FIDO2: Finally password-free?


Passwords are the Achilles heel of secure Internet communication – because they can be intercepted, spied on or, in the worst case, cracked by simple trial and error. Because software users face a large number of password prompts every day, many of them neglect basic rules regarding the minimum length of their passwords and thus contribute – whether out of ignorance or convenience – to the endangerment of their user accounts. From the point of view of security experts, there is much to be said for supplementing passwords with multi-factor authentication and, ideally, abolishing them altogether. On the way to a password-free future, the industry standards FIDO and FIDO2 are important milestones.

FIDO – short for Fast Identity Online – is an open and license-free industry standard for secure, fast and easy authentication on the Internet. It was developed by the non-commercial FIDO Alliance, which includes hundreds of companies from all over the world. The FIDO standard, which has since evolved into FIDO2, gives companies the opportunity to use hardware-based authentication such as fingerprint or face recognition in their products. Users can easily log in to online services without having to remember passwords. After FIDO Universal Second Factor (FIDO U2F) and FIDO Universal Authentication Framework (FIDO UAF), FIDO2 is already the third standard that has emerged from the work of the Alliance.

FIDO2 – WebAuthn meets CTAP

Passwords that are stolen or guessed in brute-force attacks are still the main attack vector for hackers. FIDO2 was created to close this vulnerability. The standard includes:

  • The web authentication specification (WebAuthn) of the World Wide Web Consortium (W3C), the international standardization organization for the World Wide Web. As a programming interface, WebAuthn forms the basis for secure online authentication. Web applications and websites that use WebAuthn allow users to authenticate using a public-key procedure. In the development of WebAuthn, the FIDO Alliance worked closely with the W3C. The member companies of the FIDO Alliance submitted the specifications to the W3C for formal standardization in 2015. They then worked within the W3C to finalize the API. In March 2019, WebAuthn was finally officially recognized as a W3C web standard. The success of the standardization is shown by the share of browsers installed worldwide that already support WebAuthn: according to a CanIUse report, it currently stands at 89 percent.
  • The Client-to-Authenticator Protocol (CTAP) of the FIDO Alliance. This communication protocol ensures secure data exchange between the WebAuthn application running in the web browser and a device used for authentication – such as a hardware token connected via USB, NFC or BLE. CTAP is now available in version CTAP2, which in addition to older security tokens – today subsumed under CTAP1 – also supports password-free and multi-factor authentication, as can usually be implemented with current smartphones (login via FaceID, fingerprint and the like).

The FIDO2 procedure combines several decisive advantages. First and foremost, it does away with passwords, which frees users from an annoying and error-prone obligation. In addition, the encrypted FIDO2 credentials are unique to each website, never leave the user’s device and are never stored on a server.

This ensures that cybercriminals cannot gain unauthorized access with phishing, stolen passwords or replay attacks. In addition, login data is not sent over the Internet, so that passwords and personal data cannot be siphoned off by hackers. Since the introduction of CTAP2, users no longer have to resort to special security tokens to log in securely: devices that they already use every day, such as smartphones, laptops, PCs or smartwatches, are sufficient.

FIDO2 increases security

Even FIDO2’s lowest security level, one-factor authentication, is more secure than pure password authentication in most cases. If an application that contains sensitive data requires the highest level of security, it can be secured with FIDO2 multi-factor authentication (biometric or PIN). The security level can be changed dynamically per application or user as required (1FA, 2FA, MFA). In addition, FIDO2 offers protection against cloned authenticators – the protocol detects the use of fake security tokens and blocks the access attempt.
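
The website binding, replay protection, per-application security level and clone detection described above all come down to a few checks the relying party's server runs on each login. The following sketch is an added example, not code from the article or from any FIDO product; `check_assertion`, `login.example` and the sample values are assumptions, and the signature check itself is left out.

```python
import hashlib
import json
import struct

FLAG_UP, FLAG_UV = 0x01, 0x04  # user present / user verified (biometric or PIN)

class AssertionRejected(Exception):
    pass

def check_assertion(auth_data, client_data_json, *, rp_id, origin,
                    challenge, stored_count, require_uv):
    """Return the new signature counter or raise AssertionRejected.
    Verifying the signature over auth_data || SHA-256(client_data_json)
    with the stored public key is a separate step, not shown here."""
    client = json.loads(client_data_json)
    if not isinstance(client, dict) or client.get("type") != "webauthn.get":
        raise AssertionRejected("wrong ceremony type")
    # A fresh per-login challenge is what defeats replayed assertions.
    if client.get("challenge") != challenge:
        raise AssertionRejected("challenge mismatch")
    if client.get("origin") != origin:
        raise AssertionRejected("unexpected origin")
    if len(auth_data) < 37:
        raise AssertionRejected("authenticator data too short")
    # Layout: rpIdHash (32 bytes) | flags (1) | signCount (4, big-endian)
    rp_id_hash, flags, sign_count = struct.unpack(">32sBI", auth_data[:37])
    # The credential is scoped to one relying party ID, i.e. one website.
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise AssertionRejected("rpIdHash mismatch")
    if not flags & FLAG_UP:
        raise AssertionRejected("user not present")
    if require_uv and not flags & FLAG_UV:
        raise AssertionRejected("user verification required")
    # Counter must strictly increase; 0 on both sides means no counter kept.
    if (sign_count or stored_count) and sign_count <= stored_count:
        raise AssertionRejected("counter did not increase: possible clone")
    return sign_count

def sample_auth_data(rp_id, flags, count):
    """Constructed authenticator data for the demo, not captured traffic."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)

# Constructed clientDataJSON; challenge and origin are made-up demo values.
SAMPLE_CLIENT = json.dumps({"type": "webauthn.get", "challenge": "c2FtcGxl",
                            "origin": "https://login.example"}).encode()

if __name__ == "__main__":
    data = sample_auth_data("login.example", FLAG_UP | FLAG_UV, 42)
    print(check_assertion(data, SAMPLE_CLIENT, rp_id="login.example",
                          origin="https://login.example", challenge="c2FtcGxl",
                          stored_count=41, require_uv=True))
```

Setting `require_uv` per application or user is how the 1FA versus MFA choice is enforced on the server side; a counter that fails to advance is treated here as a cloned authenticator and the login is refused.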

But since each standard is only as good as the number of people who use it, broad support is crucial: the FIDO Alliance has brought together global leaders from the tech industry, including Intel, Google, Microsoft, Bank of America, Samsung and Qualcomm. The latest versions of the operating systems iOS, Android, Windows and macOS already support FIDO2, so that device sensors such as Face ID or a fingerprint scanner can be used for authentication.

FIDO2 – what comes next?

The fact that FIDO2 is a relatively young standard is also reflected in the typical “teething problems”: FIDO2 integrates many components that numerous companies and organizations are working on developing – be it authentication services, browsers, operating systems, hardware for processing biometric data or security tokens. This results in a huge number of possible combinations of software and hardware. A few more years will pass before they all play together flawlessly, and the providers will have to readjust again and again in the meantime.

A current weakness is that WebAuthn does not support transaction signatures for the time being. Although future specifications are being discussed, they are still far from being included in the standard. Transaction signatures in particular enable many exciting use cases, as critical business transactions (e.g. money transfers, GDPR consent, address changes, etc.) can be additionally secured. As a working alternative, transaction confirmation according to the established standard FIDO-UAF is available, which at the same time brings two further advantages: First, FIDO-UAF was primarily designed for use in the mobile sector and therefore enables a very user-friendly implementation of the “Phone as a Token” principle. Second, when using FIDO-UAF, manufacturers have better control over the end-to-end solution, as they have to resort to significantly fewer third-party components.

* Stephan Schweizer can look back on 22 years of professional and management experience in the field of security solutions. Since 2020, as Chief Executive Officer of the newly founded Nevis Security AG, he has been responsible for the strategic business development of the Nevis Security Suite on the international market.
