December 07, 2022
The benefits of multi-factor authentication (MFA) have long been proven, and the recent move by tech giants towards a passwordless future cements them. The major one? Security. It takes less than an hour to crack a complex, 8-character password. The truth about passwords is that they are a weak link in the cybersecurity chain and the root cause of many breaches and vulnerabilities. Another major drawback of passwords is user experience; according to a study by the FIDO Alliance, nearly 60% of users abandon shopping carts because of login frustrations.
Although companies are aware of these concerns, they are still hesitant to implement passwordless authentication solutions, citing costs and implementation concerns. Cue the FIDO Alliance and its vendors, who have made passwordless security highly attainable.
The FIDO open standard
FIDO, short for Fast Identity Online, was formed in 2013 with the aim of using a set of open technical specifications to change the nature of authentication.
FIDO is an open standard, which means that it is openly accessible and usable by anyone. This plays an important role in its adoption rate: open standards appeal to developers, who are more receptive to open, easily scalable solutions.
FIDO’s main protocols are:
- U2F: The U2F protocol, short for Universal Second Factor, was the first FIDO protocol created. It was intended to operate as a second authentication factor alongside the traditional password (i.e. the first factor).
- UAF: The UAF, or Universal Authentication Framework, was the second FIDO protocol created. Born out of the growing demand for passwordless authentication, it was built to support mobile devices only.
- WebAuthn + CTAP: CTAP, the Client to Authenticator Protocol, paired with the WebAuthn web API, enables users to authenticate themselves on their desktops and mobile devices using inbuilt biometric sensors like fingerprint readers or facial recognition instead of a password.
FIDO2: A new standard for authentication
FIDO was born from a very real need - to rid the world of insecure legacy authentication methods like passwords. The latest WebAuthn + CTAP protocol pair forms the FIDO2 authentication standard, which addresses the privacy, convenience, scalability and security shortcomings of traditional authentication methods like passwords.
By utilizing the biometric sensors built into over 4bn devices globally, FIDO2 ensures a smooth user experience along with high security. This marriage of security and usability addresses a major doubt enterprises have when shifting to biometric authentication - how do we shift to passwordless strong customer authentication without compromising our user experience? Or in other words, what is the solution to the passwordless authentication UX problem?
How FIDO2 works
FIDO2 passwordless authentication uses the biometric sensors on the user’s device to authenticate them. This could be Face ID on an iPhone, a fingerprint or facial scan on an Android device, or even a non-biometric PIN on a Windows device. Users are already attuned to scanning their biometrics to unlock their phones or laptops and to make payments through Apple Pay, Google Pay and Samsung Pay (among others), so the action is already familiar.
FIDO2 authenticates the user using public key cryptography - a public/private FIDO2 key pair is automatically created upon registration. The private key is stored securely in the device - it never leaves. Think of the Secure Enclave on an iPhone.
The public key, on the other hand, is what goes to the service for attestation - in other words, FIDO2 credential registration. The public key registers the user with the particular online service and is delivered together with an attestation certificate. This attestation certificate is unique to the particular device the user authenticates with.
Once a user registers, they can use their device to log in. When the application authenticates the user with FIDO2, the server issues a ‘challenge’, which the device signs with the private key of the authenticator key pair created during registration. FIDO2 authentication is also called “assertion”.
What are FIDO2’s keys to success?
- Fraud prevention: FIDO2’s protocols provide strong protection against fraud, defending against man-in-the-middle and phishing attacks and all but eliminating account takeover risks.
Upon registration, FIDO2 passwordless authentication creates a unique public/private FIDO2 key pair for every site, so a compromise of one site does not affect the others, unlike a password breach.
- Multi-factor authentication (MFA): As simple an action as FIDO2 passwordless authentication seems to be, it is in essence two authentication factors. The first factor is the PIN entry or biometric scan, and the second factor is the FIDO2 assertion that happens on the user’s device.
- Device-bound biometrics: While the FIDO2 passwordless authentication protocols do not require biometrics, using them is common practice. FIDO2 does not store any biometrics on the server side; the only thing stored on the server is the public FIDO2 key.
FIDO2 not only avoids the problems of server-side biometric authentication, but also ensures that biometrics are used only for on-device assertion and verification.
- Unique credentials: When FIDO2 passwordless authentication registers a credential with a particular domain, that credential is bound to that domain only. That means a credential created on loginid.io cannot be used on loginid-example.io.
LoginID’s FIDO2-certified passwordless authentication solution can be easily integrated into any website or app in a few lines of code. Created with developers and enterprises in mind, LoginID can enhance your website or app fraud prevention methods using FIDO2 strong customer authentication, while adhering to PSD2 regulations.