IAM Concept of the Week: FIDO 2.0
Concept of the Week blog series – Each week we define and explain the significance of a concept in the world of Identity and Access Management (IAM).
We addressed FIDO (Fast IDentity Online) last year in this series. If you remember, FIDO is an authentication technology developed back in 2013 with the stated goal of replacing passwords. The FIDO Alliance was founded to develop technical specifications that improve the interoperability and adoption of various hardware-based authentication techniques. The original standard was made up of two sets of specifications, or “user experiences,” for authentication: UAF (Universal Authentication Framework) and U2F (Universal Second Factor). UAF deals with passwordless authentication, while U2F addresses second-factor authentication, typically with a Yubico-style token.
FIDO2 is new for 2018 and it is quite exciting. The term is shorthand for the combination of two developing standards, W3C’s WebAuthn and FIDO’s CTAP (Client to Authenticator Protocol). These new standards would not be very useful if they did not come with platform support, and since this one intends to bridge the desktop world with the mobile world, browsers and operating systems are both critical. Luckily, this one had extra time in the standards oven (more than 2 years) and it came out fairly fully baked, with Chrome, Edge, Firefox, Android and Windows 10 supporting the standard now or later in 2018. Apple is now part of the WebAuthn working group, so there are high hopes they will join the party, but mum’s the word at this moment.
So why is this important, and why does Resilient care? We’ve been implementing the newest authentication techniques for our clients for years (most recently adding U2F tokens for admins at a healthcare cloud company), but we don’t like to limit customers to only certain supporting browsers. Standards are cumbersome and slow, but excellent when a good design is adopted widely. In this case FIDO2 is simply better multi-factor authentication than the other options because it removes many of the common security threats, including phishing, man-in-the-middle attacks and misuse of credentials, and since a user’s credential never leaves the user’s authenticator it is much more difficult to steal.
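To make the phishing-resistance claim concrete, here is an added example (not code from the post or from any FIDO implementation) of the relying-party checks a server performs on a WebAuthn sign-in response: the browser, not the web page, writes the origin into clientDataJSON, and the authenticator binds the credential to the hash of the relying-party id, so a response relayed from a look-alike site fails even if the user was tricked into signing. The rpId, origin, challenge and sample responses are constructed for this example; the final signature check over the authenticator data with the stored public key is left out to keep the block short.

```python
import base64
import hashlib
import json

# Constructed values for this example (not from the blog post): the site's
# relying-party id, the origin the browser is expected to report, and the
# one-time challenge the server issued for this sign-in ceremony.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
CHALLENGE = b"constructed-challenge-value-for-this-example"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))

def make_authenticator_data(rp_id: str) -> bytes:
    """Constructed authenticatorData: SHA-256(rpId) || flags || signCount."""
    flags = bytes([0x01 | 0x04])  # UP (user present) and UV (user verified) set
    return hashlib.sha256(rp_id.encode()).digest() + flags + (1).to_bytes(4, "big")

def check_assertion(client_data_json: bytes, auth_data: bytes, challenge: bytes) -> bool:
    """Relying-party checks from the WebAuthn assertion procedure, without the
    signature verification over authData || SHA-256(clientDataJSON) that a
    real server would perform next with the credential's stored public key."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False
    if b64url_decode(cd.get("challenge", "")) != challenge:
        return False  # stale or replayed challenge
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False  # browser-reported origin is not this site: relayed response
    if len(auth_data) < 37 or auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False  # credential was scoped to a different rpId
    if not auth_data[32] & 0x01:
        return False  # user presence flag not set
    return True

# Constructed clientDataJSON as a browser would produce it on the real site...
GOOD_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                               "origin": "https://example.com"}).encode()
# ...and the same ceremony run from a look-alike origin (constructed): the
# browser fills in "origin", so the relying party rejects the response.
RELAYED_CLIENT_DATA = json.dumps({"type": "webauthn.get", "challenge": b64url(CHALLENGE),
                                  "origin": "https://example.com.evil.test"}).encode()
GOOD_AUTH_DATA = make_authenticator_data(RP_ID)
```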
That being said, it has not been entirely smooth sailing for FIDO. Microsoft skipped the original FIDO standard (but now supports WebAuthn), Apple is a big question mark, and many implementers in the industry have been on the sidelines waiting for more clarity on the communication options for U2F (NFC, BLE) and the migration from USB-A to USB-C. Also, the industry has seen a lot of adoption of other MFA in the past five years, and “good enough” MFA (though still vulnerable to interception or carrier hacks) has become an impediment to the “better” FIDO2 approach. Cost and complexity are the final, and most important, drag on adoption. FIDO2 and WebAuthn are a big stride in the right direction. They target a broader scope of authentication problems and do so with a longer list of compatible platforms. We believe that the tipping point for FIDO2 will happen, but exactly when is anyone’s guess. We expect more announcements on FIDO2 in 2018 (a free mobile authenticator from Google, perhaps), so watch our blog for the latest.
- WSJ Cybersecurity – As Passwords Become a Security Vulnerability, Companies Add Other Options
- Techcrunch: FIDO Alliance and W3C have a plan to kill the passwords
- Google and Microsoft Debut: Replacing Passwords with FIDO2 Authentication (video)