PKI and FIDO2: The Dynamic Duo of Authentication

May 6, 2021

Peanut butter & jelly. Movies & popcorn. Wine & cheese. Campfires & s'mores. You know all the great pairings… but have you heard of FIDO2 and PKI?

by Jerome Becquart

We all know how dramatically digital business transformation has altered the way we work and operate our businesses in the last year. The time we spend on mobile devices for work has increased by 11%, the focus on cloud infrastructure is expected to increase by 18%, and 90% of IT leaders have seen an increase in cyberattacks since the transition to remote work.

This digitization has made many businesses reconsider how they authenticate the users on their network. Their security perimeter no longer ends at the office building; it stretches into every home office, shared workspace, or coffee shop where employees take their work.

Password-based solutions are not enough to protect these users, which is why businesses are implementing multi-factor authentication. MFA tools let biometrics, facial recognition, hardware tokens, and YubiKeys replace passwords. 87% of large organizations have already adopted MFA solutions, and 75% of IT leaders plan to increase MFA spending in the next year. MFA is essential for transitioning to passwordless – commonly seen by businesses as the largest priority in improving their Identity & Access Management.

FIDO2, the open authentication standard hosted by the FIDO Alliance, is the new standard for multi-factor authentication. Many businesses are now turning to FIDO2 as their singular authentication solution. But does FIDO2 really address all your authentication use cases? Or can it be enhanced with other technology?

FIDO2 Explained

Let’s take a step back and take a look at FIDO2. The FIDO2 specifications enable authentication with mobile devices and desktops, offering two-factor, multi-factor, or passwordless authentication. It consists of the W3C Web Authentication (WebAuthn) specification, which offers a web API that lets users log into internet accounts with MFA, and the Client to Authenticator Protocol (CTAP), which enables external devices such as security keys to authenticate with browsers, applications, and web services.

FIDO2 is commonly seen as the industry’s answer to the global password problem. It has multiple benefits including:

  • Enhanced Security: FIDO2 cryptographic credentials are unique for each use case, never leave the user’s device, and are never stored on a server. This gives them a high level of security that passwords would never provide.

  • Convenient: Many businesses select FIDO2 technology because it’s easy for their employees to adopt and maintain. By using their mobile devices or a single security key to authenticate, users no longer need to keep track of various passwords.

  • Future-thinking: As businesses increasingly transition to the cloud, they need to consider how to authenticate users on each website or platform. Thanks to FIDO2’s WebAuthn specification, businesses can transition to cloud and web-based services without worrying that their authentication will be impacted.
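To make the WebAuthn/CTAP flow and the "credentials never leave the device" point concrete, here is a small model of one FIDO2 login assertion in Go. It is an added example, not code from the original post or from Axiad: the authenticator side holds the private key and signs, while the relying-party side stores only the public key and checks the RP ID hash, origin, challenge, user-presence flag, signature counter and signature before accepting the login. The RP ID, origin and challenge values it expects are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Authenticator models a FIDO2 token (constructed, in memory): the private key never leaves it,
// and NewAuthenticator hands the relying party only the public key.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter; a cloned credential shows up as a value that does not increase
}
func NewAuthenticator() (*Authenticator, *ecdsa.PublicKey) {
	priv, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: priv}, &priv.PublicKey
}
// Sign builds authenticatorData = SHA-256(rpID) || flags || counter and signs it with the client data hash.
func (a *Authenticator) Sign(rpID string, cdJSON []byte) (authData, sig []byte) {
	a.counter++
	h := sha256.Sum256([]byte(rpID))
	authData = append(h[:], 0x01, 0, 0, 0, 0) // flags byte: UP (user present), then 4-byte counter
	binary.BigEndian.PutUint32(authData[33:], a.counter)
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...)) // authenticatorData || SHA-256(clientDataJSON)
	sig, _ = ecdsa.SignASN1(rand.Reader, a.priv, msg[:])
	return authData, sig
}

// VerifyAssertion is the relying-party check; it holds only the public key and returns the counter to store.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string, cdJSON, authData, sig []byte, last uint32) (uint32, error) {
	var cd struct{ Type, Challenge, Origin string } // the collectedClientData fields checked here
	rpHash := sha256.Sum256([]byte(rpID))
	cdHash := sha256.Sum256(cdJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	switch {
	case json.Unmarshal(cdJSON, &cd) != nil || cd.Type != "webauthn.get" || cd.Challenge != challenge || cd.Origin != origin:
		return 0, errors.New("client data rejected: bad JSON, type, challenge or origin")
	case len(authData) < 37 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x01 == 0:
		return 0, errors.New("authenticatorData is not for this RP or user presence not asserted")
	case binary.BigEndian.Uint32(authData[33:37]) <= last:
		return 0, errors.New("signature counter did not increase: possible cloned credential")
	case !ecdsa.VerifyASN1(pub, msg[:], sig):
		return 0, errors.New("invalid signature")
	}
	return binary.BigEndian.Uint32(authData[33:37]), nil
}
```

A real relying party generates a fresh random challenge per login and stores the returned counter with the credential; the browser, not the page, fills in the origin in the client data.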

A key reason many businesses are focusing on FIDO2 is its importance to the Microsoft IAM solution. By deploying the Microsoft Authenticator app, Windows Hello for Business, and a FIDO2 security key, businesses can authenticate their mobile devices, cloud applications, and Windows workstations. For many IT leaders, this singular solution covers their top authentication priorities.

What is FIDO2 missing?

However, leaders that deploy just FIDO2 or Microsoft solutions are not covering all their use cases. While FIDO2 ensures streamlined authentication for users, it doesn’t address the machines and interactions that also need to be secured.

  • Machine Identity Management: Machines, such as mobile devices, servers, printers, applications, IoT devices, etc. now outnumber humans by a factor of 3. IT leaders can no longer just focus on authenticating the users on their networks, which is why FIDO2 authentication is not enough.

  • Email signing and encryption: There has been a 350% increase in phishing attacks in the last year. Hackers frequently impersonate the co-workers of a target and get them to share private information via email. This can be prevented with secure email interactions such as email signing and encryption, which are not part of the FIDO2 specifications.

  • Document signing: As our interactions become increasingly digital, the days of exchanging contracts, purchase orders, and other documents in person feel far gone. Digitally signing documents has become essential but can’t be done with FIDO2.

PKI Explained

So if FIDO2 technology and the Microsoft products can’t offer complete authentication, how do you protect all your use cases? PKI is the perfect complement to FIDO2. Public key infrastructure enables the secure and private exchange of data through the use of a public and a private cryptographic key pair. The public key is published in a certificate issued by a trusted Certificate Authority (CA), while the private key stays with its owner. PKI allows businesses to authenticate users, machines, and interactions, which means that those gaps in FIDO2 can be secured by PKI technology.

  • Machine Identity Management: With PKI, you can issue certificates for all of these types of machines, so you no longer need to worry about unverified devices or applications on your network. This is invaluable as employees bring work-issued and personal iOS and Android devices to your network. Ensuring all of these are verified prevents hackers from gaining access to your system through a single insecure machine.

  • Email Signing and Encryption: PKI offers certificates to sign emails and encrypt them. Signing emails enables employees to recognize a phishing threat when it lacks a digital signature. For industries that deal with confidential information, such as aerospace and defense, email encryption is a key aspect of their security. These industries also tend to be highly regulated, so PKI technology can help them meet required security standards.

  • Document Signing: As with email signing, PKI secures document signing. This not only ensures that documents are authorized in a secure manner, but also removes the wet-ink hassle of printing, signing, and scanning documents for your employees.

So why isn’t PKI used by everyone? With the various policies, compliance requirements, and lifecycle management needed to deploy and maintain the technology, it can be overwhelming for businesses to take on. Many IT teams simply don’t have the expertise or resources required. PKI is also usually offered as an on-premises solution, which is not ideal for businesses trying to transition their cybersecurity infrastructure to the cloud.

This doesn’t need to be the case. With Axiad, your PKI can be automated and cloud-based. The Axiad solution takes the management requirements away from IT teams, allowing them to instead focus on their core business. PKI can be integrated with the other credential technology the business is using, whether it’s a mobile authenticator, TPM, a YubiKey, or a smart card. All of these are managed on the Axiad Cloud platform, so your business can scale and grow its credential solutions along with its other cloud-based technologies.

How can you integrate PKI and FIDO2?

When PKI is automated and cloud-based, it removes the complexity from the technology and positions it as a perfect complement to FIDO2 credentials. There has already been an effort to help businesses integrate the two technologies – the National Institute of Standards and Technology has published Special Publications 800-171 and 800-63 on the subject, and the FIDO Alliance has done its own research in Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies.

Utilizing both technologies assures that there are no gaps left in the security perimeter. Mobile and cloud-based authentication is made simple for users with FIDO2, and machines and interactions such as devices, emails, and documents are verified with PKI. This joint solution can be deployed in one unified platform with Axiad SMARTidentity – which supports both PKI and FIDO2 devices. This enables businesses to take the complexity and stress out of authentication. Instead, IT leaders can rest assured they have the dynamic duo protecting all their business use cases.

Ready to learn more?

Check out the Cyberscoop report.

About the Author

Jerome Becquart is Axiad’s COO. Jerome has over 20 years of experience in identity and access management solutions, including 15 years at ActivIdentity. Jerome’s management experience includes roles in operational management, sales management, professional services, product and solution marketing, engineering, and technical support. After the acquisition of ActivIdentity by HID Global in 2010, Jerome served as general manager of the HID Identity Assurance business unit. He chaired the GlobalPlatform Government Task Force for three years, and served on the board of directors of this industry organization.
