Since the latest uptick in attacks on organisations that begin with stolen or phished credentials, there has been increasing focus on FIDO2, which has been touted in some quarters as a panacea for credential abuse.
But what is FIDO2? Why should enterprises care about it? Can it really do everything that’s claimed? If it’s that great, why isn’t everyone using it already? And, why are vendors suddenly so keen to talk about it?
While FIDO2 offers a lot of promise, it’s been slow to gain traction. In this article The Stack will attempt to answer the question “what is FIDO2?” and deal with some other common topics around the authentication protocol.
What is FIDO2?
FIDO2 is the umbrella name for the latest set of specifications from the FIDO (Fast Identity Online) Alliance, an industry body whose members include Amazon, Intel, Microsoft, RSA, Visa, Google and more. It pairs the W3C’s WebAuthn standard, the browser and platform API a website calls to register and use a credential, with the Client to Authenticator Protocol (CTAP2), which lets a browser or operating system talk to an external security key or a built-in authenticator. Publicly launched in 2013, the FIDO Alliance has been developing authentication standards to reduce reliance on passwords.
“What we are doing is shifting the world away from an approach to user authentication that is centralised in nature, based on shared secrets like passwords, to one that’s a little bit more decentralised and allows users to authenticate locally on devices that they use every day,” says Andrew Shikiar, director of the FIDO Alliance, speaking to The Stack.
“What’s important about FIDO2 is that we’ve worked to have this built into every endpoint that a consumer may touch, or a user may touch. So it’s supported by every modern web browser, every operating system. So virtually every device that’s being unboxed this very second can support FIDO authentication.”
Why is FIDO2 different to other MFA approaches?
There are two main differences between the FIDO Alliance’s approach and other common MFA systems.
The first is local authentication.
Instead of the user’s machine sending a one-time password (OTP) to a server, which must then compare it against a copy it holds, FIDO uses asymmetric public-key cryptography: the server sends a random challenge, the user’s authenticator signs it with a private key, and the server checks the signature against the public key it stored when the credential was registered. This is the same cryptographic approach used in TLS and other common security protocols, and when it is well implemented it is extremely secure.
FIDO’s protocols generate a distinct key pair for each account at each site or service (the “relying party”): the public key is stored on the remote server, while the private key exists only in the user’s authenticator, which may be a smartphone, a secure element or TPM in a PC, or a hardware token such as those from Yubico or similar vendors. Because every relying party gets its own key pair, a credential registered with one site is of no use at another.
The second difference is user-initiation.
“We think it’s important for the user to initiate all these logins where you’re going to log in or access a site or access a service – you need to initiate it, you need to validate yourself using a single gesture, at point of login,” says Shikiar.
“MFA prompt fatigue’s a real thing,” he adds. “If you have three screens open and six instant message systems coming to you at once, and then you have this thing beeping on your phone, you’re just going to turn it off.”
What can FIDO2 help with?
Implemented properly, this public-key design makes phishing and man-in-the-middle attacks against the login itself virtually impossible. Those attacks work by capturing a shared secret (a password or OTP) that the victim types into a site the attacker controls and replaying it to the real site. A FIDO2 private key is never transmitted, so there is nothing to capture, and the signature is bound to the website’s origin: the browser writes the domain the user is actually visiting into the data that gets signed, so an assertion produced on a lookalike domain is rejected by the genuine site, and an authenticator registered for the real domain will not even offer a credential to the lookalike.
Critically, and as noted above, FIDO2 also shuts down “push bombing” or MFA-fatigue attacks, in which an attacker who already holds a password triggers repeated approval prompts until the victim taps accept. There is no prompt to approve: nothing is signed until the user deliberately performs a gesture (a touch, PIN or biometric) on the authenticator that holds the key, so an attacker who has only a password has no way to generate a request for the user to wave through.
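To make the mechanics described above concrete, here is a toy relying party and authenticator in Go. It is an added example written for this article, not code from the FIDO Alliance, a browser vendor or any WebAuthn library, and it is deliberately simplified: one user per relying party, Ed25519 signatures only, no attestation or signature counter, and the browser’s role played by a plain function. The names (Authenticator, RelyingParty, Login), the relying party example.com at https://login.example.com and the lookalike login.examp1e.com are all constructed for the illustration.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// Toy FIDO2/WebAuthn login (illustration, not a real WebAuthn library): one key pair per relying
// party (RP), a server challenge signed by the authenticator, origin and RP ID checks, a UP flag.

type clientData struct { // mirrors WebAuthn clientDataJSON; the browser, not the page, fills in Origin
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

type Authenticator map[string]ed25519.PrivateKey // one private key per RP ID; keys never leave the device

// Register mints a fresh key pair for rpID and returns only the public half for the RP to store.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	a[rpID] = priv
	return pub
}

// signedMessage is what WebAuthn signs: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, cdJSON []byte) []byte {
	cdHash := sha256.Sum256(cdJSON)
	return append(append([]byte{}, authData...), cdHash[:]...)
}

// Assert signs for rpID. flags bit 0 is user presence (UP), which a real authenticator sets only after a touch, PIN or biometric.
func (a Authenticator) Assert(rpID string, cdJSON []byte, flags byte) (authData, sig []byte, err error) {
	k, ok := a[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("authenticator: no credential for %q", rpID)
	}
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], flags) // 32-byte rpIdHash followed by the flags byte
	return authData, ed25519.Sign(k, signedMessage(authData, cdJSON)), nil
}

type RelyingParty struct {
	ID, Origin string            // RP ID (a domain) and the exact origin logins must come from
	Pub        ed25519.PublicKey // registered public key of the single user of this toy RP
	challenge  string            // the one outstanding challenge, consumed by Verify
}

// Verify runs the RP-side checks in the order a WebAuthn server performs them.
func (rp *RelyingParty) Verify(cdJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(cdJSON, &cd); err != nil {
		return err
	}
	want, rpHash := rp.challenge, sha256.Sum256([]byte(rp.ID))
	rp.challenge = "" // consumed even on failure, so a captured assertion cannot be replayed
	switch {
	case want == "" || cd.Challenge != want:
		return fmt.Errorf("rp: unknown or replayed challenge")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("rp: origin mismatch, got %s", cd.Origin)
	case len(authData) != 33 || string(authData[:32]) != string(rpHash[:]):
		return fmt.Errorf("rp: rpIdHash mismatch")
	case authData[32]&0x01 == 0:
		return fmt.Errorf("rp: user presence not asserted")
	case len(rp.Pub) != ed25519.PublicKeySize || !ed25519.Verify(rp.Pub, signedMessage(authData, cdJSON), sig):
		return fmt.Errorf("rp: signature invalid")
	}
	return nil
}

// Login sequences one ceremony: the RP issues a challenge, the browser wraps it with the origin
// it is really on (a real browser also derives rpID from that origin), the authenticator signs, the RP verifies.
func Login(rp *RelyingParty, auth Authenticator, browserOrigin, rpID string, flags byte) error {
	nonce := make([]byte, 32)
	rand.Read(nonce) // crypto/rand.Read is documented never to return an error
	rp.challenge = fmt.Sprintf("%x", nonce)
	cdJSON, _ := json.Marshal(clientData{Challenge: rp.challenge, Origin: browserOrigin})
	authData, sig, err := auth.Assert(rpID, cdJSON, flags)
	if err != nil {
		return err
	}
	return rp.Verify(cdJSON, authData, sig)
}

func main() {
	auth := Authenticator{}
	rp := &RelyingParty{ID: "example.com", Origin: "https://login.example.com", Pub: auth.Register("example.com")}
	fmt.Println("genuine login:     ", Login(rp, auth, rp.Origin, rp.ID, 0x01))
	fmt.Println("no user gesture:   ", Login(rp, auth, rp.Origin, rp.ID, 0x00))
	// The lookalike relays the real challenge, but the browser derives the RP ID from its real origin.
	fmt.Println("phishing lookalike:", Login(rp, auth, "https://login.examp1e.com", "examp1e.com", 0x01))
}
```

The genuine login verifies. The same login with the flags byte clear fails with “user presence not asserted”, because the relying party refuses anything the user did not gesture for. The lookalike fails before a signature is even produced, because the browser derives the RP ID from the origin it is really on and the authenticator holds no key for examp1e.com; even an assertion somehow signed with the real key for a phishing origin would be thrown out by Verify’s origin and rpIdHash checks, and a captured assertion cannot be replayed because the challenge is consumed on first use. A production relying party should use a maintained WebAuthn library rather than this sketch.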
“Users in the case of attacks against MFA are doing what they are trained to do. The problem is the weak nature of the shared secret. If the user is given a stronger form of authentication control, the problem between the keyboard and chair can be mitigated,” says Jason Soroko, CTO at Sectigo.
What can’t FIDO2 help with?
If an attacker has physical access to a user’s device and authenticator, and the authenticator is protected only by a PIN or some other non-biometric factor that the attacker has managed to observe, they could use it to reach FIDO2-protected systems. But as Shikiar points out, this requires far more access than a remote attacker normally has.
“For someone to key log you, or whatever it might be, that means they’re actually shoulder surfing you. They see your PIN, they have your device and take over your device – that needs to be a local attack. So we’re protecting against remote attacks.”
Theoretically, even local biometric authentication could be targeted by an attacker, but in this case, as Brian Wagner, CTO at Defense.com, says, they would need to be highly motivated: “Both of the factors are actually ‘something you have’ and do not include a ‘something you know’; this means someone impersonating you would have to have both your private key (which is encrypted on the issuing device) and your biometrics, which would be quite tricky (and gruesome) to procure.”
FIDO2 also cannot eliminate all forms of human error, or, worse, an insider willing to work with an attacker, and it says nothing about what happens after a successful login: a session cookie lifted from an already-authenticated browser by malware works regardless of how that session was opened. But it does eliminate many attack vectors that depend on the fallibility of users.
Why has it taken so long for FIDO2 to get attention?
“Probably the same as any technology before it: cost of implementation. Username and password infrastructure has been the dominant primary authenticator for a very long time. FIDO2 would require that to be replaced,” says Wagner.
“In the grand scheme of things, this is relatively new,” says Shikiar. “Large Fortune 100 companies, they’ve been acquiring companies for dozens of years, they might still be on tape drives.
“When you’re talking about FIDO authentication, that’s a mere blip on their timeline.”
Cost and compatibility are also factors, although both have improved significantly in recent years. Biometric authentication is increasingly widespread, the cost of hardware tokens has fallen and, most significantly, FIDO2 is supported by all major browsers and operating systems (although, as with Azure AD, vendors and enterprises still need to decide which combinations of browser, operating system and authenticator to support first).
How can I start implementing FIDO2?
The frustrating-but-realistic answer is: it depends.
“There’s not an easy answer there, but it depends on everyone’s own infrastructure,” says Shikiar. He notes the FIDO Alliance offers a guide for enterprises on how to plan and start their FIDO deployment.
A good starting place is to run a pilot, or to prioritise the most high-risk users, such as network administrators – then roll out FIDO authentication more widely over time.
But there are also alternatives to FIDO2 that can be effective. Many authentication platforms and cloud providers offer number matching, in which the login screen displays a number that the user must type into the authenticator app before the push request is approved. Because approval needs someone who can see the login screen as well as hold the phone, a blind push-bombing attempt cannot be accepted by accident, although, unlike FIDO2, the approach still rests on a password and on the user noticing which site is asking.
“For enterprise users, PKI-based client certificates that are centrally managed and provisioned to users with existing technologies can be a better option, optimized for controlled rollouts to privileged users,” says Soroko.