FIDO2: The New Standard for Passwordless Authentication
4th May 2023
Businesses have relied on passwords to authenticate users for years, but username and password-based authentication is outdated and insecure. Passwords are often difficult to remember and can be easily stolen by hackers, potentially exposing valuable and confidential user data in the event of a data breach. As more businesses begin to recognize the need for stronger, more secure authentication methods, companies are looking to move towards a more standardized approach, and ‘Fast Identity Online,’ or FIDO, is the secure standard being adopted by companies around the world.
What makes FIDO2 unique is its use of public-key cryptography to authenticate users, which eliminates the need for passwords and provides stronger protection against phishing, man-in-the-middle attacks, and hacking.
With FIDO2, users can authenticate themselves using biometrics, such as facial recognition or fingerprint scanning, or by using a physical security key. This makes it more convenient for users, as they don't need to remember complex passwords or worry about their passwords being stolen or hacked.
Developed by the FIDO Alliance, FIDO is an open authentication standard that governs how passwordless authentication operates. All communications are encrypted, and private keys never leave users' devices.
The FIDO Alliance is an industry association whose mission is to reduce the world’s reliance on passwords by promoting the development of authentication technology that is easier to use and more secure than passwords. The global non-profit organization was formed in 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio. Many of the world’s leading companies have also joined or contributed over the years, including Google, Yubico, NXP, Microsoft, and ARM Holdings.
FIDO2 is the passwordless evolution of earlier authentication standards, also created by the FIDO Alliance. It combines the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and the FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP).
Different FIDO Protocols: FIDO UAF, FIDO U2F and FIDO2?
FIDO2 is widely considered to be an update to FIDO UAF and U2F, providing a passwordless experience that also supports MFA.
- FIDO U2F was created to act as a form of two-factor authentication (2FA). It relies on a physical token or key as an additional step in authentication. This is a superior method of secure authentication compared to the username and password experience.
- FIDO UAF functions as a multi-factor form of authentication (MFA) but is also a passwordless experience, relying on cryptographic keys to keep its users safe. Unlike FIDO U2F, UAF does not require a physical token to be present. Instead, it uses biometric data or a PIN to authenticate users.
What Are the Differences Between FIDO2 and WebAuthn?
WebAuthn is a browser-based API and a standard for passwordless login which was developed by the World Wide Web Consortium (W3C). While it also relates to the implementation and use of cryptographic keys, it is not interchangeable with FIDO2. FIDO2 is recognised as the broader standard, and WebAuthn is included as an integral part of it. WebAuthn works alongside FIDO’s Client to Authenticator Protocol (CTAP) to enable a service to authenticate its clients using biometric authentication.
How FIDO2 Works
FIDO2 helps to authenticate users by providing proof of identity via public and private key pairs.
To start, the FIDO2-enabled device generates the user’s own personal login keys, known as a cryptographic key pair. The private key is stored only on the user’s hardware device, and the public key is held by the server the user is attempting to access.
After this initial set-up process, standard login protocols can take place. The user is given the opportunity to choose how they authenticate; this is typically through biometrics or through a hardware security token (such as an Arculus-powered card or YubiKey) which is enabled with FIDO2. This allows them to access their private keys and authenticate themselves.
We have all heard about hacks in which passwords are compromised. Using cryptographic keys under the FIDO2 standard mitigates the risk of password hacks, as the keys themselves are unique to each website and cannot be compromised. FIDO2 helps protect you by allowing you to keep control of your private keys. The key lives exclusively on the device, and authentication only works when the user has possession of the FIDO2-enabled device itself.
What are the Benefits of FIDO2?
Better User Experience:
- Individuals can use straightforward authentication methods that they are already familiar with and find intuitive, such as biometric login or the use of a hardware token.
Improved Data Privacy:
- Each key pair is unique and not linked to the individual’s private data. As a result, users’ movements cannot be tracked across different websites.
More Secure for Users:
- FIDO provides a greater level of security. There is no risk of hackers exploiting users’ weak or reused passwords, as passwords are not needed. It also reduces the risk of phishing, as a hacker would need to have the physical device in their possession to gain access to accounts.
Reduction in User Error:
- The simplified authentication process and the lack of passwords to remember helps to minimize user error.