Enterprise Deployment of FIDO2 Passwordless Authentication


cybersecurity hot takes


Subscribe on Spotify and Apple

Today's episode brings you a presentation from Jing Gu. Jing takes a deeper look at FIDO standards and, using Beyond Identity as an example, she discusses the steps an organization must take to achieve Zero Trust Authentication.



Hello and welcome to another episode of "Cybersecurity Hot Takes." It is once again your producer, Joshua, coming at you today with a very, very special episode. Our podcast crew is on their way to the RSA Conference to meet and speak with all of you. And so, on today's episode, we are bringing you a very special presentation by our very own Jing Gu. 

In this presentation, Jing Gu goes over how the strongest authentication solutions build upon the FIDO gold standards of authentication. Using Beyond Identity as an example, Jing takes us through all of these steps that these strongest authentication solutions must take to become Zero Trust Authentication. We hope you enjoy. 


Hi, my name is Jing Gu. I work at Beyond Identity. And today, we're going to talk about enterprise-ready deployments of passwordless authentication. We'll go through what all of that means, but when we speak of passwordless, we cannot talk of it without mentioning the fundamental standards that undergird passwordless authentication today, which is the FIDO Alliance. So, FIDO stands for Fast Identity Online, and it is both a certification agency. 

You know, they have FIDO WebAuthn, CTAP, UAF. They assess for security and interoperability as part of their certification, as well as an industry alliance of like-minded companies who care about bettering digital access for all. 

Some of these companies in the alliance you may have heard of before, like Google, Apple, and Microsoft. So, this is the foundational building block of passwordless, right? So, Beyond Identity has been part of the FIDO Alliance since 2020, and we were officially FIDO2 certified in 2023. How does Beyond Identity make passwordless enterprise deployable? Well, passwordless authentication also needs to be easy to use. 

So, this is the first part of how we support and extend FIDO. And this is within the category of passwordless authentication. So, how do we extend and support FIDO specifically? Well, passwordless authentication should be zero friction, and the way to achieve zero friction is to make sure that the user is only using one singular device to authenticate. 

That there's no second device involved, which also, you know, when there's second devices involved, there's also a security risk involved with that. Additionally, there's a component that is really important to deployment, which is universality. And what this is referring to is currently FIDO support, so WebAuthn support is uneven across different browsers, different devices, and what we do is we say we are going to abstract all of the complexities of compatibility issues and allow you to deploy passwordless authentication that is consistent across any device, OS, and using any identity protocols such as OIDC, OAuth, SAML, and SCIM. 

Great. So, once you complete this passwordless authentication story, authentication is the front door to your products and services, so you better be thinking about security. 

And this is where the security piece comes into play. With Beyond Identity, we offer a phishing-resistant... This is a phishing hook, so there's no phishing allowed. We offer phishing-resistant multi-factor authentication. And what we mean by that is there is no phishable factors. In fact, we only use local device biometrics. 

This is my poor attempt at a fingerprint. As well as a passkey, which is a public-private key pair. So, I'll draw a little key here. What's unique about our pass key is the private key is secured in the TPM or the trusted computing environment of modern devices. 

This private key is never synced to the cloud. This private key cannot be tampered with, modified, or otherwise copied off of the device. And this gives you the assurance that it is an authorized and trusted device that is trying to gain access to your services. So, I'll just label this as a device bound. Great. So, at this point you got FIDO at the foundations, you have passwordless authentication that makes your users really happy, and you have phishing-resistant MFA. 

The work is still not done because we now have this concept of zero trust in which you should never trust and always verify. So, in the context of zero trust, what does authentication look like? Let me just write out zero trust auth here. All right. 

Well, the first thing that it means is you need to have visibility and control over all of the end-points in your fleet, including bringing your own devices. So, every authentication request that Beyond Identity does, we're also performing a security check. So, is the firewall turned on? Is the biometric enabled? 

Are the MDMs configured and active on this device? Every device that authenticates must pass these real-time device security checks in order to gain access. And, of course, we give you the logs that are immutable to prove this. So, once you have all of this, right, Zero Trust Authentication, never trust, always verify, also involves a time element. 

Because just because you authenticate a user once and their device passes the initial checkpoint does not mean that that device stays in compliance forever. So, for example, a user may turn off their firewall by accident or otherwise compromises their device security posture. And that is where continuous authentication comes in. And continuous authentication means that even during authenticated sessions, you can verify that it is still the correct user using a trusted device trying to gain access to your critical services and data. 

All right. So, that is the final strata of the authentication stack that we offer. One important note about zero trust authentication, it takes a village, right? So, we also provide out-of-box integrations with MDMs. So, your end-point protection tools, EDRs, next-generation EDRs, XDRs, your zero trust network access tools, as well as your SIEMs and your logging tools. 

And in the SIAM scenario, maybe you have a CRM, your fraud tooling, etc. So, all of this feeds into, and we push data out of our platform into these tools. So, this is how Beyond Identity supports and extends FIDO authentication, and we make sure that this is really easy to deploy by giving you a...and this is my attempt at a cloud. 

Here it goes. All right. That looks like a cloud, right? This is a cloud-native SaaS platform and we make it easy to deploy secure frictionless zero trust authentication across your entire user base, including your workforce, and contractors, and partners, your customers. 

So this is your end users. And within the workforce, you might want to protect your crown jewels, aka your code repository so we also offer a solution to protect your developers. And that is how Beyond Identity enables enterprise-ready deployments of passwordless authentication that is secure and aligned with zero trust. 

Thanks for tuning in.