FIDO registration is part of the Loginapp REST API and its web UI. The registration process is implemented as a protected self-service flow. This allows great flexibility in combining FIDO registration with other steps and with any authorization and access conditions.
Great care should be taken especially regarding authorization and access conditions:
If FIDO is to be used for strong authentication, it is mandatory to strongly authenticate the end-user before FIDO registration, because the authenticity of the registered FIDO Authenticators depends on the security in effect during the registration self-service.
While it is possible to enroll FIDO Authenticators based only on username and password, the security risks of such a setup must be considered thoroughly.
Thus, we strongly recommend protecting the FIDO registration self-service flow with an access condition that guarantees sufficient end-user authentication. This is especially useful if different levels of authentication are allowed (or might be configured in the future).
In all cases, Airlock IAM acts as the FIDO relying party.
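An added illustration of the recommendation above, not Airlock IAM code or configuration: a minimal Python model of an access condition placed in front of FIDO registration. The level names, the functions and the rule that a FIDO login inherits the level of the enrolling session are assumptions made for this example.

```python
from dataclasses import dataclass, field
from enum import IntEnum

class AuthLevel(IntEnum):  # hypothetical levels, weakest to strongest
    PASSWORD = 1  # username and password only
    STRONG = 2    # password plus an already trusted second factor

class AccessDenied(Exception): pass

@dataclass
class Session:
    user: str
    level: AuthLevel

@dataclass
class CredentialStore:
    # (user, credential_id) -> level of the session that enrolled the key
    enrolled: dict = field(default_factory=dict)

def register_fido(store, session, credential_id, required=AuthLevel.STRONG):
    """Access condition: refuse enrollment from an under-authenticated session."""
    if session.level < required:
        raise AccessDenied(f"need {required.name}, session is {session.level.name}")
    store.enrolled[(session.user, credential_id)] = session.level
    return session.level

def level_after_fido_login(store, user, credential_id):
    """A FIDO login inherits at most the assurance present at enrollment."""
    if (user, credential_id) not in store.enrolled:
        raise AccessDenied("unknown credential")
    return min(AuthLevel.STRONG, store.enrolled[(user, credential_id)])

def demo():
    store, out = CredentialStore(), {"pw_only_blocked": False}
    pw_session = Session("alice", AuthLevel.PASSWORD)  # constructed sample user
    # Weak setup: the access condition accepts password-only sessions.
    register_fido(store, pw_session, "key-A", required=AuthLevel.PASSWORD)
    out["weak_setup"] = level_after_fido_login(store, "alice", "key-A").name
    # Recommended setup: the same session is turned away by the default condition.
    try:
        register_fido(store, pw_session, "key-B")
    except AccessDenied:
        out["pw_only_blocked"] = True
    register_fido(store, Session("alice", AuthLevel.STRONG), "key-C")
    out["strong_setup"] = level_after_fido_login(store, "alice", "key-C").name
    return out

if __name__ == "__main__":
    print(demo())
```

In the weak setup the enrolled key only ever vouches for password-level assurance, which is why the access condition has to be at least as strong as the authentication level FIDO is later expected to provide.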