September 17, 2019
Password

Go Passwordless with FIDO2 and Web Authentication

Sumedh headshot
Sumedh Inamdar Director, Product Management

FIDO2 authentication can be used as a single (passwordless) strong authentication method, or in conjunction with a local PIN (to prevent access using a stolen key), or as a secondary authentication factor just like U2F.

Camille slays password

Passwords are a huge pain in the a$$. They have enormous disadvantages:

  1. It’s not practical nor possible to remember complex passwords for all the services one uses, so people routinely use the same password everywhere, or worse, use guessable passwords, such as “password” or “12345”, resulting in easy account breaches.
  2. Some services require their users to change passwords frequently, causing people to create patterns, which are again, easy to guess and subsequently hacked into these accounts.
  3. People forget them and then get locked out of their accounts, which is of course a loss of productivity.
Passwordless1
Source: dilbert.com
​​​​​

Jokes apart, there are solutions like MFA on this, but along with these, strong passwordless authentication is the most convenient solution from user experience standpoint, and an important secular trend every security professional must be tracking closely.

There are several authentication methods beyond passwords that fall on different levels of security-convenience spectrum. In the last few years, smartphones have played a huge role in popularizing biometric methods like fingerprint scanning and facial recognition, but they tend to have inconsistent security profiles across platforms and devices.

For enterprise apps, you need to make sure there is guarantee of strong security for every authentication method used in every employee’s devices for every app. This is especially tricky in today’s perimeter-less and BYOD world with diverse platforms.

This is the purpose with which FIDO alliance was formed in 2013. The first version of FIDO standard called FIDO U2F, as it name suggests, was fundamentally designed as a second factor authentication method, so it can’t be used for a passwordless experience. FIDO2 is the latest set of specifications, including Web Authentication (aka WebAuthn) and CTAP2, that strive to standardize and leverage strong biometric authentication methods on different devices such as Windows Hello and Android biometric, as well as hardware tokens like Yubikey, so that users get passwordless user experience and interoperability between platforms, without losing out on convenience, privacy, and most importantly security.

In FIDO2 authentication, the biometric information from the user device or private key stored in a FIDO2 token never leaves the device, so it’s a very secure authentication method resistant to phishing and server attacks. It can be used as a single (passwordless) strong authentication method, or in conjunction with a local PIN (to prevent access using a stolen key), or as a secondary authentication factor just like U2F.

passwordless2
FIDO2 Authentication Process, Source: FIDO Alliance

It’s a work in progress though, with some platforms still catching up. Apple hasn’t yet announced its support for leveraging Face ID in CTAP2, but Safari now supports FIDO2 compliant USB keys (like Yubikey) on MacOS. Chrome, Firefox, and Edge have supported FIDO2 for a while now.

It’s quite clear that if anyone is going to kill the Thanos of identity world (the password of course), it’s going to be an interoperable and secure standard like FIDO2. Stay tuned for more updates on this soon!