The Definitive Guide to FIDO2 Web Authentication

Summary: In this article, we will take a big-picture look at FIDO2 and how it applies to passwordless authentication. You’ll learn about the origins of FIDO2, its advantages and disadvantages, the differences between FIDO2, FIDO, and WebAuthn, and how UAF and U2F differ. By the end of this article, you’ll have a clear understanding of how FIDO2 works, what problems it solves, whether you need FIDO2 certification, and what that certification entails.

What Is FIDO2?

FIDO2 is the newest set of specifications from the FIDO Alliance. It enables the use of common devices to authenticate to online services on both mobile and desktop environments, using unique cryptographic login credentials for every site. Essentially, FIDO2 is passwordless authentication.

Also spelled as “FIDO 2,” FIDO2 is an overarching term for the FIDO Alliance specifications. These are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).

FIDO2 provides a passwordless way to authenticate users and addresses security, convenience, privacy, and scalability issues that passwords do not. Online services can be accessed through a standard web API, which can be built into web platform infrastructure.

Security Advantages of FIDO2

FIDO2 does not store credentials on a server and uses unique cryptographic login credentials, which helps reduce the likelihood of phishing, password theft, and replay attacks. Cybercrime has dramatically risen; 880,418 complaints were filed in 2023, a 10% increase over the previous year. Reported losses were over $12.5 billion. FIDO2 authentication could help stem the tide of attacks.

Enhanced Privacy

Additionally, FIDO2 is convenient for users because they can leverage fingerprint readers or cameras on their mobile devices or simple FIDO2 security keys to log in. Because the keys are unique for every website, users can’t be tracked across sites.

Ease of Use

In fact, it’s fairly straightforward to use a FIDO2 security key on a mobile device. Apple and other major device manufacturers have invested heavily in FIDO2, so implementing multi-factor authentication (MFA) with a mobile device can be done without changing the device itself. Organizations that need to enforce strict authentication standards, such as using only NIST-certified FIDO2 devices, can use FIDO2 Attestation to ensure the device is approved for MFA before allowing it.

Additionally, websites use a JavaScript API call to enable FIDO2. Most major browsers and platforms support it, making it easy to scale with passwordless authentication across websites.

Disadvantages and Challenges of FIDO2

FIDO2 can be cost-prohibitive, in terms of both time and money, and it is also cumbersome to integrate into legacy production environments, remote workforces, and account recovery solutions.

Additionally, FIDO2 does not safeguard against timing attacks (attacks that link the user accounts stored on a vulnerable authenticator). And because FIDO2 relies on the computer's or system's authenticators, it provides no physical protection of its own.

How Does FIDO2 Work?

FIDO2 passwordless authentication uses public-key cryptography for both security and convenience: a private key and a public key together validate who the user is. To take advantage of FIDO2, a user signs up at a FIDO2-supported site and chooses an authenticator, such as a FIDO2 security key or a platform module built into the device. During registration a FIDO2 key pair is generated for that site; the user's device sends the public key to the service and keeps the private key, which never leaves the device.

Then, when the user is ready to log in to a FIDO2 service, they follow a few steps. They provide their username and email, and the service gives them a cryptographic challenge. The FIDO2 key is used to sign the challenge, and they are granted access. No secrets are exchanged with servers; the FIDO2 key is always on the user’s device.
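The registration and challenge-response flow described above, as an added example that is not from the original article: a simplified model of the WebAuthn exchange in Go using ECDSA P-256, with a relying-party check that rejects a replayed assertion and one signed for a look-alike origin. The names (Register, Sign, Verify, hashAll), the flattened authenticator-data layout and the sample relying party ID and origin are assumptions for illustration; real WebAuthn wraps the challenge and origin in clientDataJSON and encodes credentials in CBOR.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
)

// Assumed, simplified layout: real WebAuthn hashes clientDataJSON and encodes credentials in CBOR.
type Authenticator struct{ key *ecdsa.PrivateKey; rpID string; counter uint32 } // user's device: one key per site plus a counter
type Credential struct{ Pub *ecdsa.PublicKey; Counter uint32 }                 // all the site stores: public key, last counter seen
type Assertion struct{ AuthData, Sig []byte }                                   // signed answer to a login challenge
func hashAll(parts ...[]byte) []byte { s := sha256.Sum256(bytes.Join(parts, nil)); return s[:] } // SHA-256 of the concatenation

// Register creates a fresh P-256 key pair for this site; only the public half leaves the device.
func Register(rpID string) (*Authenticator, *Credential, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{key: key, rpID: rpID}, &Credential{Pub: &key.PublicKey}, nil
}

// Sign answers a challenge; hashing the origin into the signed data makes a signature from a look-alike site useless.
func (a *Authenticator) Sign(challenge []byte, origin string) (Assertion, error) {
	a.counter++
	authData := append(hashAll([]byte(a.rpID)), 0x01, 0, 0, 0, 0) // sha256(rpID) || flags (user present) || counter
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, hashAll(authData, hashAll(challenge, []byte(origin))))
	return Assertion{authData, sig}, err
}

// Verify is the relying party's check: right site, its own challenge and origin, valid signature, counter moved forward.
func Verify(c *Credential, rpID string, challenge []byte, origin string, as Assertion) error {
	if len(as.AuthData) != 37 || !bytes.Equal(as.AuthData[:32], hashAll([]byte(rpID))) {
		return errors.New("assertion is not bound to this relying party")
	}
	if !ecdsa.VerifyASN1(c.Pub, hashAll(as.AuthData, hashAll(challenge, []byte(origin))), as.Sig) {
		return errors.New("bad signature: wrong key, stale challenge, or wrong origin")
	}
	if ctr := binary.BigEndian.Uint32(as.AuthData[33:]); ctr > c.Counter {
		c.Counter = ctr // a replayed assertion, or a cloned key, fails to move the counter
		return nil
	}
	return errors.New("signature counter did not increase: possible replay")
}
```

The server never sees the private key; it stores only the public key and the last counter value, and every login is a fresh signature over a challenge it chose itself.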

FIDO2 vs FIDO vs WebAuthn

While they sound alike, FIDO2 differs from its predecessor, FIDO, and it also differs from WebAuthn.

FIDO2 vs FIDO

FIDO is an overarching term that typically refers to the FIDO Alliance or to all FIDO standards. FIDO2 is the most recent FIDO Alliance standard; it enables passwordless authentication for both mobile and desktop applications through mobile devices.

FIDO2 vs WebAuthn

FIDO2 and WebAuthn are not interchangeable terms. WebAuthn is the main component of FIDO2: a set of standards and APIs that lets the browser communicate with the operating system and handle cryptographic keys. WebAuthn falls under the FIDO2 standards, but it was developed by the W3C.

U2F and UAF FIDO Protocols: What’s the Difference?

The original FIDO was created to foster stronger authentication standards for passwords and logins. The first passwordless protocol, FIDO Universal Authentication Framework (FIDO UAF), and the second protocol, FIDO Universal Second Factor (FIDO U2F), were released at the same time in 2014. FIDO UAF and FIDO U2F are two distinct protocols.

FIDO UAF

FIDO UAF is for online services that want to add multi-factor authentication and passwordless authentication. UAF allows for methods like fingerprint scanning, facial recognition, or entering a PIN for authentication purposes. 

FIDO U2F

FIDO U2F is for augmenting password-based authorization with two-factor authentication and initially required a physical key, such as a YubiKey, for verification. Near-field communication (NFC) and Bluetooth Low Energy (BLE) devices can also be used.

FIDO2 is considered the successor to FIDO UAF, since it allows for passwordless authentication on top of existing identity verification. In the wake of FIDO2, U2F was relabeled as Client to Authenticator Protocol (CTAP1).

Meeting FIDO2 Security with StrongDM

Each organization and industry has its own requirements for identity authentication and authorization. If FIDO2 is right for your organization, you might want to explore solutions such as StrongDM's privileged credential management, which can help you eliminate security gaps by never exposing credentials to the end user.

Conclusion

FIDO2 has become a standard adopted by major device manufacturers and web platforms alike, with ease of use, privacy, and security as its main advantages. It allows for passwordless authentication without private keys being stored on a server, making it much more difficult to compromise credentials.

The FIDO Alliance has been working on standards since 2012. With this newest iteration, users can leverage their mobile devices to authenticate instead of needing a hardware key.

Using FIDO2 can help improve access management. It will be even more convenient for passwordless authentication as it becomes more widely adopted.

Ready to take control of access? Try StrongDM for free for 14 days.


FIDO2: Good to Know

History of FIDO2

The FIDO (Fast IDentity Online) Alliance was founded in 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio to find a way to create a passwordless authentication protocol. Google, Yubico, and NXP joined the alliance in 2013. In 2014, PayPal and Samsung collaborated to launch the first FIDO authentication protocol for the Samsung Galaxy S5, allowing users to log in and shop with a finger swipe and pay with PayPal. In December 2014, the first full FIDO passwordless protocol was released.

In February 2016, the W3C took the FIDO 2.0 web APIs submitted by the FIDO Alliance and launched a new standards effort. The goal was for the FIDO Alliance to work with the W3C to standardize FIDO authentication across browsers and web platform infrastructure. FIDO2 officially launched in April 2018 and was implemented in Google Chrome, Mozilla Firefox, and Microsoft Edge. In 2020, Safari on iOS, macOS Big Sur, and iPadOS 14 expanded support for FIDO2.

In the past year, spending on multi-factor authentication (MFA) has risen. More modern authentication standards such as FIDO2, together with the realization that phishing attacks and stolen credentials are behind a large share of security breaches, have led 74 percent of organizations to plan increased investment in the technology. In particular, FIDO2 and passwordless authentication are gaining steam as ways to address gaps in MFA strategies: 61 percent of surveyed organizations have either deployed or plan to deploy them.

How to Assess Whether You Need a FIDO2 Certification

The FIDO Alliance has a FIDO certification program that verifies how compliant and secure different services and applications are. There are various levels of certifications to determine how interoperable organizations and their products are with FIDO specifications. There is a specific certification for FIDO2, and a FIDO2 Certified Server can accept any FIDO2 Certified authenticator, even if they’re made by different companies. FIDO certifications include:

· Functional Certification, a comprehensive program
· Authenticator Level 1 (L1), the minimum required for FIDO2 certification
· Authenticator Level 1+
· Authenticator Level 2
· Authenticator Level 3
· Authenticator Level 3+

Organizations do not have to be FIDO Alliance members to get FIDO2 certifications. All organizations that apply for certification have to undergo self-validation, interoperability testing, and certification for their authenticators for at least Level 1 (L1). They also must submit required documents. If an organization wishes to use the FIDO Certified trademark and logo on their product, packaging, or marketing materials, they will also need to execute a Trademark License Agreement. Finally, FIDO authenticator vendors are encouraged to use the FIDO Alliance Metadata Service (MDS) to publish metadata statements for FIDO servers.

FIDO Certifications for Professionals

In addition to product certifications, the FIDO Alliance also has a FIDO Certified Professional program. It evaluates how well a candidate can deploy FIDO authentication solutions, analyze business requirements, design and implement technical requirements, validate business and technical requirements for implementation, and educate others about authentication.

This certification is not specific to FIDO2 but assesses someone’s overarching knowledge of FIDO standards. Technology architects, security professionals, identity and access management professionals, and systems and operations engineers are all good candidates for the FIDO Certified Professional program.


About the Author

, Customer Engineering Expert, has worked in the information security industry for 20 years on tasks ranging from firewall administration to network security monitoring. His obsession with getting people access to answers led him to publish Practical Vulnerability Management with No Starch Press in 2020. He holds a B.A. in Philosophy from Clark University, an M.A. in Philosophy from the University of Connecticut, and an M.S. in Information Management from the University of Washington. To contact Andy, visit him on LinkedIn.
