Are You Using a FIDO Certified Authenticator?

Multi-factor authentication (MFA) gets touted as a significant security improvement over traditional “username + password” authentication. However, not all MFA processes are created equal. As the opportunities narrow for cybercriminals to pick off the low-hanging fruit of password-only systems, they’ve turned their focus to weak MFA.

A growing number of organizations have suffered security breaches despite having MFA in place, thanks to expanding digital systems, more advanced phishing tools, and the continued allowance of passwords as an authentication factor. The past year, which saw Microsoft, Uber and Cisco breached by MFA prompt bombing, demonstrates that organizations can’t just deploy any type of MFA and presume they’re safe from breaches.

Read more about this in our blog: How Secure is MFA?

For these reasons, the federal Office of Management and Budget (OMB) and the Cyber and Infrastructure Security Agency (CISA) have emphasized the need for phishing-resistant MFA, specifically passwordless MFA built around FIDO standards. We’ve examined FIDO standards and what they mean for authentication before, but in this post, we look at one of the most critical elements of the process: FIDO Certified authenticators.

What is a FIDO Certified Authenticator?

The Fast IDentity Online (FIDO) Alliance comprises the biggest names in tech, finance and other industries, as well as regulatory bodies such as NIST. Their standards are a set of open, passwordless protocols designed to improve authentication security. The current FIDO2 protocols bring together the W3C Web Authentication standard, known as WebAuthn, and FIDO’s Client to Authenticator Protocol (CTAP2). The latter of these allows engagement between compliant devices (such as smartphones) and an operating system or application to allow secure authentication using public key cryptography.

A FIDO authentication solution, in general, consists of the following:

• The FIDO Certified authenticator, which is a device such as a smartphone app or security key that establishes and verifies the user’s identity and proves possession of the private key
• The FIDO server, which generates the FIDO authentication request, validates identity and allows access to a network, application, or system
• The client, which is the software that controls the communication and authentication process between the authenticator and the server

In order to achieve FIDO certification, an authenticator must pass the FIDO Alliance’s rigorous testing and validation program. This ensures that FIDO Certified authenticators meet strict phishing-resistance standards and can work with any FIDO Certified server. .

As one of the core components of the FIDO protocols,  a FIDO Certified authenticator should feature in any solution calling itself a FIDO product. Unfortunately, this isn’t always the case. There can be a vast difference between solutions staking a FIDO claim.

Are You Sure You’re Using a FIDO Certified Authenticator?

FIDO Compliant vs. FIDO Certified vs. FIDO Certified Authenticator

Although these terms sound roughly the same, they are very different in practice:

• FIDO compliant or “like FIDO”: This means that, in the vendor’s estimation, their solution follows FIDO guidelines and requirements. This is not an official verification from FIDO, but as an open-source standard, vendors can see what the certification program requires without actually becoming certified. Pay attention to the exact language used and make sure you check the listing on the FIDO site.
• FIDO Certified: A further complication is that solutions that are FIDO Certified on only a single component will say that they are FIDO Certified and display the FIDO Certified badge. This does not mean that the entire solution is FIDO Certified. For example, several solutions are FIDO Certified for their server only. In this case, they can guarantee interoperability of their server with third-party FIDO Certified authenticators, such as an external security key, but their authenticator or client doesn’t meet FIDO’s interoperability or security standards.
• FIDO Certified authenticator: This means that the authenticator has passed rigorous testing from the FIDO Alliance and has been found to meet their requirements regarding security and interoperability with other FIDO components.

Why Having a FIDO Certified Authenticator Matters

A core objective of the FIDO standards is eliminating shared secrets from authentication, thus removing them as an avenue for cyberattacks. For any FIDO solution, this means that it cannot simply fall back to a password or one-time password (OTP) if the user can’t provide other factors. However, if the authenticator is not FIDO Certified, the only way to ensure adherence to CISA phishing-resistance requirements and other regulatory guidelines is to use a separate FIDO Certified authenticator. The only other option is using a completely different system, such as the Personal Identity Verification (PIV) smart cards used by governmental organizations.

HYPR Is FIDO Certified End to End

The FIDO Alliance’s certification standards are there for several reasons, primarily to ensure the improvement of global cybersecurity by completely eliminating shared secrets. But, unfortunately, many authentication solutions that claim FIDO certification, FIDO compliance or support for FIDO standards aren’t necessarily delivering FIDO Certified authenticators. This is the situation, for example, with most standard SSO authentication, which does not use FIDO Certified authenticators unless integrated via a partner.

HYPR’s passwordless authentication solution, however, is FIDO Certified end to end. This means that each component, including the HYPR authenticator app, has successfully undergone FIDO’s stringent assessment process. This assures any enterprise deploying our solution that they are using the “gold standard” of phishing-resistant MFA. HYPR seamlessly integrates with existing SSOs, IdPs and applications so you can use FIDO Certified authentication across your enterprise.

To learn more about HYPR’s fully FIDO Certified passwordless MFA solution, read the product brief or request a demo.