FIDO2

With passwordless authentication becoming more commonplace, there is a need for standardization. One effort, called FIDO, is doing just that. Short for “Fast IDentity Online,” it aims to eliminate passwords by developing a set of standards to govern how passwordless authentication should work.

What is FIDO2

FIDO2 builds on the FIDO Alliance’s previous work and includes two components, ​​the W3C Web Authentication specification, WebAuthn API, and the Client to Authenticator Protocol (CTAP).

WebAuthn is an API that allows companies to build FIDO authentication in web applications. Initially developed by the FIDO Alliance, it became a W3C standard in March 2019. Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari web browsers, and the Windows 10 and Android platforms support FIDO2.

CTAP is an extension of the original functionality of FIDO. It allows communication between an external authenticator (like Beyond Identity’s) or a device with a WebAuthn-compatible browser or platform.

How FIDO2 works

Using public and private keys, FIDO2 helps provide certainty of identity. A FIDO2-compatible device generates these keys: the public key to the service you’re logging into and the private key that stays on the device. A password is no longer necessary.

The next time you log in, the process is seamless. The user can either authenticate via biometrics on a compatible device or use a FIDO security key to access the private key. During the authentication process, the server looks for a match for your private key with its database of public keys.

While FIDO2 is a standard, these keys are unique to each website and can’t be removed or transferred from the device. This prevents the misuse of these keys with other FIDO2-compatible services and eliminates any chance of password-based attack or device misuse.

FIDO2 is by nature multi-factor authentication (MFA). The first factor is the requirement of initial authentication to access the device, like a fingerprint. Once that is provided, only the user and that specific device will have the second factor, which is the FIDO2 token.

Pros and cons of FIDO2

Pros

FIDO2 eliminates the password from the authentication process. Most cybercrime occurs through password-based attacks, and replacing it with an immutable cryptographic token removes that attack vector. You also know who and what is logging into your servers, thanks to the FIDO2 token.

Passwordless authentication benefits organizations and users alike. After the initial registration to generate the public and private keys, logging in is as simple as a click. There is none of the friction that passwords cause.

Another advantage is the open nature of FIDO2. Anyone can deploy or develop for FIDO, and it’s all done transparently. This makes it extremely easy for developers to adopt and deploy FIDO2 into their applications and platforms.

Cons

While FIDO2 suffered from a lack of compatibility early on, it is currently compatible with every major web browser, and two of the three major platforms: Windows 10 and Android. Apple does not natively support FIDO2 in iOS or Mac, but its Safari web browser does support the standard.

Also, while not an issue for most modern computing devices, FIDO2 does use more computer resources than traditional password-based systems. This makes it unsuitable for use in low-power devices, so it is unlikely to be used in any IoT (smart home) devices any time soon.

How FIDO2 and Beyond Identity work together

Beyond Identity has been a member of the FIDO Alliance since July 2020. The goals of the FIDO Alliance and Beyond Identity are the same: eliminating the password. Beyond Identity also participates in the development of the FIDO2 standard.

Organizations looking to adopt FIDO2 can use Beyond Identity’s authentication platform through the CTAP protocol. Above and beyond the cryptographic keys themselves, Beyond Identity’s platform goes even further by combining passwordless authentication with risk-based authentication, using more than two dozen user and device security signals to control access.

Our platform brings passwordless authentication to both your customers, employees, and developers. Secure Customers offers passwordless authentication to your end-users, while Secure Work allows you to quickly integrate our platform with most SSO providers. Secure DevOps lets you verify the author each commit and stop software supply chain attacks.  And as a member of the FIDO Alliance, you can rest assured our solution is compliant with industry best practices regarding passwordless authentication.

With password-based attacks becoming more frequent than ever, the longer your organization relies on the password to authenticate, the higher your risk of being a victim of an attack becomes. Request a demo today to see how Beyond Identity and FIDO2 can make passwords a thing of the past.