When it comes to online authentication, passwords are still used everywhere. A variety of two-factor authentication (2FA) technologies attempt to compensate for the weakness of password-only authentication. Nevertheless, 2FA is still not widely adopted. Moreover, phishing, one of the most prevalent password theft techniques, remains unsolved by most 2FA technologies: a one-time code delivered by SMS or generated by an authenticator app can be phished and relayed to the real service in the same way as the password it is meant to protect.

The FIDO Alliance has set itself the goal of solving the password problem once and for all by simplifying and standardizing strong online authentication. Its most recent standard, FIDO2, has gained the support of the majority of tech industry leaders, and demand for integrating FIDO2 authentication into online services has been rising ever since.

How does FIDO2 work?

The FIDO2 standard consists of the World Wide Web Consortium's (W3C) WebAuthn specification and the Client to Authenticator Protocol (CTAP). The former is a JavaScript API (navigator.credentials.create() and navigator.credentials.get()) through which a web application asks the browser to register or use a credential; as of writing this post, it is supported by all major modern browsers. The latter specifies how a client (for example, a browser or an operating system) communicates with a FIDO authenticator over transports such as USB, NFC, and Bluetooth.

To strengthen online authentication, FIDO2 credentials rely on public key cryptography: for each registration the authenticator generates a key pair, the online service stores only the public key, and the private key never leaves the authenticator. These credentials are either held in external hardware tokens such as USB/NFC keys, called external (or roaming) authenticators, or created and stored in the user's own device, in so-called platform authenticators. The latter have the advantage that the user does not need to carry an extra device. The private key needed for authentication is kept in protected hardware, either on the token or in secure storage on the device (a TPM or a secure enclave, for instance), and is only used after local user verification such as a fingerprint scan or a PIN.

How does the login process with FIDO2 work?

Let's assume an online service with an existing username/password login. The operator of the service integrates FIDO2 authentication as a second factor. After the usual login, the user registers a cryptographic credential, either by plugging in an external hardware token or by creating and storing the credential on their device; the service records the resulting public key together with the credential ID. This process is neither complex nor time consuming for the user. After this initial registration, every successful username/password login is followed by a prompt to present the same hardware token (or to unlock the platform authenticator, for example with a fingerprint). The service sends a fresh random challenge, the authenticator signs it with the registered private key, and the service verifies the signature against the stored public key. Through this mechanism it is ensured that whoever is logging in also possesses the right private key, and because each challenge is used only once, a recorded response cannot be replayed.

What's even better, FIDO2 authentication can also be used as a stand-alone solution, eliminating passwords altogether and making the login experience passwordless. In that case the authenticator itself performs user verification (PIN or biometric) before it signs, so possession of the authenticator and the PIN or biometric together still provide two factors in a single gesture.

Why does FIDO2 stand out?

FIDO2 is an open authentication standard that aims to harmonize and simplify the user's online authentication experience while maintaining a high level of security. This is ensured through the use of credentials based on public key cryptography: the service stores only public keys, so a breach of its user database yields nothing an attacker could replay against it. Additionally, FIDO credentials are created uniquely for each online service and bound to that service's domain (the relying party ID). The browser writes the actual origin of the requesting page into the data the authenticator signs, and the authenticator will not use a credential for a domain it was not registered for. A look-alike phishing site therefore cannot obtain a response that is valid for the genuine service, which is how FIDO prevents phishing attacks rather than merely making them harder.

Usability is also at the heart of FIDO2. For developers and operators of online services, FIDO2 authentication can be integrated into any web application via the WebAuthn API. Ease of use also applies to end users, since registering FIDO tokens with online services and using them for authentication takes only a few simple, easy-to-follow steps.

An added value for your company?

As Airlock supports FIDO tokens as part of its IAM offering, we would be pleased to assist you in finding the best way to integrate and use them for your specific use cases. As we often say, the devil lies in the details: activation, revocation, and migration of credentials. Working with Airlock helps you and your team address these issues. Drop us a note at info@airlock.com, mentioning your interest in FIDO2, and we will make sure to assist your company in the best possible way.

This is a guest post by Futurae.
