More secure login with FIDO2?

6 November 2025

The traditional password is still the most commonly used authentication method. At the same time, we know that passwords are far from secure: they are often too easy to guess, steal, or crack, especially when they are reused. That is why we increasingly combine passwords with Multi-Factor Authentication (MFA), an extra verification step, for example with a one-time password generated on the user's smartphone. This significantly reduces the risk of intruders.

Even so, problems remain. Passwords are inconvenient, and many common MFA methods can now be bypassed. We are therefore looking for smarter authentication methods. There is light on the horizon, and in this blog we examine several promising, innovative developments.

FIDO2: passwordless login

Since 2018, under the FIDO2 umbrella, a set of standards has been available that lets users sign in without passwords. FIDO stands for Fast IDentity Online; the FIDO Alliance is a consortium of companies and organizations that promotes passwordless authentication and develops standards for it. FIDO2 relies on two mechanisms: asymmetric (public-key) cryptography and origin binding.

Asymmetric encryption and verification

With regular symmetric encryption you use one key both to encrypt and to decrypt data. With such encryption it is critical that the key never ends up with unauthorized parties. Therefore, when setting up such an encrypted connection, a more secure method is usually used to exchange the key material: asymmetric encryption, in which two keys are used. Information encrypted with one key can be decrypted only with the other key, and vice versa. One of those keys is the private key, which its owner never shares. The other key can be given to others without risk and is therefore called the public key.

This asymmetric mechanism is applied within FIDO2 for user authentication. A private key is created on a person's personal device, such as a laptop. The corresponding public key is then shared with the application. When the user wants to sign in, the application generates a so-called challenge: a random string of data that is sent to the user. On the user's laptop the correct response to the challenge, the signature, is generated automatically: the challenge is signed with the private key and the signature is returned.

This provides a conclusive authentication process without passwords. The application verifies the received signature with the stored public key; a valid signature proves that the private key was used and that you are dealing with the legitimate user. Because a different challenge is sent for every sign-in attempt, an intercepted response cannot be reused for a later sign-in. The WebAuthn standard, part of the FIDO2 specifications, is used for this secure handshake between the application and the user.

Origin binding

Asymmetric authentication on its own does not prevent people from unintentionally signing in to a phishing site. For that, another mechanism is built in, called origin binding. When a private key is created on a device, the domain (the origin) of the application or website is stored with it. During every sign-in attempt it is then automatically checked, by the browser or operating system rather than by the user, whether the challenge comes from that domain. If not, no response is generated, so a convincing look-alike page gets nothing to forward. This makes FIDO2 phishing resistant.

FIDO2 Applications

Under the name passkey, this FIDO2 mechanism has now been built into the major operating systems, and more and more websites and applications support passkeys. A passkey is configured once on the user's laptop or smartphone, after which signing in is easy. During sign-in the user only needs to unlock the passkey, which can typically be done with facial recognition, a fingerprint, or a PIN code. Depending on the exact implementation, passkeys can also be synchronized between, for example, a laptop and a smartphone, so that separate passkeys do not have to be managed per device.

If you are working on a public or borrowed computer that does not hold your passkeys, while your passkeys are on your smartphone, you can scan a QR code shown on the application's sign-in screen with your smartphone and complete the sign-in there. In addition, hardware keys are available that you can pair with a computer wirelessly or via the USB port and use as an external FIDO2 authenticator. The communication between such an external authenticator and a computer or laptop uses the Client to Authenticator Protocol (CTAP), which is one of the FIDO2 standards.

We already mentioned the origin binding mechanism in FIDO2. This prevents advanced Adversary-in-the-Middle (AiTM) attacks. In these attacks the attacker places themselves as a man in the middle between a user and the application, relays the sign-in to copy the session data and, in parallel with the regular user, establishes their own session. Traditional MFA methods such as one-time passwords do not prevent this, because the user enters the code on the attacker's page and it is simply passed on. FIDO2 authentication does prevent it, because the authenticator will not respond to a challenge presented from a different origin.

Biometric authentication

Many people say that passkeys also involve biometric authentication. That is understandable: when users sign in to an application with a passkey, they must first verify themselves on their smartphone or computer. On Apple devices this can be done with Face ID and Touch ID, and comparable fingerprint and facial recognition exists in Windows and Android. This biometric verification is built into modern operating systems to unlock devices and is also used with passkeys. The exact verification options depend on the device, and a PIN code can also be used as a fallback.

It is important to understand that this biometric recognition is used purely locally, on the computer or smartphone in question; the biometric data never leaves the device. The authentication of a user to an application therefore essentially consists of two separate verification steps: first the local biometric scan to verify the user and unlock the passkey, then the passwordless authentication between the device and the application.

There is no end-to-end biometric authentication. For that you would have to send (encrypted) biometric data to a remote application and have it verified there. This is very complex and introduces many new security and privacy issues. For mainstream business applications it is not feasible yet.

Impact on your IAM environment

Passkeys are ideal replacements for passwords, but there are important considerations for your Identity and Access Management (IAM). For issuing and managing accounts and permissions (the Provisioning and Service Automation modules within HelloID) the authentication method used matters little. Your access management, however, does change.

Access management provides and manages user authentication. Usernames and password data (stored as password hashes) are often kept centrally in an Identity Provider (IdP). To set such a password, an initial password is typically issued first; the user signs in once with it and must then change it to a personal password. This enrollment becomes more complex when MFA and/or passkeys are used: an MFA method must be configured on the person's smartphone, and passkeys must be created on the person's own computer or laptop. Whether and how passkeys are synchronized between multiple personal devices is a further consideration.

The end result is much more secure and user-friendly authentication, but enrollment and management require careful planning. If you use an Identity Provider and Single Sign-On (SSO), one passkey is usually sufficient: you sign in securely to the IdP, and access to the connected applications is then provided through SSO.

Want to learn more about passwordless login?

Passwordless standards such as FIDO2 offer many options to improve access security and the user experience. As a starting point you can extend your existing MFA methods with FIDO2-based MFA. Among other things, this prepares you better against AiTM phishing. The HelloID Access Management module supports multiple MFA methods, including FIDO2 hardware keys. We provide more information on the HelloID MFA page.
