Summary: In this article, we will take a big-picture look at FIDO2 and how it applies to passwordless authentication. You’ll learn about the origins of FIDO2, its advantages and disadvantages, the differences between FIDO2, FIDO, and WebAuthn, and how UAF and U2F differ. By the end of this article, you’ll have a clear understanding of how FIDO2 works, what problems it solves, whether you need FIDO2 certification, and what that certification entails.
What Is FIDO2?
FIDO2 is the newest set of specifications from the FIDO Alliance. It enables the use of common devices to authenticate to online services on both mobile and desktop environments, using unique cryptographic login credentials for every site. Essentially, FIDO2 is passwordless authentication.
Also spelled as “FIDO 2,” FIDO2 is an overarching term for the FIDO Alliance specifications. These are the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).
FIDO2 provides a passwordless way to authenticate users and addresses security, convenience, privacy, and scalability issues that passwords do not. Online services can be accessed through a standard web API, which can be built into web platform infrastructure.
Security Advantages of FIDO2
FIDO2 does not store credentials on a server and uses unique cryptographic login credentials, which helps reduce the likelihood of phishing, password theft, and replay attacks. Cybercrime has dramatically risen; 880,418 complaints were filed in 2023, a 10% increase over the previous year. Reported losses were over $12.5 billion. FIDO2 authentication could help stem the tide of attacks.
Enhanced Privacy
Additionally, FIDO2 is convenient for users because they can leverage fingerprint readers or cameras on their mobile devices or simple FIDO2 security keys to log in. Because the keys are unique for every website, users can’t be tracked across sites.
Ease of Use
In fact, it’s fairly straightforward to use a FIDO2 security key on a mobile device. Apple and other major device manufacturers have invested heavily in FIDO2, so implementing multi-factor authentication (MFA) with a mobile device can be done without changing the device itself. Organizations that need to enforce strict authentication standards, such as using only NIST-certified FIDO2 devices, can use FIDO2 Attestation to ensure the device is approved for MFA before allowing it.
Additionally, websites use a JavaScript API call to enable FIDO2. Most major browsers and platforms support it, making it easy to scale with passwordless authentication across websites.
Disadvantages and Challenges of FIDO2
FIDO2 can be cost-prohibitive, in terms of both time and money, and it is also cumbersome to integrate into legacy production environments, remote workforces, and account recovery solutions.
Additionally, FIDO2 does not safeguard against timing attacks (attacks that link stored user accounts in vulnerable authenticators). Since FIDO2 relies on the authenticators of the user's computer or system, there is a lack of physical protection.
How Does FIDO2 Work?
FIDO2 passwordless authentication uses public-key cryptography for security and convenience. A private key and a public key together are used to validate who the user is. To take advantage of FIDO2, a user needs to sign up at a FIDO2-supported site and choose a security key, such as a FIDO2 WebAuthn key or a platform module. The site generates a FIDO2 authentication key pair, and the user's device sends the public key to the service. The private key is stored on the user's device.
Then, when the user is ready to log in to a FIDO2 service, they follow a few steps. They provide their username and email, and the service gives them a cryptographic challenge. The FIDO2 key is used to sign the challenge, and they are granted access. No secrets are exchanged with servers; the FIDO2 key is always on the user’s device.
FIDO2 vs FIDO vs WebAuthn
While they sound alike, FIDO2 differs from its predecessor, FIDO. It also differs from WebAuthn.
FIDO2 vs FIDO
FIDO is an overarching term that typically refers to the FIDO Alliance or all FIDO standards. FIDO2 is the most recent FIDO Alliance standard, which allows for passwordless authentication for both mobile and desktop applications through mobile devices.
FIDO2 vs WebAuthn
FIDO2 and WebAuthn are not interchangeable terms. WebAuthn is the main component of FIDO2. The set of standards and APIs allows the browser to communicate with the operating system and deal with using cryptographic keys. WebAuthn falls under FIDO2 standards, but it was developed by the W3C.
U2F and UAF FIDO Protocols: What’s the Difference?
The original FIDO was created to foster stronger authentication standards for passwords and logins. The first passwordless protocol, called FIDO Universal Authentication Framework (FIDO UAF), and the second, FIDO Universal Second Factor (FIDO U2F), were released at the same time in 2014. FIDO UAF and FIDO U2F are the two protocols, but they are different.
FIDO UAF
FIDO UAF is for online services that want to add multi-factor authentication and passwordless authentication. UAF allows for methods like fingerprint scanning, facial recognition, or entering a PIN for authentication purposes.
FIDO U2F
FIDO U2F is for augmenting password-based authorization with two-factor authentication and initially required a physical key, such as a YubiKey, for verification. Near-field communication (NFC) and Bluetooth Low Energy (BLE) devices can also be used.
FIDO2 is considered the successor to FIDO UAF since it allows for passwordless authentication on top of existing identity verification. In the wake of FIDO2, U2F was relabeled as Client to Authenticator Protocol (CTAP1).
Meeting FIDO2 Security with StrongDM
Each organization and industry has its own requirements for identity authorization and authentication. If FIDO2 is right for your organization, you might want to explore solutions such as StrongDM's privileged credential management, which can help you eliminate security gaps by never exposing credentials to the end user.
Conclusion
FIDO2 has become a standard adopted by major device manufacturers and web platforms alike, with ease of use, privacy, and security as its main advantages. It allows for passwordless authentication without cryptographic keys being stored on a server, making it much more difficult to compromise credentials.
The FIDO Alliance has been working on standards since 2012. With this newest iteration, users can leverage their mobile devices to authenticate instead of needing a hardware key.
Using FIDO2 can help improve access management. It will be even more convenient for passwordless authentication as it becomes more widely adopted.
Ready to take control of access? Try StrongDM for free for 14 days.
FIDO2: Good to Know
History of FIDO2
The FIDO (Fast IDentity Online) Alliance was founded in 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio to find a way to create a passwordless authentication protocol. Google, Yubico, and NXP joined the alliance in 2013. In 2014, PayPal and Samsung collaborated to launch the first FIDO authentication protocol for the Samsung Galaxy S5, allowing users to log in and shop with a finger swipe and pay with PayPal. In December 2014, the first full FIDO passwordless protocol was released.
In February 2016, W3C took the FIDO 2.0 Web APIs submitted by the FIDO Alliance and launched a new standards effort. The goal behind this effort was for the FIDO Alliance to work with the W3C to standardize FIDO authentication across browsers and web platform infrastructure. FIDO2 officially launched in April 2018, and it was implemented in Google Chrome, Mozilla Firefox, and Microsoft Edge. In 2020, Safari on iOS, macOS Big Sur, and iPadOS 14 expanded support for FIDO2.
In the past year, spending on multi-factor authentication (MFA) has risen. More modern authentication standards, such as FIDO2, and the realization that phishing attacks and stolen credentials are at fault for a lot of security breaches, have led 74 percent of organizations to plan for increased investment in the technology. In particular, FIDO2 and passwordless authentication are gaining steam as ways to address gaps in MFA strategies, as 61 percent of surveyed organizations have either deployed or plan to deploy them.
How to Assess Whether You Need a FIDO2 Certification
The FIDO Alliance has a FIDO certification program that verifies how compliant and secure different services and applications are. There are various levels of certifications to determine how interoperable organizations and their products are with FIDO specifications. There is a specific certification for FIDO2, and a FIDO2 Certified Server can accept any FIDO2 Certified authenticator, even if they’re made by different companies. FIDO certifications include:
· Functional Certification, a comprehensive program
· Authenticator Level 1 (L1), the minimum required for FIDO2 certification
· Authenticator Level 1+
· Authenticator Level 2
· Authenticator Level 3
· Authenticator Level 3+
Organizations do not have to be FIDO Alliance members to get FIDO2 certifications. All organizations that apply for certification have to undergo self-validation, interoperability testing, and certification for their authenticators for at least Level 1 (L1). They also must submit required documents. If an organization wishes to use the FIDO Certified trademark and logo on their product, packaging, or marketing materials, they will also need to execute a Trademark License Agreement. Finally, FIDO authenticator vendors are encouraged to use the FIDO Alliance Metadata Service (MDS) to publish metadata statements for FIDO servers.
FIDO Certifications for Professionals
In addition to product certifications, the FIDO Alliance also has a FIDO Certified Professional program. It evaluates how well a candidate can deploy FIDO authentication solutions, analyze business requirements, design and implement technical requirements, validate business and technical requirements for implementation, and educate others about authentication.
This certification is not specific to FIDO2 but assesses someone’s overarching knowledge of FIDO standards. Technology architects, security professionals, identity and access management professionals, and systems and operations engineers are all good candidates for the FIDO Certified Professional program.
About the Author
John Martinez, Technical Evangelist, has had a long 30+ year career in systems engineering and architecture, but has spent the last 13+ years working on the Cloud, and specifically, Cloud Security. He's currently the Technical Evangelist at StrongDM, taking the message of Zero Trust Privileged Access Management (PAM) to the world. As a practitioner, he architected and created cloud automation, DevOps, and security and compliance solutions at Netflix and Adobe. He worked closely with customers at Evident.io, where he was telling the world about how cloud security should be done at conferences, meetups, and customer sessions. Before coming to StrongDM, he led an innovations and solutions team at Palo Alto Networks, working across many of the company's security products.