With FIDO2, there is an industry standard that tackles the problem with passwords at the root. […]
Passwords are the Achilles heel of secure Internet communication because they can be intercepted, spied on, or, in the worst case, leveraged by simple trial and error. Given the large number of password queries that software users face on a daily basis, many of them neglect basic rules about the minimum length of their passwords and thus contribute – whether out of ignorance or convenience – to the endangerment of their user accounts. From the point of view of security experts, there are many reasons to supplement passwords with multi-factor authentication and, ideally, to abolish them altogether. On the way to a password-free future, the industry standards FIDO and FIDO2 are important milestones.
FIDO, short for Fast IDentity Online, is an open and license-free industry standard for secure, fast, and easy authentication on the Internet. It was developed by the non-commercial FIDO Alliance, which includes hundreds of companies from all over the world. The FIDO standard, since further developed into FIDO2, gives companies the opportunity to use hardware-backed authentication such as fingerprint or face recognition in their products. Users can log in to online services without having to remember passwords. After FIDO Universal Second Factor (FIDO U2F) and FIDO Universal Authentication Framework (FIDO UAF), FIDO2 is the third standard to emerge from the work of the Alliance.
Passwords stolen or guessed by brute-force attacks remain the main attack surface. FIDO2 was created to address this vulnerability. The standard includes:
- The World Wide Web Consortium (W3C) specification for Web Authentication (WebAuthn). As a programming interface, WebAuthn forms the basis for secure online authentication. Web applications and websites that use WebAuthn let users authenticate with a public-key procedure: the authenticator signs a challenge issued by the server with a private key that stays on the device, and the server verifies the signature with the public key it stored at registration. In developing WebAuthn, the FIDO Alliance worked closely with the W3C. The FIDO Alliance member companies submitted the specifications to the W3C for formal standardization in 2015 and subsequently worked within the W3C on completing the API. In March 2019, WebAuthn was officially recognized as a W3C web standard. The share of browsers installed worldwide that already support WebAuthn shows the success of the standardization: according to CanIUse, it is currently 88 percent.
- The FIDO Alliance's Client to Authenticator Protocol (CTAP). This communication protocol secures the data exchange between the WebAuthn client running in the web browser and the device used for authentication, such as a hardware token connected via USB, NFC, or BLE. CTAP is now available as CTAP2, which, in addition to the older security tokens now subsumed under CTAP1, also supports passwordless and multi-factor authentication as it is typically implemented with current smartphones (login via Face ID, fingerprint, and the like).
The FIDO2 method combines several decisive advantages. Foremost is the elimination of passwords, which frees users from an annoying and error-prone obligation. In addition, FIDO2 credentials are unique to each website: the credential's private key never leaves the user's device and is never stored on a server, which holds only the corresponding public key.
This ensures that cybercriminals cannot gain unauthorized access through phishing, stolen passwords, or replay attacks: the credential is bound to the website's origin, and every login signs a fresh challenge from the server. In addition, no password or other reusable secret is sent over the Internet, so login data and personal data cannot be skimmed off by attackers. Since the introduction of CTAP2, users no longer have to resort to dedicated security tokens to log in securely: devices they already use every day, such as smartphones, laptops, PCs, or smartwatches, are sufficient.
Even the lowest security level of FIDO2, single-factor authentication (proof of possession of the authenticator alone), is in most cases more secure than pure password authentication. If the highest level of security is required for an application that holds sensitive data, it can be secured with FIDO2 multi-factor authentication, in which the authenticator additionally verifies the user by biometrics or PIN. The security level can be configured dynamically per application or user as required (1FA, 2FA, MFA). In addition, FIDO2 offers protection against cloned authenticators: each assertion carries a signature counter, so the relying party can detect a copied security token whose counter has fallen behind the stored value and reject the access attempt.
But since each standard is only as good as the number of people who use it, broad support is crucial: the FIDO Alliance has brought together global leaders in the tech industry, including Intel, Google, Microsoft, Bank of America, Samsung, and Qualcomm. In the operating systems iOS, Android, Windows, and macOS, FIDO2 is already supported in the latest versions, so that device sensors such as Face ID or fingerprint scanners can be used for authentication.
The fact that FIDO2 is a relatively young standard is also evident from the typical “teething problems”: FIDO2 integrates many components, on whose development numerous companies and organizations are working, be it authentication services, browsers, operating systems, hardware for processing biometric data, or security tokens. This results in a huge number of possible combinations of software and hardware. A few more years will pass before they all work together properly, and providers will have to readjust time and time again in the meantime.
The current weakness is that WebAuthn does not yet support transaction signatures. Future specifications are under discussion, but they are still a long way from being included in the standard. Transaction signatures in particular enable many compelling use cases, because critical business transactions (e.g. money transfers, GDPR consent, address changes) can be additionally secured: the user confirms, and the authenticator signs, the specific transaction content rather than only the login.
Transaction confirmation according to the established FIDO UAF standard is available as a working alternative, and it brings two further advantages. First, FIDO UAF was designed primarily for the mobile sector and therefore allows a very user-friendly implementation of the “phone as a token” principle. Second, with FIDO UAF manufacturers have better control over the end-to-end solution, since they depend on significantly fewer third-party components.
* Stephan Schweizer looks back on 22 years of professional and management experience in the field of security solutions. During this time, he was in charge of setting up operations and the further development of the Nevis infrastructure. As Chief Executive Officer of the newly founded Nevis Security AG, a spin-off of AdNovum Informatik AG, he has been responsible for the strategic business development of the Nevis Security Suite on the international market since 2020.