Achieving Strong Authentication at Scale with FIDO2
The FIDO Alliance mission to help the world move beyond passwords with simpler, stronger authentication has always been a somewhat audacious goal. The businesses that came together to form the alliance understood that replacing passwords for online authentication could only ever become commercially viable at scale through a combination of free and open technology standards built against real-world business requirements, a vastly superior user experience and a fundamentally different approach to the security model.
This is why that keyword “scale” was top of mind when we developed our latest standards, known collectively as FIDO2, in partnership with the World Wide Web Consortium (W3C). FIDO2 standards were designed from day one to be built directly into operating systems and web browsers, so we could greatly expand the addressable market for FIDO as browsers and operating systems push out updates to billions of devices.
The adoption of FIDO2 in a short period of time during 2018 was tremendous, setting the stage for 2019 to be a seminal year in the industry’s effort to move the world beyond passwords with simpler, stronger authentication.
Inside FIDO2 Specifications
FIDO2 is made up of the W3C Web Authentication (WebAuthn) specification and the Client to Authenticator Protocol (CTAP) from the FIDO Alliance. Like all FIDO standards, the security model for FIDO2 is based on public key cryptography: the website stores only a public key, so there is no shared secret to steal from its database or to trick a user into typing into a phishing page, and every login is a signature over a fresh server-issued challenge that is also bound to the requesting origin, so a captured assertion cannot be replayed or used against another site. That is what takes password theft and replay attacks off the table.
CTAP expands upon the use case first introduced by FIDO U2F, which has been popularized in dozens of models of security keys from companies such as Yubico, Feitian, OneSpan and more. With FIDO U2F, the external authenticator provides a “second factor” of authentication after the user has provided the “first factor” of authentication the old-fashioned way—a match-on-server password.
[NOTE: Technically speaking, the FIDO U2F specification has been renamed CTAP1 and the “new” CTAP specification is named CTAP2. But for the purposes of this blog, we use “CTAP” in lieu of CTAP2, as does the market at large].
With CTAP, the external authenticator can provide both factors of authentication, not just one: possession of the device, proven by the signature, plus a biometric or PIN that is matched on the authenticator itself rather than in the cloud. The website never receives the PIN or the biometric; it only sees a “user verified” flag inside the signed authenticator data. In this way, a CTAP authenticator removes the previous implicit dependency on legacy passwords.
One example of a CTAP authenticator would be a FIDO2 security key that unlocks via a PIN entered on the computer or phone (CTAP delivers the PIN to the key over an encrypted channel negotiated between client and authenticator; it is never sent to the website), or even one with a fingerprint sensor embedded in the device. But CTAP also enables a whole new use case in which a smartphone acts as an external authenticator, providing login options to websites from desktops or other devices.
Users that already have external FIDO-compliant devices, such as FIDO U2F security keys, can continue to use these devices with web applications that support FIDO2.
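To make the two points above concrete, the challenge/origin binding that defeats replay and phishing, and the on-device user verification that the server only ever sees as a flag, here is an added simulation of the assertion (login) ceremony written for this post. It is not FIDO Alliance code and not a WebAuthn library: the authenticator, the relying party, the `Setup` stand-in for registration, the hex-encoded challenge and the example hostnames are all assumptions made for the demonstration, and the sign counter and attestation are deliberately left out. The signing input (authenticatorData followed by SHA-256 of clientDataJSON), the rpIdHash, and the UP/UV flag bits follow the WebAuthn specification.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
)

// WebAuthn flags byte: UP = user touched the key; UV = PIN/biometric matched on the authenticator itself.
const flagUP, flagUV = 0x01, 0x04
// RelyingParty keeps the public key registered for the user and its unanswered one-time challenges.
type RelyingParty struct {
	rpID, origin string
	pub          *ecdsa.PublicKey
	challenges   map[string]bool
}

// Setup stands in for registration: the authenticator makes a key pair and the RP stores the public half.
func Setup(rpID, origin string) (*ecdsa.PrivateKey, *RelyingParty) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return priv, &RelyingParty{rpID, origin, &priv.PublicKey, map[string]bool{}}
}

// ClientDataJSON builds clientDataJSON as the browser would (hex challenge here; real WebAuthn uses base64url).
func ClientDataJSON(challenge, origin string) []byte {
	b, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	return b
}

// signedMessage is SHA256(authenticatorData || SHA256(clientDataJSON)), the digest ECDSA-SHA256 signs.
func signedMessage(authData, cdj []byte) []byte {
	cdh := sha256.Sum256(cdj)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdh[:]...))
	return m[:]
}

// GetAssertion is the authenticator side: authenticatorData = SHA256(rpId) || flags || sign counter
// (4 bytes, zero here), signed together with the client data hash by the credential's private key.
func GetAssertion(priv *ecdsa.PrivateKey, rpID string, cdj []byte, userVerified bool) (authData, sig []byte) {
	flags := byte(flagUP)
	if userVerified {
		flags |= flagUV
	}
	h := sha256.Sum256([]byte(rpID))
	authData = append(append([]byte{}, h[:]...), flags, 0, 0, 0, 0)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedMessage(authData, cdj))
	if err != nil {
		panic(err)
	}
	return authData, sig
}

// NewChallenge issues a fresh random challenge that may be answered exactly once.
func (rp *RelyingParty) NewChallenge() string {
	b := make([]byte, 16)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	c := fmt.Sprintf("%x", b)
	rp.challenges[c] = true
	return c
}

// Verify runs the relying-party checks. A captured assertion fails on any other site
// (origin, rpIdHash) and on any second use (one-time challenge); requireUV also demands the on-device match.
func (rp *RelyingParty) Verify(authData, cdj, sig []byte, requireUV bool) error {
	var cd map[string]string
	if err := json.Unmarshal(cdj, &cd); err != nil {
		return err
	}
	want := sha256.Sum256([]byte(rp.rpID))
	switch {
	case cd["origin"] != rp.origin:
		return fmt.Errorf("origin mismatch: assertion was made for %s", cd["origin"])
	case !rp.challenges[cd["challenge"]]:
		return fmt.Errorf("unknown or already used challenge: replay")
	case len(authData) < 37 || string(authData[:32]) != string(want[:]):
		return fmt.Errorf("rpIdHash mismatch or truncated authenticator data")
	case authData[32]&flagUP == 0 || requireUV && authData[32]&flagUV == 0:
		return fmt.Errorf("required user presence/verification flags missing")
	case !ecdsa.VerifyASN1(rp.pub, signedMessage(authData, cdj), sig):
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	delete(rp.challenges, cd["challenge"]) // consume the challenge only on success
	return nil
}

func main() {
	priv, rp := Setup("example.com", "https://example.com")
	cdj := ClientDataJSON(rp.NewChallenge(), "https://example.com")
	ad, sig := GetAssertion(priv, "example.com", cdj, true)
	fmt.Println("fresh:   ", rp.Verify(ad, cdj, sig, true)) // <nil>
	fmt.Println("replayed:", rp.Verify(ad, cdj, sig, true)) // replay error
}
```

The browser, not the authenticator, writes the origin into clientDataJSON, which is why an assertion obtained on a look-alike domain carries the wrong origin and fails the first check even though the signature itself is valid. Passing `requireUV=false` accepts a touch-only assertion, the U2F-style second-factor mode; passing `true` is the passwordless mode, where the website relies on the PIN or biometric having been matched on the device. A production relying party would additionally check the signature counter against the last value seen and validate attestation at registration.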
FIDO2 Browser and Platform Adoption, Certified Products in Place
We announced the FIDO2 standards last April, and we’ve seen rapid adoption in the eight months since. FIDO2 technologies are already built into the latest versions of Windows 10, Google Play Services on Android and web browsers including Chrome, Firefox and Edge. WebKit, the technology behind Apple’s Safari web browser, is also previewing support for FIDO2.
To prepare the market to take full advantage of this massive growth in the addressable market of FIDO-enabled devices, we’ve provided testing tools and launched a certification program for FIDO2 specifications. FIDO technology providers have introduced FIDO Certified Universal Servers that support FIDO2 and all prior UAF and U2F devices, enabling full backward compatibility for all previously certified FIDO authenticators. LINE is the first major services provider to announce Universal Server support, and we expect many others to follow suit in 2019.
What’s Next: Deployment at Scale
With all of these pieces in place, 2019 is set to be a year of broad commercial adoption of FIDO2. Microsoft, Yahoo! Japan and Login.gov already have FIDO2 in market. Does this mean the end of passwords as we know it? Not just yet. I expect the first thing websites will do is offer FIDO authentication as a new option in addition to whatever they offer today, such as just passwords and/or passwords plus one-time-passcodes. But over time, as websites evaluate how FIDO authentication is reducing their fraud numbers and user support costs while increasing their checkout conversion rates, I expect we will see websites start to deprecate their password options and rely entirely on device-based FIDO authentication.
For users, FIDO2 will be a natural transition. People everywhere are already using their fingers and faces to unlock their mobile phones and computers, so this will feel familiar to them, and more convenient. What they use today to unlock will soon allow them to log in to all their favorite websites and a growing number of FIDO-based native apps that already includes Bank of America, PayPal, eBay, T-Mobile and Aetna. Some services may follow the lead of Google, Facebook, Dropbox and others and use FIDO2 security keys in addition to passwords to replace their second-factor offerings, allowing their users to touch a button on their new security key instead of typing a phishable six-digit SMS code into their browser. A key feature of FIDO is how flexible it is, allowing service providers to improve their authentication flows as they see fit.
The global tech industry has come together through the FIDO Alliance and our partners to provide a shared solution to a shared problem. Not only does this result in a platform that’s well on its way to being ubiquitous across all Internet-connected devices, but it also comes with the security assurance that hundreds of companies from around the world have already reviewed, tested and implemented this critical technology.