A Guide to FIDO and FIDO 2 Passwordless
A recent report from IBM notes that the most popular attack vector for hackers is the use of compromised credentials. On average, businesses lost 4.5 million dollars because of data breaches resulting from stolen IDs and passwords. The need to better protect information led to the development of the Fast Identity Online (FIDO) specifications. For those who still have questions about “what is FIDO and FIDO 2 passwordless?”, we created this guide to offer more clarity.
What is FIDO?
The FIDO protocols emerged from a joint venture between tech companies like Lenovo, Google, Microsoft, and PayPal. The FIDO Alliance focused on reducing how much public and private entities relied on passwords. They felt there needed to be a new authentication standard that any organization worldwide could adopt.
First published in 2014, the first FIDO specification included two protocols. The first, Universal 2nd Factor (U2F), outlined standards for physical security keys used as a secondary check, or second factor (2F), alongside online passwords. Most U2F keys plug into computers, although some models use Bluetooth Low Energy (BLE) or near-field communication (NFC). Devices using the U2F protocol rely on public-key cryptography to protect user accounts.
The second FIDO specification protocol, Universal Authentication Framework (UAF), outlined how organizations could start using passwordless and multi-factor security for their services. Users register their device with a service, then choose a second authentication mechanism. Options typically include:
PIN sent to a device
UAF also uses key pairs: the public key is stored on the service provider’s servers while the user holds the matching private key. Instead of typing in a password, users log in using one of the methods listed above.
Understanding Asymmetric Encryption
FIDO protocols support several authentication mechanisms that can be implemented in technology like facial recognition, fingerprint sensors, or hardware tokens. Asymmetric cryptography is fundamental to every version of FIDO. While symmetric cryptography uses a single key for both encrypting and decrypting data, asymmetric cryptography uses a separate key for each function.
FIDO authentication uses asymmetric cryptography in the form of public key infrastructure (PKI), in which a public and private key pair is generated for every user. Public keys are stored by service providers to verify users, while private keys are held by the individual user.
That private key gets matched to the public key whenever a user signs into an application or service. Because only the public half is stored on the provider’s side, PKI helps ensure that hackers can’t gain access to user accounts even if they manage to penetrate a service provider’s servers.
What is FIDO 2 Passwordless?
Seeking to make it easier for companies to shift to passwordless authentication, the FIDO Alliance launched upgraded specifications in April 2018. The biggest change in the new component, called FIDO2, was the introduction of Web Authentication (WebAuthn). The FIDO Alliance worked with the World Wide Web Consortium (W3C) to develop the new protocols.
WebAuthn includes new standards and web application programming interfaces (APIs) capable of adding FIDO-based authentication to various platforms and supported web browsers. Users can log into applications using FIDO keys, mobile apps, or biometrics. Android and Windows 11 offer native support for WebAuthn.
FIDO2 uses a combination of traditional authentication and cryptography to allow organizations to set up passwordless logins with and without multi-factor authentication (MFA). Below is an overview of how the FIDO2 passwordless process works.
A user chooses an identity management service (IMS), then registers with it as a FIDO2 user.
The identity management provider generates a new cryptographic key pair.
The public key gets registered with the provider, and the private key is stored on the user’s device.
Authentication gets mapped onto one or more methods like PINs, physical keys, or biometrics.
The key to the process is that no identifying information gets sent to the service. Authentication remains on the user’s device. Because of that, no authentication can occur if the user does not possess that device.
FIDO protocols simplify the authentication process and reduce the need to rely on passwords. They also work on devices people use daily and are compatible with most services. Businesses can standardize processes for connecting to their servers and networks, lowering the risk of a costly data security breach.
With the introduction of FIDO2, companies can reduce the attack surface that hackers can use to launch an attack. Devices can offer more security around enterprise-level identity verification. FIDO2 also minimizes the amount of user interaction required to log into a system: employees can scan a fingerprint or enter a PIN instead of typing a password.
Another reason many companies are turning to FIDO2 for authentication is the potential to eliminate phishing threats. Hackers could no longer gain access to systems by using stolen credentials. They would need access to the user’s device, and because each key is tied to the URL of the site it was registered with, a lookalike site cannot use it.
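The Go program below is an added illustration, not code from the original post or from Axiad, of the registration and login steps described above and of the URL binding that defeats phishing: the device keeps the private key and only signs for the origin the browser reports, while the server keeps only the public key and verifies against its own identifier. The origin name, user names and the simple origin|challenge message layout are constructed for the demo; real WebAuthn signs a structured authenticator data block and a hash of the client data instead, and this model uses Ed25519 where a real deployment may use any algorithm the relying party accepts.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

const rpID = "login.example.com" // constructed relying-party origin for the demo

// device models the authenticator: private keys never leave it, indexed by the origin they were registered for.
// server models the relying party: it stores only public keys, indexed by user name.
var device = map[string]ed25519.PrivateKey{}
var server = map[string]ed25519.PublicKey{}

// Register generates a key pair on the device and hands the server only the public half.
func Register(user string) error {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return err
	}
	device[rpID] = priv
	server[user] = pub
	return nil
}

// Assert signs the challenge with the key registered for the origin the browser reports.
// A lookalike origin has no key on the device, so a relayed phishing challenge is never signed.
func Assert(origin string, challenge []byte) ([]byte, error) {
	priv, ok := device[origin]
	if !ok {
		return nil, errors.New("no credential registered for this origin")
	}
	return ed25519.Sign(priv, append([]byte(origin+"|"), challenge...)), nil
}

// Verify is the server side: the stored public key must validate a signature over the
// server's own id and the challenge it issued, so a signature for another origin fails.
func Verify(user string, challenge, sig []byte) bool {
	pub, ok := server[user]
	return ok && ed25519.Verify(pub, append([]byte(rpID+"|"), challenge...), sig)
}

// Login issues a fresh 32-byte challenge for one origin and reports whether the server accepts the answer.
func Login(user, origin string) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge) // crypto/rand only fails if the OS random source is unavailable
	sig, err := Assert(origin, challenge)
	return err == nil && Verify(user, challenge, sig)
}
```

Calling Register("alice") and then Login("alice", rpID) succeeds, while Login("alice", "login.example.com.evil.net") fails because the device holds no key for that origin.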
Reasons to Consider Moving to Passwordless Authentication
Some companies have hesitated to switch to FIDO2 because of the upfront costs. They would also need to train users to get used to the new authentication method. In addition, companies need to update all sites and services that rely on authentication to achieve the desired impact.
However, not doing everything possible to boost security around user access can cost organizations more in the long run. There’s no longer any room to take shortcuts when it comes to protecting company data. Biometric authentication is convenient and more secure for users.
After a company sets up the framework, using a FIDO2 security key is straightforward. Many large companies like Apple believe in the standard to the point where they’ve invested heavily in implementing the protocols.
Improve Your Security Posture with Axiad
It’s more critical than ever for businesses to become proactive about turning away inside and outside security threats. Axiad offers solutions that help companies enable secure authentication policies. Contact us today to learn more about the benefits of our Axiad Cloud solution for credential management.