems, including WSO2 Identity Server and Asgardeo, have a gap: they lack a dedicated, secure administrative API specifically designed for managing these end-user credentials. This absence forces administrators into using less-than-ideal, high-privilege manual workarounds. These methods are not only inefficient but also introduce unnecessary security risks. Imagine a scenario where a user’s FIDO2 Passkey, used for secure login, is lost or stolen. Without a streamlined way to revoke that specific credential, the account remains vulnerable. Similarly, if a user’s TOTP authenticator is compromised or they simply need it reset, administrators are left scrambling. This is precisely the problem we aim to solve with the introduction of a new, unified administrative REST API.
Our proposed solution is to create a set of powerful and intuitive administrative REST API endpoints. These new endpoints will be integrated seamlessly into the existing Admin Console, providing administrators with direct and secure control over user credentials. The core of this solution involves two key API operations. First, a GET /api/server/v1/users/{user-id}/credentials endpoint will be introduced. This endpoint is designed to retrieve a comprehensive list of all credentials enrolled by a specific user. This includes a variety of authentication factors such as Passkeys (FIDO2), Push Authentication devices, and TOTP configurations. The response will consolidate this information into a single, easy-to-understand format, giving administrators a clear overview of a user's security footprint. This consolidated view is crucial for understanding the security posture of individual users. Second, and critically, a DELETE /api/server/v1/users/{user-id}/credentials/{type}/{credential-id} endpoint will allow administrators to delete a single, specific credential. To use this endpoint effectively, administrators will first utilize the GET endpoint to identify the unique credential-id and type of the credential they wish to revoke. This granular control ensures that only the compromised or outdated credential is removed, leaving other valid authentication methods intact. This targeted approach minimizes disruption for the user while maximizing security. The integration into the Admin Console means that these powerful API capabilities will be accessible through a user-friendly interface, making credential management accessible to a wider range of administrators without requiring deep technical expertise. This enhancement is a significant step forward in providing robust and flexible identity and access management solutions. We believe this new API will dramatically improve the security and administrative efficiency for organizations using WSO2 Identity Server and Asgardeo.
The Need for a Unified Credential Management API
In the realm of digital identity, managing end-user enrolled credentials is a cornerstone of security and user experience. As organizations increasingly adopt multi-factor authentication (MFA) and advanced security measures like FIDO2 Passkeys and push notifications, the complexity of managing these credentials grows. A user might have multiple devices registered for push authentication, a FIDO2 security key, and a TOTP application. When any of these become compromised, lost, or simply need to be updated, administrators require a swift and secure method to manage them. Currently, the WSO2 Identity Server and Asgardeo platforms, while powerful, do not offer a direct administrative API for this purpose. This oversight necessitates manual interventions, often involving high-level access to the system's backend, which is inefficient, error-prone, and poses significant security risks. Consider a scenario where a remote employee loses their work-issued laptop, which contains a registered FIDO2 Passkey. Without a dedicated API, the IT administrator must navigate complex procedures, potentially involving direct database access or other risky workarounds, to revoke that specific Passkey. This process is not only time-consuming but also increases the likelihood of accidental misconfiguration or security breaches. The lack of a streamlined process directly impacts the organization's ability to respond effectively to security incidents. Furthermore, in B2B environments, where one organization manages identities for users within another, the need for granular and auditable credential management is even more acute. Administrators must be able to demonstrate control over user access and security settings, which is difficult without proper tools. This is why the development of a unified administrative REST API for managing end-user enrolled credentials is not just a feature request; it's a critical security requirement.
The proposed API aims to address this gap by providing a clean, secure, and efficient way for administrators to oversee and control all aspects of user-level authentication factors, ensuring a more secure and manageable digital environment.
Revolutionizing Credential Management with a New API
Our proposed solution centers on introducing a modern, unified administrative REST API designed to give administrators precise control over end-user credentials. This API will serve as the central point of control for managing the authentication factors associated with user accounts. The API will be designed with security and ease of use as top priorities, ensuring that administrators can perform critical tasks without compromising the integrity of the system. The cornerstone of this new API is its ability to provide a comprehensive view and granular control over a user's enrolled credentials. We are introducing a dedicated endpoint, GET /api/server/v1/users/{user-id}/credentials, which will serve as the primary tool for administrators to query and understand a user's security setup. This endpoint will consolidate information about all registered authentication methods, including but not limited to FIDO2 Passkeys, push notification devices, and Time-based One-Time Password (TOTP) configurations, into a single, coherent response. This unified view eliminates the need to consult multiple interfaces or logs, providing immediate clarity on the user's authentication landscape. Once an administrator has identified a specific credential that needs to be managed, they can use the second crucial endpoint: DELETE /api/server/v1/users/{user-id}/credentials/{type}/{credential-id}. This endpoint allows for the targeted removal of a single, specific credential. By using the credential-id and type obtained from the GET request, administrators can confidently revoke a compromised security key or reset a user's TOTP without affecting their other active authentication methods. This level of precision is vital for maintaining security without causing undue inconvenience to the end-user.
For instance, if a user reports losing their FIDO2 security key, an administrator can quickly use the API to revoke only that specific key, allowing the user to continue using other registered methods like their TOTP app or a different security key. The integration of these API endpoints into the Admin Console will further enhance their usability. Administrators will have direct access to these powerful credential management tools through a familiar and intuitive graphical interface, eliminating the need for complex command-line operations or direct system access. This makes managing end-user enrolled credentials more accessible, efficient, and secure for a broader range of administrative personnel. This innovative API approach promises to significantly elevate the security posture and operational efficiency for organizations leveraging WSO2 Identity Server and Asgardeo.
Enhancing Security and Efficiency in Credential Management
In the contemporary digital ecosystem, the ability to effectively manage end-user enrolled credentials is not merely a convenience; it's a critical component of a robust security strategy. As organizations evolve and adopt more sophisticated authentication mechanisms, the need for streamlined administrative tools becomes increasingly apparent. The current landscape, particularly within platforms like WSO2 Identity Server and Asgardeo, presents a notable challenge: the absence of a dedicated, secure administrative API for handling user credential revocation and management. This gap forces administrators into inefficient and potentially risky manual processes. When a user loses a device associated with a FIDO2 Passkey, needs their TOTP reset, or a push notification device is compromised, administrators currently lack a direct, programmatic way to address these issues. This often leads to workarounds that involve higher privilege levels than necessary, increasing the attack surface and the potential for human error. This is especially problematic in B2B settings where adherence to strict security policies and auditability are paramount. Our proposed solution addresses this critical need by introducing a unified administrative REST API, designed to provide secure and granular control over user credentials. The introduction of endpoints such as GET /api/server/v1/users/{user-id}/credentials allows administrators to retrieve a comprehensive list of all enrolled credentials for a given user, including Passkeys, push devices, and TOTP setups. This consolidated view is invaluable for understanding a user's authentication profile. Following this, the DELETE /api/server/v1/users/{user-id}/credentials/{type}/{credential-id} endpoint enables the precise revocation of a specific credential. By targeting a credential using its unique ID, administrators can ensure that only the compromised or outdated factor is removed, without impacting other active authentication methods.
This level of granularity is essential for maintaining both security and user convenience. Imagine a user having multiple FIDO2 keys registered; the API allows revoking just one without affecting the others. Furthermore, integrating these capabilities directly into the Admin Console makes these powerful tools accessible to administrators through a user-friendly interface. This not only boosts efficiency by reducing the time and effort required for credential management but also significantly enhances security by eliminating the need for insecure manual workarounds and providing clear audit trails for all credential management actions. This enhancement is vital for organizations looking to strengthen their security posture and streamline their identity and access management operations. Embracing this new API will undoubtedly lead to a more secure, efficient, and manageable user credential environment.
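The GET-then-DELETE revocation flow described above, as an added example that is not WSO2's or Asgardeo's own code: a small in-memory model of the two proposed endpoints so the single-credential revocation and its audit entry can be exercised offline. The JSON shape of the GET response, the `{type}` path values `fido2`/`push`/`totp`, and the sample user and credential ids are assumptions.

```python
from dataclasses import dataclass, field

SUPPORTED_TYPES = {"fido2", "push", "totp"}  # assumed {type} path values, not from the post


@dataclass
class CredentialStore:
    # user-id -> list of credential dicts (constructed sample data lives in sample_store)
    users: dict = field(default_factory=dict)
    audit_log: list = field(default_factory=list)

    def get_credentials(self, user_id):
        """Models GET /api/server/v1/users/{user-id}/credentials (assumed response shape)."""
        if user_id not in self.users:
            return 404, {"error": "user not found"}
        return 200, {"userId": user_id, "credentials": list(self.users[user_id])}

    def delete_credential(self, actor, user_id, cred_type, cred_id):
        """Models DELETE /api/server/v1/users/{user-id}/credentials/{type}/{credential-id}."""
        if cred_type not in SUPPORTED_TYPES:
            return 400, {"error": f"unsupported credential type: {cred_type}"}
        creds = self.users.get(user_id, [])
        # Match on BOTH type and id: an id belonging to another factor type must not be revoked
        match = [c for c in creds if c["type"] == cred_type and c["id"] == cred_id]
        if not match:
            return 404, {"error": "credential not found"}
        self.users[user_id] = [c for c in creds if c is not match[0]]
        # Every revocation is recorded so the action is attributable to an administrator
        self.audit_log.append({"actor": actor, "action": "credential.delete",
                               "userId": user_id, "type": cred_type, "credentialId": cred_id})
        return 204, None


def revoke_lost_credential(store, actor, user_id, cred_id):
    """Admin flow from the post: list first to learn the type, then delete exactly one credential."""
    status, body = store.get_credentials(user_id)
    if status != 200:
        return status
    target = next((c for c in body["credentials"] if c["id"] == cred_id), None)
    if target is None:
        return 404
    status, _ = store.delete_credential(actor, user_id, target["type"], cred_id)
    return status


def sample_store():
    # Constructed sample data: one user with two passkeys, one push device and one TOTP setup
    return CredentialStore(users={"u-100": [
        {"id": "pk-1", "type": "fido2", "name": "Laptop key"},
        {"id": "pk-2", "type": "fido2", "name": "Backup key"},
        {"id": "push-1", "type": "push", "name": "Phone"},
        {"id": "totp-1", "type": "totp", "name": "Authenticator app"},
    ]})
```

Revoking `pk-1` leaves the backup key, the push device and the TOTP setup untouched, and a delete that names the wrong type for an id is refused rather than silently removing a different factor.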
Conclusion: A Leap Forward in Credential Security
In conclusion, the introduction of a dedicated administrative API for managing end-user enrolled credentials represents a significant advancement for WSO2 Identity Server and Asgardeo. The current lack of such a tool forces administrators into inefficient and insecure manual processes, posing risks to organizational security and operational efficiency, especially in B2B contexts. The proposed solution, featuring GET /api/server/v1/users/{user-id}/credentials and DELETE /api/server/v1/users/{user-id}/credentials/{type}/{credential-id} endpoints integrated into the Admin Console, offers a secure, granular, and user-friendly approach to credential management. This enhancement will empower administrators to swiftly revoke compromised Passkeys, reset TOTP authenticators, and manage push notification devices, all without resorting to risky workarounds. By providing a clear overview and precise control, this API will bolster security, streamline administrative tasks, and improve the overall user experience. This is a vital step towards maintaining robust identity and access management in an increasingly complex digital world.
For more insights into identity and access management best practices, you can explore resources from OWASP.