Summary: In this article, we will take a big-picture look at FIDO2 and how it applies to passwordless authentication. You’ll learn about the origins of FIDO2, its advantages and disadvantages, the differences between FIDO2, FIDO, and WebAuthn, and how UAF and U2F differ. By the end of this article, you’ll have a clear understanding of how FIDO2 works, what problems it solves, whether you need FIDO2 certification, and what that certification entails.
What Is FIDO2?
FIDO2 is the newest set of specifications from the FIDO Alliance. It enables the use of common devices to authenticate to online services on both mobile and desktop environments, using unique cryptographic login credentials for every site. Essentially, FIDO2 is passwordless authentication.
Also spelled as “FIDO 2,” FIDO2 is an overarching term for the FIDO Alliance specifications. These are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).
FIDO2 provides a passwordless way to authenticate users and addresses security, convenience, privacy, and scalability issues that passwords do not. Online services can be accessed through a standard web API, which can be built into web platform infrastructure.
History of FIDO2
The FIDO (Fast IDentity Online) Alliance was founded in 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio to create a passwordless authentication protocol. Google, Yubico, and NXP joined the alliance in 2013. In 2014, PayPal and Samsung collaborated to launch the first FIDO authentication protocol on the Samsung Galaxy S5, allowing users to log in, shop, and pay with PayPal with a finger swipe. In December 2014, the first full FIDO passwordless protocol was released.
In February 2016, the W3C took the FIDO 2.0 web APIs submitted by the FIDO Alliance and launched a new standards effort. The goal was for the FIDO Alliance to work with the W3C to standardize FIDO authentication across browsers and web platform infrastructure. FIDO2 officially launched in April 2018 and was implemented in Google Chrome, Mozilla Firefox, and Microsoft Edge. In 2020, Safari on iOS, macOS Big Sur, and iPadOS 14 expanded support for FIDO2.
In the past year, spending on multi-factor authentication (MFA) has risen. More modern authentication standards, such as FIDO2, and the realization that phishing attacks and stolen credentials are behind a large share of security breaches, have led 74 percent of organizations to plan for increased investment in the technology. In particular, FIDO2 and passwordless authentication are gaining steam as ways to close gaps in MFA strategies: 61 percent of surveyed organizations have either deployed or plan to deploy them.
Advantages of FIDO2
There are a lot of advantages to FIDO2, primarily around security, convenience, privacy, and scalability. FIDO2 does not store credentials on a server and uses unique cryptographic login credentials, which helps reduce the likelihood of phishing, password theft, and replay attacks. Cybercrime has dramatically risen; 791,790 complaints were filed in 2020, an increase of over 300,000 from the previous year. Reported losses were over $4.2 billion. FIDO2 authentication could help stem the tide of attacks.
Additionally, it’s convenient for users because they leverage fingerprint readers or cameras on their mobile devices or simple FIDO2 security keys to log in. Because the keys are unique for every website, users can’t be tracked across sites.
In fact, it’s fairly straightforward to use a FIDO2 security key on a mobile device. Apple and other major device manufacturers have invested heavily in FIDO2, so implementing multi-factor authentication with a mobile device can be done without changing the device itself. Organizations that need to enforce strict authentication standards, such as using only NIST-certified FIDO2 devices, can use FIDO2 attestation to verify the make and model of an authenticator and confirm it is approved for MFA before accepting it.
Disadvantages of FIDO2
FIDO2 does have one big drawback, mainly around convenience. Users are required to undergo an additional security step instead of quickly typing in their password (or having it automatically filled in by a browser). While this step enhances security, it can also make logging into multiple FIDO2-enabled websites throughout the day cumbersome.
Another consideration is that, while FIDO2 is supported by major browsers and platforms, support among websites is still limited. There aren’t many FIDO2-enabled websites deployed yet, although that number is expected to grow as FIDO2 gains traction.
How Does FIDO2 Work?
FIDO2 passwordless authentication uses public-key cryptography for both security and convenience: a private key and a matching public key together establish who the user is. To take advantage of FIDO2, a user signs up at a FIDO2-supported site and chooses an authenticator, such as a WebAuthn-capable FIDO2 security key or a platform authenticator built into the device. A FIDO2 key pair is generated for that site; the user’s device sends the public key to the service and keeps the private key on the device.
Then, when the user is ready to log in to the FIDO2 service, they follow a few steps. They provide their username or email address, and the service sends them a cryptographic challenge. The FIDO2 private key signs the challenge, the service verifies the signature with the public key it stored at sign-up, and the user is granted access. No secrets are exchanged with servers; the FIDO2 private key never leaves the user’s device.
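The registration and login ceremonies just described, and the per-site keys mentioned under the advantages above, as an added example that is not from this article or from StrongDM: a self-contained Go program using only the standard library's P-256 ECDSA (no WebAuthn library). The types `Authenticator`, `RelyingParty` and `Assertion`, the origin `https://bank.example`, and the user `alice` are all invented for illustration. It goes slightly beyond the text in showing why a captured assertion and a look-alike site both fail at the server.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"fmt"
)

// clientData is the subset of WebAuthn's clientDataJSON modelled here.
type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"` // base64url, as WebAuthn encodes it
	Origin    string `json:"origin"`
}

// Assertion is what the authenticator returns at login: a signature, never a secret.
type Assertion struct {
	ClientDataJSON []byte
	Signature      []byte // ASN.1 DER ECDSA signature (ES256)
}

// signedMessage follows WebAuthn: authenticator data (reduced here to the hash of the
// relying party identifier) followed by SHA-256(clientDataJSON), so the site and the
// challenge are bound into every signature.
func signedMessage(rpID string, clientDataJSON []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientDataJSON)
	return append(rpHash[:], cdHash[:]...)
}

// RelyingParty models the FIDO2 server (hypothetical). Per user it holds only a
// public key, so a breach of this store yields nothing that could be used to log in.
type RelyingParty struct {
	Origin string
	pubs   map[string]*ecdsa.PublicKey
}

func NewRelyingParty(origin string) *RelyingParty {
	return &RelyingParty{Origin: origin, pubs: map[string]*ecdsa.PublicKey{}}
}

// NewChallenge returns 32 fresh random bytes; a real server also discards each after one use.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	return c
}

// Authenticator models the user's device (hypothetical): one private key per origin,
// standing in for the browser's rule that a page may use only its own site's credentials.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // private keys never leave the device
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh P-256 key pair for rp's origin and sends rp only the public key.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.keys[rp.Origin] = priv
	rp.pubs[user] = &priv.PublicKey
	return nil
}

// Assert answers a login challenge. A look-alike origin has no registered key, so a
// phishing page cannot obtain a signature at all.
func (a *Authenticator) Assert(origin string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[origin]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", origin)
	}
	cd, _ := json.Marshal(clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), origin})
	digest := sha256.Sum256(signedMessage(origin, cd))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{ClientDataJSON: cd, Signature: sig}, nil
}

// Verify runs the server-side checks before access is granted: the client data must
// match the challenge the server issued and its own origin, and the signature must verify.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	var got clientData
	if err := json.Unmarshal(as.ClientDataJSON, &got); err != nil {
		return err
	}
	want := clientData{"webauthn.get", base64.RawURLEncoding.EncodeToString(challenge), rp.Origin}
	if got != want {
		return fmt.Errorf("client data mismatch (replay or phishing): got %+v", got)
	}
	digest := sha256.Sum256(signedMessage(rp.Origin, as.ClientDataJSON))
	if pub := rp.pubs[user]; pub == nil || !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return fmt.Errorf("bad signature for user %q", user)
	}
	return nil
}
```

`Register` leaves a private key on the device and only a public key on the server; `Assert` signs the server's challenge together with the page origin; `Verify` rejects anything that does not match the challenge it issued and its own origin before it even checks the signature. Calling `Assert` with `https://bank-login.example` fails before a signature exists, which is the phishing resistance the article refers to, and a captured assertion presented against a new challenge fails the comparison. Real WebAuthn authenticator data also carries flags and a signature counter, and servers track which challenges are outstanding; both are left out to keep the flow readable.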
FIDO2 vs FIDO vs WebAuthn
While they sound alike, FIDO2 differs from its predecessor, FIDO. It also differs from WebAuthn.
FIDO2 vs FIDO
FIDO is an overarching term that typically refers to the FIDO Alliance or all FIDO standards. FIDO2 is the most recent FIDO Alliance standard, which allows for passwordless authentication for both mobile and desktop applications through mobile devices.
FIDO2 vs WebAuthn
FIDO2 and WebAuthn are not interchangeable terms. WebAuthn is the main component of FIDO2: a set of standards and browser APIs that lets a website ask the browser, and through it the operating system, to create and use cryptographic keys. WebAuthn falls under the FIDO2 standards, but it was developed by the W3C.
U2F and UAF FIDO Protocols: What’s the Difference?
The original FIDO was created to foster stronger authentication standards for passwords and logins. The first passwordless protocol, called FIDO Universal Authentication Framework (FIDO UAF), and the second, FIDO Universal Second Factor (FIDO U2F), were released at the same time in 2014.
These two protocols serve different purposes. FIDO UAF is for online services that want to add multi-factor and passwordless authentication; it allows methods such as fingerprint scanning, facial recognition, or entering a PIN. FIDO U2F is for augmenting password-based authentication with a second factor and initially required a physical key, such as a YubiKey, for verification. Near-field communication (NFC) and Bluetooth Low Energy (BLE) devices can also be used.
FIDO2 is considered the successor to FIDO UAF since it allows for passwordless authentication on top of existing identity verification. In the wake of FIDO2, U2F was relabeled as Client to Authenticator Protocol (CTAP1).
How to Assess Whether You Need a FIDO2 Certification
The FIDO Alliance has a FIDO certification program that verifies how compliant and secure different services and applications are. There are various levels of certifications to determine how interoperable organizations and their products are with FIDO specifications. There is a specific certification for FIDO2, and a FIDO2 Certified Server can accept any FIDO2 Certified authenticator, even if they’re made by different companies. FIDO certifications include:
· Functional Certification, a comprehensive program
· Authenticator Level 1 (L1), the minimum required for FIDO2 certification
· Authenticator Level 1+
· Authenticator Level 2
· Authenticator Level 3
· Authenticator Level 3+
Organizations do not have to be FIDO Alliance members to get FIDO2 certifications. All organizations that apply for certification have to undergo self-validation, interoperability testing, and certification for their authenticators for at least Level 1 (L1). They also must submit required documents. If an organization wishes to use the FIDO Certified trademark and logo on their product, packaging, or marketing materials, they will also need to execute a Trademark License Agreement. Finally, FIDO authenticator vendors are encouraged to use the FIDO Alliance Metadata Service (MDS) to publish metadata statements for FIDO servers.
FIDO Certifications for Professionals
In addition to product certifications, the FIDO Alliance also has a FIDO Certified Professional program. It evaluates how well a candidate can deploy FIDO authentication solutions, analyze business requirements, design and implement technical requirements, validate business and technical requirements for implementation, and educate others about authentication.
This certification is not specific to FIDO2 but assesses someone’s overarching knowledge of FIDO standards. Technology architects, security professionals, identity and access management professionals, and systems and operations engineers are all good candidates for the FIDO Certified Professional program.
FIDO2 has become a standard adopted by major device manufacturers and web platforms alike, with ease of use, privacy, and security as its main advantages. It allows for passwordless authentication without cryptographic keys being stored on a server, making it much more difficult to compromise credentials.
The FIDO Alliance has been working on standards since 2012. With this newest iteration, users can leverage their mobile devices to authenticate instead of needing a hardware key.
Using FIDO2 can help improve access management. It will be even more convenient for passwordless authentication as it becomes more widely adopted.
About the Author
Andrew Magnusson, Director, Global Customer Engineering, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.