How Does FIDO2 Try to Solve the World’s Password Problem?
What is FIDO2 Banner

Multi-Factor Authentication (MFA) – Blog Series – Part #02

In the previous blog post on Multi-Factor Authentication (MFA), we compared the five most commonly used possession factors. FIDO2 — the winner of that comparison — is a holistic solution for MFA and it can even be used for secure passwordless authentication without the need for additional factors. FIDO2 is billed as “the industry’s answer to the password problem” [1]. But how does FIDO2 work and what are its advantages over passwords and other MFA methods?

 

FIDO(2), U2F, UAF, CTAP(1/2), Webauthn, Passkeys... What Does It All Mean?

There are many terms and abbreviations used in connection with FIDO that may seem obscure and confusing at first. Therefore, we will first introduce these commonly used terms and abbreviations in order to provide more clarity.

  • FIDO, which stands for Fast IDentity Online, is an open standard designed to change the way authentication is done today. It currently consists of three specifications: UAF, U2F, and FIDO2. FIDO was created by the FIDO Alliance — a non-commercial open industry association.
  • U2F stands for Universal Second Factor and was the first FIDO specification to be created. It enables the use of a second authentication factor in addition to the password as the first factor.
  • UAF is the second FIDO specification created and allows general purpose authentication without passwords. However, it was only created to support mobile devices.
  • FIDO2 is the third FIDO specification and is based on the WebAuthn and CTAP protocols. It provides both passwordless authentication and the use of a second factor.
  • WebAuthn is a browser-based API that standardizes an interface that allows a user to authenticate to a relying party using public key cryptography.
  • Relying Party is the web application or service which wants to use the authentication information.
  • CTAP stands for Client to Authenticator Protocol and refers to the two versions CTAP1 and CTAP2.
  • CTAP1 is the protocol used by U2F that allows a browser to communicate with a FIDO device. It enables the use of existing FIDO U2F devices to authenticate to FIDO2-enabled browsers and operating systems via USB, NFC, or BLE for two-factor authentication.
  • CTAP2 enables passwordless two- or multi-factor authentication — in comparison to CTAP1, which only enables the use as a second- or multi-factor.
    Passkeys are also called multi-device FIDO credentials and are a joint effort between Apple, Google, and Microsoft based on the FIDO standard. They differ from FIDO2 in the way that key pairs are synchronized, making them available on multiple devices without additional effort. This increases the ease of use for the end user, and in the event of the loss of a device, the FIDO credentials for accessing the accounts will not be lost.


How Does FIDO2 Work?

As described above, FIDO2 is based on the CTAP and WebAuthn protocols. The CTAP protocol allows a browser or operating system to communicate with an authenticator, such as a security key. There are two versions of CTAP that do not differ in protocol flow, but have different purposes. In CTAP1, the authenticator is used only as a second- or multi-factor, while in CTAP2 it is used for passwordless authentication. Furthermore, CTAP1 only supports external authenticators, while CTAP2 can also utilize an internal authenticator such as the fingerprint sensor of a mobile phone or laptop. The WebAuthn protocol allows the web application and browser to communicate and authenticate the user based on public key cryptography.

Registering an Authenticator 

To use passwordless authentication with FIDO2, one needs to register an authenticator first. The registration of an authenticator as a multi-factor or for passwordless authentication proceeds as follows (see Figure 1):

In the client (the browser), the user initiates the registration of an authenticator. The relying party (the web application) then sends information about the relying party, the user, and the type of credentials requested. The client passes this information to the authenticator using CTAP. The authenticator now requests confirmation from the user. The user confirms by touching the security key or by using the fingerprint sensor, for example. Upon successful confirmation, the authenticator generates a private/public key pair and sends the public key to the client, which forwards it to the relying party. 

Registration Flow for a FIDO2 Authenticator. (Figure 1)

 

Authentication

Once the key pair was generated, it can be used to authenticate the user at a relying party. The authentication using a FIDO2 key as a multi-factor or for passwordless authentication proceeds as follows (see Figure 2):

In the client, the user initiates an authentication process. The relying party sends a challenge to the client, which is forwarded to the authenticator. The authenticator then requests confirmation from the user. The user confirms by touching the security key or using the fingerprint sensor, for example. Upon successful confirmation, the authenticator signs the challenge using the requested private key. The signed challenge is sent to the client, which forwards it to the relying party. The relying party can now use the public key registered earlier to verify that the challenge was indeed signed with the correct private key. If so, the authentication is successful. Authentication Flow with a FIDO2 DeviceAuthentication Flow with a FIDO2 Authenticator. (Figure 2)

 

What Are the Advantages of FIDO2?

Many large companies have already introduced optional FIDO support for their web applications and services, or have even made FIDO mandatory for all employees. A selection of these companies and their experiences with FIDO as a multi-factor or passwordless login are listed on the FIDO Alliance website [2]. We have summarized the key takeaways below.

Quick and Easy Authentication

Authentication with FIDO2 is quick and easy. There is no need to remember complicated passwords, wait for an SMS, or log in to your email provider. Many companies have found this to be the case. Yahoo reported a 2.6x reduction in login time and an increase in successful logins using FIDO2 [3], and other companies such as Ebay and Intuit have reported similar results.

Cost Efficiency

Both for companies that use FIDO internally and for operators of applications that offer FIDO to their users, a lot of working time can be saved, allowing the employees to spend more time on primary tasks. The time saved through quick and easy authentication adds up to significant time savings for a large number of employees. Furthermore, the experience of Yahoo shows that the number of support requests due to forgotten credentials have dropped by 25% [4]. At the National Health Service, supporting FIDO has reduced the number of SMS OTPs by two-thirds, resulting in significant cost savings [5].

Security and Resistance to Phishing Attacks

FIDO2 also has many strengths from a security perspective. For example, it uses public-key cryptography and a zero-trust model, which means, among other things, that it does not use a shared secret like TOTP generators. It also leverages trusted computing so that secret keys are stored securely and never leave the user's device/security key. Perhaps one of the strongest arguments is that it is resistant to phishing and man-in-the-middle attacks, since the client and the authenticator verify the relying party, and the relying party verifies the client. Yahoo has seen a significant reduction in unauthorized access [4], while a 2-year study at Google has shown that there has not been a single successful phishing attack since FIDO security keys were made mandatory for all employees [6].

 

Increasing the Adoption of Passwordless Logins With Passkeys

Passkeys are a joint effort between Apple, Google, and Microsoft to extend the FIDO standard to further increase the adoption of passwordless logins [7]. Passkeys utilize two new features to make passwordless logins more seamless.

  1. Without passkeys, each authenticator must be registered separately. For example, if you want to use three different authenticators for a service, you have to go through the authenticator registration process three times. However, passkeys, as FIDO credentials, are automatically synchronized with multiple user devices (such as a mobile phone, laptop, or computer). This means that a service registration process only needs to be performed once in order to use multiple authenticators for authentication.
  2. Users' devices should allow them to authenticate to a web application or app, regardless of the operating system or browser they are using.

One downside of this approach is that the private keys leave the user’s device and are stored on the vendor’s server.

 

Conclusion

In fact, FIDO has the potential to make passwords increasingly obsolete in the future and to make authentication both more secure and easier. It will take some time for the majority of web applications to support FIDO. However, many companies have already realized the enormous benefits of making FIDO authentication mandatory for their employees. Passkeys will make the use of FIDO more popular among the masses and help to spread the use of FIDO outside of the corporate field. It will be exciting to see how the adoption of FIDO develops in the future and whether it will allow to get rid of passwords once and for all.

 


[1https://fidoalliance.org/fido2/

[2https://fidoalliance.org/content/case-study/

[3https://web.dev/yahoo-japan-identity-case-study/

[4https://fidoalliance.org/yahoo-japans-password-free-authentication-reduced-inquiries-by-25-sped-up-sign-in-time-by-2-6x/

[5https://fidoalliance.org/national-health-service-uses-fido-authentication-for-enhanced-login/

[6https://krebsonsecurity.com/2018/07/google-security-keys-neutralized-employee-phishing/

[7https://fidoalliance.org/apple-google-and-microsoft-commit-to-expanded-support-for-fido-standard-to-accelerate-availability-of-passwordless-sign-ins/


 

Our Experts Develop the Optimal Solution for You

Authentication – FIDO2 – Single Sign-On

Are you faced with the decision of how to best implement authentication? Or are you already using OAuth and wondering if your implementation is secure?

We will be glad to advise you; contact us for a no-obligation initial consultation. Thus, we are at your side with the following services and solutions:

IT Security Consulting  |  Training   |  Penetration Tests

Don't hesitate and find your way to secure authentication with us. We look forward to supporting you with your projects.

 

Your Contact for Authentication and Single Sign-On

Dr. Christian Mainka
christian.mainka@hackmanit.de