FIDO2: Passwordless authentication

What is FIDO2?

FIDO2 (Fast IDentity Online 2) is an open authentication standard that aims to eliminate passwords and reduce the complexity of online authentication by enabling users to leverage common devices to authenticate to online services. This approach not only enhances security but also improves user convenience by allowing individuals to access online services and applications without remembering complex passwords.

How FIDO2 works

A FIDO2 authenticator creates a cryptographic key pair (i.e., a private key and a public key) for each service the user registers with. In contrast to password-based systems, where both the user and the website know a common secret, only the user's authenticator holds the private key; the website stores just the public key.

To authenticate themselves to the website, the user generates a signed message using their private key. The website then verifies this signature with the public key, which it received from the user at the time of registration. This process is made even more secure by the requirement that the FIDO2 device authenticate the user through either a personal identification number (PIN) or biometric verification before any private keys are created or utilized.

Core elements of FIDO2

FIDO2 consists of two main components that provide secure, passwordless access:

  1. Client to Authenticator Protocol 2 (CTAP2), a standard also developed by the FIDO Alliance, allows external devices (e.g., smartphones or hardware security keys) to communicate with a client, such as a web browser or operating system, and serve as its authenticator.
  2. WebAuthn, an open standard created by the World Wide Web Consortium (W3C), is a web API built on public-key cryptography that lets web browsers interface with these authenticators, giving web applications a seamless and secure way to verify users.

FIDO2 authentication options

Several devices or software mechanisms facilitate the secure and user-friendly authentication process outlined by the FIDO2 standard. These authenticators play a critical role in verifying the identity of users without relying on traditional passwords.

There are several types of FIDO2 authenticators, each offering different methods of verification to cater to diverse user needs and preferences.

Biometrics

The measurement and statistical analysis of a person’s unique physical characteristics (e.g., fingerprint, voice print, and iris) or behavioral characteristics, such as mouse usage, gait, or typing patterns.

Mobile

Applications or features on mobile devices (e.g., smartphones and tablets) allow authentication through mechanisms such as push notifications, QR (quick response) code scanning, on-device biometrics, security keys, or a unique code or approval prompt generated by an authentication app.

Platform

Built-in device features, such as Windows Hello or Apple’s Touch ID and Face ID, allow users to authenticate to applications and websites without needing additional external devices.

Security keys

Physical hardware devices (e.g., USB tokens) that generate a unique, often time-sensitive code or contain cryptographic keys that verify the user’s identity to computers, networks, and online services.

FIDO2 authenticators

FIDO2 authenticators use cryptographic keys to verify a user’s identity. Before the authenticator generates a new FIDO2 key pair (passkey), it confirms the user’s identity, for example with a PIN or a biometric.

There are two types of FIDO2 authenticators.

  1. Roaming (cross-platform) authenticators are portable hardware devices that are separate from users’ client devices. Roaming authenticators include security keys, smartphones, tablets, wearables, and other devices that connect to client devices over USB, near-field communication (NFC), or Bluetooth.

    Users verify their identities in a variety of ways, such as by plugging in a FIDO key and pressing a button or by providing a biometric, such as a fingerprint, on their smartphone. Roaming authenticators are also known as cross-platform authenticators because they allow users to authenticate on multiple computers, anytime, anywhere.
  2. Bound (platform) authenticators are embedded in users’ client devices (e.g., a desktop, laptop, tablet, or smartphone). They have biometric capabilities and hardware chips for protecting passkeys.

    Platform authenticators require the user to sign in to FIDO-supported services with their client device and then authenticate through the same device.

What is the FIDO Alliance?

Founded in 2013 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio, the FIDO Alliance is an open industry association whose mission is to develop and promote authentication standards that help reduce the world’s reliance on passwords for online security.

The FIDO Alliance brings together companies, organizations, and government agencies from around the world to collaborate on the development of these universal standards. Its members include some of the world’s most influential companies and organizations, which are collectively working to integrate FIDO’s standards into their products and services.

The group’s work has produced a number of standards, including FIDO UAF (Universal Authentication Framework), FIDO U2F (Universal 2nd Factor), and FIDO2, which includes WebAuthn and CTAP (Client to Authenticator Protocol). These standards are designed to offer a range of authentication methods, from biometrics to hardware tokens, that provide passwordless security and ease of use.

Benefits of FIDO2

  1. Enhanced security
    By using cryptographic keys and biometrics, FIDO2 authenticators significantly reduce the risk of phishing, man-in-the-middle attacks, and password theft.
  2. Interoperability
    FIDO2 is supported by a wide range of devices and platforms, allowing users to choose their preferred authentication method across different services.
  3. Phishing resistant
    By design, FIDO2 authentication mechanisms are resistant to phishing attacks because each credential is bound to the domain it was registered for, so an authenticator will not produce a valid signature for a fraudulent site pretending to be the legitimate one.
  4. Privacy protection
    Biometric data, when used, is processed locally on the user’s device and is not shared with the service provider.
  5. Reduced costs for organizations
    Organizations can reduce the costs associated with password resets, support calls, and security breaches by adopting FIDO2.
  6. User convenience
    FIDO2 authentication methods are designed to be more user-friendly than remembering and typing passwords, often requiring just a touch or a glance.

FIDO U2F

FIDO2 and FIDO U2F are both standards developed by the FIDO Alliance to provide enhanced online security through stronger authentication methods. Both standards are aimed at reducing reliance on passwords, but they differ in scope and capabilities.

Why FIDO2 vs FIDO U2F

  1. FIDO2 offers a broader range of authentication methods than U2F, including passwordless authentication and the use of biometrics, making it more versatile and user-friendly.
  2. FIDO2 is backward compatible with U2F, meaning that devices and services that support U2F can also support FIDO2.
  3. FIDO2 is designed to make authentication more secure and convenient across a broader range of devices and platforms.

Industry-led FIDO2 offers a different approach to authentication

FIDO2 continues the FIDO Alliance’s commitment to passwordless authentication with the support of a wide range of industry leaders. This alternative to traditional password-based authentication has been incorporated into various platforms and browsers, making it increasingly accessible to businesses and consumers alike.
