FIDO2 authentication goes beyond simply being an extension of FIDO or the FIDO alliance and adds in new protocols for passwordless authentication.
What does FIDO2 stand for? FIDO2 stands for Fast Identity Online 2 and is also referred to as “The New Passwordless Standard.” The original FIDO was created by the FIDO Alliance to require better authentication standards for passwords and logins.
What Is FIDO2?
Fast Identity Online is an open and license-free security standard for authentication on the web. More specifically, FIDO2 is the third iteration of the standard, following two previous specifications:
- FIDO Universal Second Factor (FIDO U2F): An open specification to help online services augment their password-based authentication with two-factor authentication capabilities.
- FIDO Universal Authentication Framework (FIDO UAF): An open specification that allows online services to augment their existing services with multi-factor authentication and passwordless security.
As a successor to FIDO UAF, FIDO2 essentially represents a universal way to implement passwordless identity on top of existing identity verification infrastructure. A passwordless system is a new approach to verification that removes passwords as a weak point both for security and for social engineering attacks like phishing.
How does this standard provide passwordless identity verification? At its core, the standard consists of two requirements for using FIDO2:
- The W3C Web Authentication Standard: WebAuthn is an open standard created by the World Wide Web Consortium to support verification across web applications with public-key cryptography.
- The Client Authenticator Protocol 2 (CTAP2): A standard developed by the FIDO Alliance to continue U2F.
FIDO2 can provide secure, passwordless access with these two protocols in place.
How Does FIDO2 Work?
The entire goal of FIDO2 is to allow organizations to implement passwordless login capabilities with or without MFA. To accomplish this, FIDO2 protocols uses both cryptography and traditional authentication in the following process:
- The user registers with an identity management service as a FIDO2 user, and the service generates a cryptographic key pair.
- The private key is stored on a device, and the public key is registered with the service.
- Authentication is mapped onto one or more services. These approaches could include any biometrics, PINs, or physical keys. Most importantly, these forms of identity verification aren’t sent to the service itself. Instead, authentication remains on the device, and the device authenticates the user with the secret key.
What makes this standard secure is that verification information never leaves the phone. The key remains on the device, and authentication can only occur through physical possession of that device.
What Is the FIDO Alliance?
FIDO U2F, FIDO UAF, and FIDO2 are all products of the FIDO Alliance. This open-industry association strives to develop open resources and protocols to support authentication and, especially, interoperability between systems to strengthen security.
To accomplish a goal of better, more stable, and interoperable authentication standards, the Alliance and the subsequent FIDO standards support several modern authentication technologies, including the following:
- Biometrics: Standards support multiple forms of biometric authentication, including iris scanning, fingerprint scanning, voice recognition, and facial recognition.
- Trusted Platform Modules: TPM is an International Organization for Standardization (ISO)/International Electrotechnical Commission (IEC) standard for crypto processing or microprocessors to handle cryptographic keys and licenses.
- Embedded Secure Elements: eSE are tamper-proof chips embedded into mobile devices for device-centric identification.
- Near-Field Communication: NFC covers communication between devices less than four centimeters apart–namely, contactless identification with mobile devices, keycards, and other physical media.
What Are the Differences Between FIDO2 and WebAuthn?
WebAuthn, developed by the W3C, is a standard for using cryptographic keys. However, FIDO2 is an umbrella standard that includes WebAuthn while adding additional capabilities.
For example, the CTAP part of FIDO2 supports the interoperability capabilities of the standard, including its use with NFC, TPM, and eSE. While WebAuthn provides the cryptographic functions for authentication, CTAP delivers the ability to embed identification into devices and physical media, and together they form the larger FIDO standard.
What Are the Benefits and Costs of FIDO2 Compliance?
As with any other technology, there are costs and benefits associated with FIDO2.
Some of the benefits include the following:
- Narrowing Attack Vectors: Hackers have much less real estate to use as part of an attack with passwordless authentication. Devices can provide higher levels of security for enterprise-level identity verification.
- Minimizing User Error and Improving User Experience: FIDO2 can minimize user interaction because it relies on devices. That means no passwords to remember and no password managers to implement.
An employee can simply scan a fingerprint or provide a PIN and access a system. An easy-to-use, simple interface reduces the opportunity for attackers to leverage weak passwords or identical passwords across multiple accounts.
FIDO2 can also eliminate phishing issues. A hacker would need access to devices or enabled URLs tied to encryption keys to compromise a system.
- Usability Among FIDO2 Websites: Using this standard will allow for a secure, streamlined experience across any site or service.
Additionally, there are some disadvantages:
- Costs: FIDO2 can cost more than traditional methods, especially when using them simultaneously. While this seems like a major problem, good security may often cost more than a lack thereof, and that’s a risk trade-off that most organizations shouldn’t gamble on.
- Efficiency: Onboarding can sometimes take more time than simple username/password systems.
- Cross-Site Support: If engaging with multiple sites and services, they all must implement authentication for maximum usefulness. If not, then you may find your organization having to map different methods to different access points, defeating much of the purpose of using it in the first place.
Strong Identity-Based, FIDO2-Compliant Authentication with 1Kosmos
When it comes to modern distributed systems for modern distributed workforces, security is not a space to compromise. Most security solutions don’t think about usability, security, and flexibility in the long term—but 1Kosmos does.
With 1Kosmos BlockID, your organization gets a solution that promotes identity-first authentication with compliant technology and user-focused identity management. We accomplish this with the following features:
- Identity Proofing: BlockID includes Identity Assurance Level 2 (NIST 800-63A IAL2), detects fraudulent or duplicate identities, and establishes or reestablishes credential verification.
- Identity-Based Authentication Orchestration: We push biometrics and authentication into a new “who you are” paradigm. BlockID uses biometrics to identify individuals, not devices, through identity credential triangulation and validation.
- Integration with Secure MFA: BlockID readily integrates with a standard-based API to operating systems, applications, and MFA infrastructure at AAL2. BlockID is also FIDO2 certified, protecting against attacks that attempt to circumvent multi-factor authentication.
- Cloud-Native Architecture: Flexible and scalable cloud architecture makes it simple to build applications using our standard API, including private blockchains.
- Privacy by Design: 1Kosmos protects personally identifiable information in a private blockchain and encrypts digital identities in secure enclaves only accessible through advanced biometric verification.
Read more about how 1Kosmos can support your authentication needs with our Strong, Identity-Based Authentication whitepaper. Also, make sure to sign up for our newsletter to stay up to date on 1Kosmos products and events.