Logging into a website or service using the traditional username and password combination isn’t the best or safest way of going about it anymore. As cybercriminals become more technologically advanced, data protection methods must also move forward. This is where new authentication standards such as FIDO2 can become a useful tool in battling the issue.
But, what are FIDO2 specifications and requirements? Moreover, how do FIDO2 websites even work? We’ll answer these and many other essential questions pertaining to this passwordless authentication standard in this detailed overview. Continue reading to learn everything about the FIDO2 standard.
FIDO2: The New Passwordless Standard
Before we dig deeper into how it works, its pros and cons, let’s start with a simple question - what does it stand for? FIDO stands for Fast Identity Online. With an added number two at the end, this acronym is based upon previous work done by the FIDO Alliance, particularly in terms of developing the Universal 2nd Factor (U2F) authentication standard. It is the third standard to emerge from the FIDO Alliance, following the FIDO Universal Second Factor and the FIDO Universal Authentication Framework.
The main objective of FIDO2 is to eliminate the use of passwords over the Internet. It was developed to introduce open and license-free standards for secure, worldwide authentication over the Internet. The FIDO2 authentication process eliminates the traditional threats that come with using a login username and password, replacing it with the FIDO2 passwordless login standard. As such, it protects against common online attacks such as phishing and man-in-the-middle attacks.
How Does FIDO2 Work?
This standard uses public-key cryptography to guarantee a secure and convenient authentication system. The FIDO2 standard uses a private and public key to validate each user’s identity to achieve this. To use FIDO2 authentication, you’ll first have to sign up for it at FIDO2 supported sites. To do so, you have to go through a few setup steps:
- You have to fill the appropriate registration form and choose a FIDO2 security key (either a FIDO2 webauthn or trusted platform module).
- The service will generate a FIDO2 authentication key pair.
- Your FIDO2 device sends the public key to the service, while the private key containing sensitive information stays on your device.
Once the secure communication path is enabled, the setup credentials are stored permanently, allowing for later logins. The next time you want to log in to a FIDO2 service, you have to follow these steps:
- Provide your username and email.
- The service will give you a cryptographic challenge.
- You use your FIDO2 key to sign the challenge.
- The service’s server verifies your response and gives you access to your account.
What’s especially important to remember for this secure web log-in process is that you don’t exchange any secrets with the servers. The crucial piece of information, which is your FIDO2 security key, always remains on your device.
FIDO2 vs. U2F - What is the Difference?
Now that we understand how FIDO2 authentication works, it’s also useful to do a FIDO2 vs. U2F comparison to determine the difference. In simple terms, the most significant difference between the two is that the former was created to allow all authentication to become passwordless. On the contrary, U2F was designed to serve as a second factor for passwords.
FIDO2 Advantages and Disadvantages
As we discussed in one of the above sections, the most significant advantage of FIDO2 authentication is that it creates a much smaller attack window for cybercriminals. To access your sensitive private information, attackers will need a FIDO2 token, which is physically always by your side in the form of your device.
If you use several FIDO2 supported sites, you’ll enjoy another advantage in the form of a more streamlined experience, as you won’t have to remember multiple login details and passwords for each of your accounts. The FIDO2 U2F security key will work across the board for all supported platforms, offering maximum security and user comfort.
Of course, like any other security method in the world, the FIDO2 standard does have certain disadvantages. These drawbacks aren’t deal-breakers but are something you should be aware of if you plan on implementing the FIDO2 passwordless login as a security practice.
Most notably, this standard requires an additional security step compared to traditional password login standards if you use it as a regular component of two-factor authentication. With that in mind, such a system isn’t the most practical one if you log into more FIDO2 enabled websites several times each day. Additionally, since this authentication method still isn’t well spread-out, there are not many FIDO2 supported sites at the moment, though the number of FIDO-enabled platforms and browsers is constantly growing.
FIDO Platform/ Browser Support from FIDO Alliance
FIDO2 Use Cases
With all of the information above in mind, how does this affect the overall user experience through real-life examples? Even more important for the average user, in what form can you implement it in your day to day life? To better understand this, let’s take a closer look at how you can implement FIDO2 passwordless login in different forms:
- Authentication via email - Authentication via email can be done with a magic link or a one-time code. Once you click the link or enter the code, the server verifies your identity and lets you access the desired location or service.
- Authentication via SMS - To use SMS authentication, you have to enter a valid phone number when prompted. A unique one-time code is sent to that number, which you type in the FIDO2 website to access.
- Authentication with Fingerprint - Likely the safest of the three involving FIDO2 devices, this form of secure web log-in requires you to place your finger on your device. This initiates the creation of a unique key, and a new user is automatically created on the FIDO2 enabled site.
- Hardware authenticators - In this case, authentication relies on a dedicated physical USB, NFC, or Bluetooth token that allows you to log in to services by inserting your key into the USB slot of your device or with the touch of a button on the authenticator.
Getting started with FIDO authentication
Cyber-attacks have shown us that the human risk factor is a significant aspect of cybersecurity breaches. With FIDO2 implementation and passwordless authentication, the human risk factor is eliminated, allowing for a much safer user experience. Big tech companies such as Microsoft, Google, and Apple are already supporting FIDO2 devices. Although this form of secure log-in is still in its relatively early stages, one thing is sure - passwordless authentication is the future.
For the highest levels of security and convenience, Hideez offers passwordless authentication and MFA with its multifunctional Bluetooth tokens. They are compliant with the FIDO2 standard and can provide a passwordless experience for both individual users and enterprises.
Hideez FIDO Key 3 and Hideez Key 4 are multifunctional security tokens that provide FIDO authentication for all browsers, and compatible applications, while you don't need to even think about passwords, MFA, and preventing security threats. Within Hideez Enterprise Solution, Hideez keys can store passwords, lock/unlock PCs with a proximity sensor, and open RFID-enabled office or other doors. It goes well beyond FIDO authentication technology, providing an all-in-one digital key for enterprises which can help increase employee productivity, lower IT overhead costs, eliminate the risks of data breaches and take your identity and access management to a new level of convenience.
If you want to learn more about Hideez Solution, do not hesitate to schedule a free demo and get a 15% discount for Hideez keys as a small gift for reading this article. The offer applies to Hidedez Keys for personal use as well - all you have to do is apply a promo code "fido15" at the checkout :)