The FIDO2 Project – a step into a secure future
The rapid advance of information technology and its adoption in almost every sphere of life obliges software development companies to take responsibility for the quality and reliability of their applications. One of the oldest security tools in the world – the password – can no longer fully cope with this task. Statistics show that over 80% of hacks involve weak or stolen passwords. That’s why cyber security experts are now counting on FIDO2 passwordless authentication. Let’s try to figure out whether a future without passwords is on the horizon.
Why passwords are a burden for both users and IT professionals
There are always a great many passwords. A single user can be registered in dozens of different applications and services: forums, social networks, online stores, messenger apps, and so on. Ideally, you should generate, remember, and save a unique and complex password for each of them. After all, it is extremely unpleasant to lose access to your personal email or be left without money due to a compromised bank card, right? For large enterprises, these losses increase significantly when a criminal gains access to their corporate databases or vital systems.
Passwords are the main way to authenticate users today, but they have a number of serious flaws and vulnerabilities. This is evidenced by the following facts:
Employees use the same password on different resources.
According to Verizon’s data breach report, over 70% of employees use their personal passwords at work to log into corporate accounts. This increases the risk that a hacker who has stolen a user’s password for one application (Facebook, LinkedIn) can easily break into the company’s system by entering the same password.
Users create weak passwords.
People often choose passwords that are easy to crack. A simple combination is easy to remember but even easier to guess. According to estimates by SplashData, nearly 10% of users have chosen one of the 25 weakest passwords, and about 3% have used “123456” – the worst one. Security firm Preempt found that approximately 19% of employees come up with low-quality passwords, and generic weak combinations like “password” or “123456” are used by 7%.
Users are bad at storing passwords.
Another factor that undermines the reliability of password authentication is storing passwords in insecure places. Employees sometimes collect them in spreadsheets, notebooks, or other personal documents. This exposes personal data and company information to attackers. In addition, resetting a forgotten password entails extra costs for businesses.
Hacking can destroy a business.
A compromise of corporate information can cost a company customers, intellectual property, credibility, and money. The average cost of a data breach in 2020 was $148 per record and $3.96 million per breach worldwide.
Overcoming the consequences of cyber attacks is difficult for organizations – it takes years. According to data by the National Cyber Security Alliance, 60% of hacked SMEs shut down within six months of being phished.
As we can see, in the cloud era, password-based authentication is becoming less efficient and less secure for users and businesses alike. Even if a company has installed a strong firewall and powerful IDS and IPS systems, people, as computer security expert Kevin Mitnick put it, will always be the weakest link in cyber security.
The FIDO2 Project: a little background
In 2013, Google became a member of the FIDO (Fast ID Online) Alliance and, together with Yubico and NXP, began to work on an open standard for two-factor authentication (2FA). Google made a significant contribution to this project: it introduced the specification, provided built-in support for the FIDO standard in Google Chrome and Android OS, and tested the technology among its employees in 2017.
Over the past four years of fruitful work, the FIDO Alliance has expanded and is continuing to grow every month. Alibaba Group, Amazon, American Express, Intel, and many other tech giants have become members of this organization.
The next step in the project’s advancement was the introduction of a phishing-resistant, passwordless authentication protocol called FIDO2. The goal of its creators – the FIDO Alliance and the World Wide Web Consortium (W3C) – was to develop a secure standard for passwordless login on the Internet.
FIDO2 consists of the WebAuthn standard and CTAP (Client to Authenticator Protocol). The WebAuthn API is built into Chrome, Edge, Mozilla Firefox, and WebKit-based browsers. CTAP handles communication between the client device and an external authenticator over NFC, USB, or Bluetooth Low Energy.
This technology allows secure biometric authentication across multiple platforms (Windows Hello and Android) as well as the use of YubiKey hardware tokens. Thus, users can work passwordless, conveniently, and privately.
How the FIDO2 passwordless authentication works
There are two types of workflow in FIDO2: registration and authentication. During registration, a new key for the user account is created. Authentication uses this key to verify identity upon re-login.
Let’s take a look at the authentication process. Three participants are needed for it to succeed:
- WebAuthn relying party (the website where authentication takes place);
- intermediary (client or browser);
- FIDO2 authenticator (YubiKey, USB token, or smartphone).
To begin with, the user visits a website and clicks the login button. The server creates an authentication request and sends it to the browser together with the credentials registered for the user and information about the authentication device (for example, whether it connects via USB or in some other way). The browser then asks the authenticator to sign the request. The authenticator prompts the user to press a button, provide biometric data, or complete another verification step; it then generates a signed assertion with the private key, which is sent to the relying party for verification.
The website checks that the assertion comes from the expected origin and answers the request it actually issued. If everything checks out, authentication succeeds and the user enters their personal account. Otherwise, access to the website is denied.
The user’s biometric information or the private key stored in the FIDO2 token never leaves the device. Therefore, this authentication method is considered resistant to phishing and attacks on the server.
Advantages of FIDO2
WebAuthn standardization allows online services to use FIDO authentication through a standard web API that is supported in the major web browsers (Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari). FIDO2 is built on three pillars: security, privacy, and convenience.
With traditional authentication, the user enters their credentials on the device, and the browser sends them to the server, which verifies the user. With passwordless authentication, everything happens differently. The user is verified locally by the authenticator (with a PIN, biometric data, and so on), and only the assertion the authenticator generates is sent to the server. With FIDO2, an attacker has nothing to steal from the server, because the owner’s consent is required every time the procedure is carried out.
FIDO eliminates the possibility of tracking users across different services. Therefore, it’s fine to use the same key or biometric authenticator to log into social networks and work-related applications. A single physical FIDO token can hold security keys for many different programs and websites. Moreover, the user can choose the most convenient method of local authentication: voice or face recognition, a fingerprint, or PIN entry. This flexible local verification reduces risk and protects the owner’s data.
With FIDO, you no longer need to remember long and complex passwords, and if an authenticator is lost, there are several options for secure recovery. For example, you can register two U2F devices with each service provider you use, or fall back to a 2FA code sent to a backup phone number. FIDO can also provide recovery tokens for users who have lost access to their accounts. In addition, the owner can choose among form factors: USB security keys, NFC smart cards, mobile phones, and so on.
Should everyone abandon passwords?
Wolfgang Goerlich, Advisory CISO at Duo Security, supports a passwordless future, seeing FIDO as a great way to strengthen information security while making life easier for users. He notes that it’s not necessary to change everything in the company’s work at once. You can start by granting passwordless access to key people or to employees who deal with a large number of logins and password changes, and gradually introduce applications that support FIDO2.
However, it’s not all as easy as it sounds. Not every company has a budget allocated for cyber security services, and not every organization can afford to redesign its programs to meet the FIDO2 standard. A traditional established business can have dozens or even hundreds of web applications and admin panels that are not easy to update. Nevertheless, this situation is fixable. Recently, the IT community has been discussing new technologies that add MFA, WebAuthn, and micro-authorization in transit, so the application code does not need to be touched at all and the standard can be rolled out in a matter of minutes.
If a company wants to use FIDO tokens, it’s not going to be cheap. A single key costs between $30 and $50, and if the organization’s staff exceeds 100 people, the total cost will be substantial.
The introduction of passwordless technology also implies additional training for staff. According to a research study conducted in a small company by the Ruhr-University Bochum, not everyone views FIDO2 passwordless authentication the same way. Although most of the participants found FIDO convenient, some of them stopped using the key because it turned out to be slower than the browser’s built-in password manager. Plus, the security benefits were largely intangible or perceived by the firm’s specialists as unnecessary.
A small obstacle to the implementation of FIDO may be the fact that different employees share the same equipment. A passwordless solution binds a person to their device. Moreover, not all companies are able to implement FIDO passwordless authentication due to legal requirements. In some cases, especially for accessing banking applications, entering a password is a mandatory step.
As the above suggests, companies have a lot of work to do to fully implement FIDO2. They have to update applications, think through backup plans, train employees, and so on. This is a long process that will take more than a single day, or even a single year.
However, most of the leading companies have already recognized the reliability of FIDO2. A survey by ThumbSignIn has shown that 64% of respondents consider passwordless technology a necessary or useful standard.
FIDO2 has great potential to become a mainstay of cyber security services. The technology eliminates the risks of phishing attacks and password theft and frees users from the need to memorize complex combinations. Therefore, FIDO is a big step forward in the development of simpler and more reliable authentication that will protect your privacy and secure the work of companies.