When it comes to online authentication, passwords are still used everywhere. There are a variety of two-factor authentication (2FA) technologies out there, which attempt to counterbalance the insecurity of using only passwords for authentication. Nevertheless, 2FA is still not widely adopted. Moreover, one of the most prevalent password theft techniques, phishing, still remains unsolved by most 2FA technologies.

The FIDO Alliance has set itself the goal of solving the password problem once and for all, by simplifying and standardizing strong online authentication. Its most recent standard, called FIDO2, has gained the support of the majority of tech industry leaders, and the demand for integrating FIDO2 authentication in online services has been on the rise ever since.

How does FIDO2 work?

The FIDO2 standard consists of the World Wide Web Consortium’s (W3C) WebAuthn specification and the Client to Authenticator Protocol (CTAP). The former is a JavaScript API that is, as of writing this post, supported by all major and modern browsers. The latter specifies how a client (for example, a browser) can communicate with a FIDO authenticator using various channels, such as USB, NFC, and Bluetooth.

To strengthen online authentication, FIDO2 credentials rely on public key cryptography. These credentials are either stored in external hardware tokens such as USB/NFC keys, called external (or roaming) authenticators, or they can be stored internally in a user’s device, in so-called platform authenticators. The latter have the advantage that the user does not need to carry an external device all the time. The private key needed for authentication is securely stored, either on the hardware token or in secure storage on the user’s device, for instance a TPM accessible only following a biometric test (such as a fingerprint scan).

How does the login process with FIDO2 work?

Let’s assume an online service with an existing username/password login mechanism. The operator of the online service integrates the FIDO2 authentication method as a second factor. After the usual login, the user can register their cryptographic credentials. This is possible either by inserting an external hardware token or by creating and storing the credentials on the user’s device. This process is neither complex nor time-consuming for the user. After this initial registration, and following every successful login attempt using username and password, the user will be prompted to insert the same hardware token (or have the private key read from the device’s secure storage). This mechanism ensures that the user logging in is also in possession of the right private key.

What’s even better is that FIDO2 authentication can also be used as a standalone solution, eliminating passwords altogether and making the authentication experience passwordless.

Why does FIDO2 stand out?

FIDO2 is an open authentication standard which tries to harmonize and simplify the user online authentication experience, while still maintaining a high level of security. This is ensured through the use of credentials based on public key cryptography. Additionally, due to the way the FIDO credentials are created uniquely for each online service and can only be used in the context of that particular service, FIDO can prevent phishing attacks.
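The service-bound credential check described above, as an added example that is not part of the original post: a Node.js sketch of what a relying party verifies on a WebAuthn login, with a simulated browser and authenticator standing in for real hardware. The names `shop.example` and `shop-example.test`, the helper functions and the reduced `authenticatorData` layout are assumptions made for illustration; a real browser would already refuse the look-alike page's request for another site's credential before any signature is produced.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Simulated browser + authenticator (constructed for this example). The browser,
// not the page, writes `origin`; the authenticator signs
// authenticatorData || SHA-256(clientDataJSON) with the per-service private key.
function makeAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // rpIdHash (32 bytes) | flags (0x01 = user present) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01]), Buffer.alloc(4)]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign("sha256", signed, privateKey) };
}

// Relying-party checks; returns "ok" or the name of the first check that failed.
function verifyAssertion(a, expected) {
  const client = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (client.type !== "webauthn.get") return "bad-type";
  if (client.challenge !== expected.challenge.toString("base64url")) return "bad-challenge";
  if (client.origin !== expected.origin) return "bad-origin";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "bad-rp-id";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user-not-present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, expected.publicKey, a.signature) ? "ok" : "bad-signature";
}

function demo() {
  const real = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const other = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const challenge = crypto.randomBytes(32); // fresh per login attempt
  const expected = { rpId: "shop.example", origin: "https://shop.example",
                     challenge, publicKey: real.publicKey };
  const check = (key, rpId, origin, ch) =>
    verifyAssertion(makeAssertion(key, rpId, origin, ch), expected);
  return {
    genuine: check(real.privateKey, "shop.example", "https://shop.example", challenge),
    // Look-alike site relays the real challenge; the browser records its own origin.
    lookalike: check(real.privateKey, "shop.example", "https://shop-example.test", challenge),
    // An assertion made for a different challenge is presented again.
    replayed: check(real.privateKey, "shop.example", "https://shop.example", crypto.randomBytes(32)),
    // Right origin and challenge, but signed by a key that was never registered.
    wrongKey: check(other.privateKey, "shop.example", "https://shop.example", challenge),
  };
}

console.log(demo());
```

Production services should use a maintained WebAuthn server library, which additionally handles attestation, signature counters and the CBOR-encoded public key format.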

Usability is also at the heart of FIDO2. For developers and operators of online services, FIDO2 authentication can be integrated in any web application via the WebAuthn APIs. Ease of use also applies to end users, since registering FIDO tokens with online services and using them for authentication takes only a few simple, easy-to-follow steps.

An added value for your company?

As Airlock supports FIDO tokens as part of its IAM offering, we would be pleased to assist you in finding the best way to integrate and use them for your specific use cases. As we often say, the devil lies in the details: activation, revocation, migration. Working with Airlock helps you and your team address these issues. Drop us a note at info@airlock.com, specifically mentioning your interest in using the FIDO2 technology, and we will make sure to assist your company in the best possible way.

This is a guest post by Futurae.
