What is FIDO2 Authentication?
6 Min. Read | December 8, 2022
FIDO2 has become a prominent touchstone in security conversations, primarily those around Zero Trust authentication. The significant increase in authentication attacks over the last several years, despite many of the breached companies having multi-factor authentication (MFA) in place, makes clear that traditional, non-FIDO MFA methods have failed. The Office of Management and Budget (OMB) endorses FIDO, and the Cybersecurity and Infrastructure Security Agency (CISA) describes it as the "gold standard" of phishing-resistant MFA.
FIDO2 authentication expands on the original FIDO protocols, allowing users to authenticate through a standardized interface built on public key cryptography. Google, Microsoft and Apple (with its passkeys) have announced their intent to "kill the password" through expanded support for FIDO2 authentication.
What Is FIDO?
The FIDO (Fast IDentity Online) Alliance is an open industry association committed to removing passwords from all authentication. Some of the biggest tech names (including the three companies mentioned above, Samsung, Meta and Intel) are all members of the alliance. They're joined by government bodies like the National Institute of Standards and Technology (NIST), cybersecurity companies such as HYPR and Yubico, and financial firms including PayPal, Visa, Mastercard and Bank of America.
FIDO-based authentication addresses the major flaws in password-based authentication (and in phishable MFA methods such as SMS codes, one-time passwords (OTPs) and push notifications, all of which an attacker can relay in real time) by using public key cryptography for authentication and attestation. It also uses multiple modern technologies for proving factors of authentication, such as fingerprint scanning, facial recognition and voice recognition, in tandem with established solutions such as embedded secure elements, smart card authentication and near-field communication (NFC).
The FIDO authentication specifications create an interoperable set of protocols that can be deployed across multiple devices and platforms.
What is FIDO2 Authentication?
FIDO2 authentication is actually the third version of the FIDO standards, building on:
- FIDO Universal Second Factor (FIDO U2F) — a specification geared towards improving security around password-based systems by including strong second factor capabilities.
- FIDO Universal Authentication Framework (FIDO UAF) — a set of open protocols that allows online services to use passwordless security via mobile devices to strengthen IAM processes.
The FIDO2 authentication standards consist of two core elements:
- The WebAuthn API — the W3C Web Authentication Standard incorporated in browsers such as Chrome, Firefox and Edge.
- FIDO's Client-to-Authenticator Protocol (CTAP; CTAP2 is the FIDO2 version, CTAP1 the older U2F protocol) — lets the browser or operating system talk to external authenticators such as security keys over USB, Bluetooth or NFC on FIDO2-capable devices.
This approach creates several benefits, including:
- Elimination of passwords from authentication
- Support for meeting requirements such as NIST SP 800-63B and the strong customer authentication (SCA) rules of PSD2
- Easy to use as users can leverage mechanisms that are already on their smart device
- Open standard guarantees interoperability and avoids vendor lock-in
- Scalable, since platform authenticators (the biometrics and secure hardware already in users' phones and laptops) mean no new equipment has to be shipped to staff; roaming security keys remain an option where policy requires them
With its many benefits along with the buy-in from some of the world's biggest companies, FIDO2 authentication provides the answer to many of the world's authentication security issues.
How Does FIDO2 Authentication Work?
FIDO2 authentication uses asymmetric cryptography, much as the TLS handshake uses a public-private key pair to authenticate a website to a web browser. In FIDO2, however, it is the user who is authenticated: when challenged, the user unlocks a private key on their device and signs the challenge, and the server verifies that signature with the public key it holds on record.
A typical authentication flow will look something like this:
- The FIDO-enabled device is registered with the authentication system. This happens during set-up for a new user: the authenticator generates a new public-private key pair scoped to that service (the relying party).
- The public key is sent to the authentication system, and the private key stays on the user's device, protected either in a software keystore or in hardware such as a secure element, TPM or dedicated security key.
- At login, the authentication system sends a fresh random challenge and asks the user to prove possession of the private key.
- A secure local action on the user's device, such as a face scan, a fingerprint or a touch on a security key, unlocks the private key.
- The private key signs the challenge together with the relying party ID and the origin the browser observed. The authentication system verifies the signature with the stored public key, confirms that the challenge, origin and relying party ID are the ones it expects, and logs the user in. Because the origin is part of the signed data and the credential is scoped to the relying party, a login attempt on a look-alike phishing site yields a signature the real site rejects; this is what makes FIDO2 phishing-resistant.
This system can satisfy MFA requirements in a single action, because it combines two factors: possession of the device holding the private key, and the inherence factor (a biometric) or knowledge factor (a PIN) that unlocks it, with passwords fully removed from the process. To the user, the log-in process can be as simple as looking at their smartphone, without remembering or providing any additional information.
What are the Differences Between FIDO2 and WebAuthn?
While often used together or even interchangeably, there are significant differences between WebAuthn and FIDO2 authentication. Web Authentication (WebAuthn) was developed by the World Wide Web Consortium (W3C), the main international standards body for the web, in conjunction with the FIDO Alliance. It is a standardized interface for securely authenticating users for web applications using public key cryptography.
FIDO2 authentication is a broader approach that incorporates WebAuthn and includes the FIDO CTAP standard. This integration means that the cryptographic authentication processes of WebAuthn can be expanded out to even more use cases, including devices, physical media or security keys.
The FIDO Alliance runs a certification program that is critical for maintaining an interoperable ecosystem of products and services deploying FIDO authentication. FIDO2 certification ensures product conformance and interoperability of FIDO2 authentication implementations across clients, servers and authentication devices. FIDO2 Certified products undergo rigorous testing to validate that user credentials are decentralized, isolated and encrypted on users' personal devices.
A FIDO2-certified server has gone through a full FIDO certification program and successfully meets all requirements to work with any FIDO2-certified authenticator device. Likewise, a FIDO2 Certified authenticator is able to work with all solutions that maintain a FIDO2 server. Many solutions are certified for a single component, but few are certified across all components like HYPR.
FIDO2 and Apple Passkeys
Apple's passkeys use Touch ID or Face ID for biometric verification, and iCloud Keychain to sync across iPhone, iPad, Mac, and Apple TV. Passkeys are based on FIDO2 WebAuthn, providing a phishing-resistant login to websites and apps from devices running iOS 16 or later. However, passkey access to apps on a desktop or laptop requires running macOS Ventura, which is not deployed in most enterprises. Apple's passkeys and other consumer-targeted passwordless options carry other challenges for enterprise deployment: for example, they do not meet the possession requirement of SCA and other compliance standards, and they are limited to Apple devices. CISOs also have to consider the feasibility of deployment and cross-platform support, which applies both to those who use non-Apple PCs and to those whose preferred phone is Android.
Strong, FIDO2-Certified Authentication With HYPR
Unfortunately, despite the FIDO certification program's existence and the FIDO Alliance's good intentions, a "FIDO Certified" authentication solution might not be what it claims to be. Such solutions may merely support the FIDO2 specifications without certification, or have only a single component certified, such as the server. This means their authentication processes may be less secure and not in compliance with FIDO standards.
HYPR is the only software authentication solution certified by FIDO across all components of its platform: client, authenticator, SDK, and server. As a result, organizations that deploy HYPR can be confident that their authentication processes are fully interoperable and meet strict regulatory and security requirements while providing users with a matchless login experience.