Jerrod Chong, SVP Solutions at YubiKey, explained that FIDO2 evolved from interest in a new use case: “Can we eliminate the password?” YubiKey spent the last two years working with Microsoft and others to create the FIDO2 protocol standard. In many ways, FIDO2 is to Microsoft what FIDO U2F is to Google. FIDO2 has three primary use cases: Tap and Go, Web Authentication, and backward compatibility with FIDO U2F.
Microsoft Windows 10 RS5, released in October, adds FIDO2 login support. Instead of Windows Hello or a password, users can tap a FIDO2-compatible hardware token to authenticate to their PC. While similar smartcard-based systems have been on the market for years targeting verticals such as health care, FIDO2 is the first open standard.
FIDO2 devices can support NFC, Bluetooth, and USB, but the sweet spot is definitely NFC. Chong described it as “bringing an Apple Pay sort of experience to Windows login.” Microsoft’s adoption of the FIDO2 standard will drive NFC integration into laptops and Windows tablets, as well as keyboards and other peripherals.
Tap and go will undoubtedly be welcomed by hospitals, doctor’s offices, manufacturing plants, and other environments where biometrics are not a good fit. The open standard creates additional possibilities, such as integration with physical security and building access systems. But perhaps more exciting, FIDO2 promises to bring passwordless authentication to the web.
FIDO2 consists of two main components: the Client to Authenticator Protocol (CTAP) and the W3C Web Authentication specification (WebAuthn). The earlier FIDO U2F protocol has been renamed CTAP1 in the WebAuthn specifications. This flexibility, and the W3C's involvement, suggest a strong future for this new technology.
Chong says, “With Chrome and Firefox announcing WebAuthn API and CTAP1 support as the client, and Dropbox now integrating with the WebAuthn API, this has kicked off a flurry of integration activities by other services. Most recently, Microsoft Edge released support for WebAuthn API, CTAP1 and CTAP2, making it the browser with the widest authentication support.”
From a security perspective, FIDO2 single-factor authentication beats passwords hands-down. It uses the same strong public-key cryptography with origin checking that FIDO U2F uses to prevent phishing, with the additional convenience of not needing a username and password as the first factor to identify the user.
For higher-risk applications, FIDO2 hardware authenticators that support CTAP2 can require a PIN or biometric to unlock the hardware authenticator. “For example,” explained Chong, “a large banking institution may want to consider the use of a PIN in conjunction with a security key for a higher level of assurance, while a warehouse-based shared kiosk environment may not.”
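The two checks the preceding paragraphs describe, origin checking against phishing and the CTAP2 user-verification (PIN or biometric) requirement for higher-risk applications, both happen on the relying-party side of a WebAuthn assertion. The following is an added example, not code from the article or from YubiKey or Microsoft: it verifies a constructed assertion's client data and authenticator data against a hypothetical relying party (`example.com`, assumed here) and lets a policy flag decide whether user verification is mandatory. The signature check over `authenticatorData || SHA-256(clientDataJSON)` is deliberately left out so the block runs with the standard library alone; a production verifier must also perform it and track the signature counter.

```python
import base64
import hashlib
import json
from typing import Tuple

# Assumed relying-party identity (not from the article): the RP ID and the only
# origin a genuine assertion may carry. A phishing page on another origin cannot
# produce client data with this origin, which is what defeats credential phishing.
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"

# Flag bits in the authenticator data, as defined by WebAuthn.
FLAG_UP = 0x01  # user present: the key was touched
FLAG_UV = 0x04  # user verified: PIN or biometric was checked (CTAP2)


def b64url_decode(s: str) -> bytes:
    """Decode base64url without padding, as WebAuthn encodes it."""
    return base64.urlsafe_b64decode(s + "=" * (-len(s) % 4))


def b64url_encode(b: bytes) -> str:
    return base64.urlsafe_b64encode(b).rstrip(b"=").decode()


def build_authenticator_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Constructed test helper mimicking an authenticator:
    rpIdHash (32 bytes) || flags (1 byte) || signCount (4 bytes big-endian)."""
    return (hashlib.sha256(rp_id.encode()).digest()
            + bytes([flags])
            + sign_count.to_bytes(4, "big"))


def build_client_data(challenge: bytes, origin: str) -> str:
    """Constructed test helper mimicking the browser's clientDataJSON."""
    client_data = {
        "type": "webauthn.get",
        "challenge": b64url_encode(challenge),
        "origin": origin,
    }
    return b64url_encode(json.dumps(client_data).encode())


def verify_assertion(client_data_b64: str, auth_data: bytes,
                     expected_challenge: bytes, require_uv: bool) -> Tuple[bool, str]:
    """Relying-party checks on an assertion, before the signature is verified.

    require_uv models the policy choice from the text: a bank may demand a PIN
    (user verification) while a shared warehouse kiosk may accept touch only.
    """
    client = json.loads(b64url_decode(client_data_b64))

    if client.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    # The challenge must be the one this server issued for this login attempt.
    if b64url_decode(client.get("challenge", "")) != expected_challenge:
        return False, "challenge mismatch (replayed or stale assertion)"
    # Origin check: the browser fills this in, so a look-alike domain is rejected.
    if client.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch: %r" % client.get("origin")

    if len(auth_data) < 37:
        return False, "authenticator data too short"
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    # The authenticator scoped the credential to this RP ID.
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"
    if not flags & FLAG_UP:
        return False, "user presence not asserted"
    if require_uv and not flags & FLAG_UV:
        return False, "user verification (PIN/biometric) required but not asserted"
    return True, "ok"


if __name__ == "__main__":
    # Constructed sample: a genuine assertion and a phishing-origin one.
    challenge = bytes(range(32))
    good = build_client_data(challenge, EXPECTED_ORIGIN)
    phish = build_client_data(challenge, "https://examp1e.com")
    with_uv = build_authenticator_data(RP_ID, FLAG_UP | FLAG_UV, 1)
    touch_only = build_authenticator_data(RP_ID, FLAG_UP, 1)
    print(verify_assertion(good, with_uv, challenge, require_uv=True))
    print(verify_assertion(phish, with_uv, challenge, require_uv=False))
    print(verify_assertion(good, touch_only, challenge, require_uv=True))
```

The origin check is only as strong as the RP's certainty about which origins it serves; accept an explicit allow-list, never a pattern derived from the request itself.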
Passwords are the Achilles' heel of web authentication. Strong hardware-based authentication, instead of passwords that are too frequently reused and compromised, represents a giant leap forward. One adoption barrier is that while NFC is commonplace in mobile phones, it is rare in laptop and desktop computers. Another obstacle is Apple. Progress has been made toward obtaining access to iPhone NFC capabilities, but Apple is conspicuously absent from the FIDO2 table. These obstacles must be overcome for FIDO2 to achieve widespread adoption.
Until NFC becomes standard in laptops, many users will need to purchase two different FIDO2 hardware devices. For example, Android phones work best with an NFC-capable device, but owners of laptops with only USB-C ports, including most new Apple laptops and Microsoft products such as the Surface Go, will need to either carry a USB-C to USB-A adapter or purchase a non-NFC-capable USB-C FIDO2 device.
Despite these short-term issues, FIDO2 is an extremely promising technology with the potential to eliminate passwords and seriously improve security for many Internet applications.
Have a security question you’d like answered in a future column? Eric would love to hear from you.