Disclaimer
This blog is my personal platform. The opinions shared here are solely mine and do not reflect the views of any individuals, institutions, or organisations with which I am affiliated, unless explicitly noted. I am solely responsible for the content presented here.
Introduction
Today, we're diving into an exciting topic that's reshaping online security: passwordless authentication. With data breaches becoming increasingly common, traditional passwords are often seen as a weak link. Regardless of their length, complexity, or frequency of changes, passwords can still be compromised through intentional or unintentional sharing. Even with robust password protection measures, organisations remain vulnerable to phishing, hacking, and other cyberattacks that result in stolen passwords. When passwords fall into the wrong hands, they can be exploited to gain unauthorised access to online accounts, devices, and files. This post marks the beginning of a series where we'll explore how passwordless solutions, particularly physical FIDO2 keys and passkeys, offer a more secure and convenient alternative. We'll look at the technology behind these innovations, discuss my hands-on testing experiences, and examine the pros and cons of various solutions available today.
Background information
Over the past few months, I've been focused on collecting and thoroughly testing various FIDO2 keys. This series aims to explore the world of passwordless authentication and present insights from my research. While I aim to provide factual information about these technologies, I will also be sharing my personal experiences and opinions.
My research has focused on physical hardware security keys - FIDO2. I will share the nuances and details I uncovered during testing across various platforms: Windows, macOS, Android, and iOS.
I would like to extend my sincere appreciation to the teams at Feitian, HID, Hideez, Thales, Token2, and Yubico. Their generous sharing of information and provision of resources were instrumental and truly invaluable throughout this process.
I also want to acknowledge the many other companies and individuals I consulted between January and May 2024. While they are not featured in this series, their contributions were greatly appreciated.
Without further ado, let's dig in!
1. Passwordless Authentication
Passwordless authentication enhances security by removing the need for traditional passwords, which are often vulnerable to poor management and increase attack surfaces. This method also improves user experience by eliminating the frustration of remembering passwords or answers to security questions. Instead, users can securely and conveniently access applications and services using alternative authentication methods.
1.1. Passwordless Authentication Methods
Passwordless authentication provides several secure and user-friendly methods for verifying identities without relying on traditional passwords. These authenticators are essential for enhancing security and streamlining the login process.
Here are the main types of passwordless authenticators:
Biometrics: This method involves measuring and analysing unique physical traits (such as fingerprints, voice prints, or iris patterns) or behavioural patterns (like typing rhythms or gait) to confirm identity.
Mobile: Mobile devices (smartphones and tablets) can use various mechanisms for authentication, including push notifications, QR code scanning, on-device biometrics, security keys, or authentication apps that generate or approve unique codes.
Platform: Integrated device features like Windows Hello, Apple’s Touch ID, and Face ID enable users to authenticate directly to applications and websites without needing additional hardware.
Security Keys: These are physical devices (e.g., USB tokens) that generate unique, often time-sensitive codes or store cryptographic keys to verify user identity across computers, networks, and online services.
1.2. Advantages of Passwordless Authentication
Passwordless authentication offers several functional and business advantages. It enables organisations to:
Increase security by eliminating vulnerable password practices and reducing the risk of credential theft and impersonation.
Enhance user experience by removing the burden of password management and providing streamlined access to all applications and services.
Streamline IT operations by removing the need to issue, secure, rotate, reset, and manage passwords.
2. FIDO Alliance
The FIDO Alliance (Fast Identity Online Alliance) is a global consortium formed in 2012 to develop and promote standards for secure, passwordless authentication. Its key goals are to enhance online security and user convenience by creating open standards that replace passwords with more secure methods like biometric verification and hardware security keys.
2.1. FIDO Alliance's mission
Standards Development: Creates protocols for secure authentication, such as FIDO2, which includes WebAuthn and CTAP.
Interoperability: Ensures solutions work across different platforms and services.
Security and Usability: Aims to reduce risks associated with passwords and improve user experience.
The FIDO Alliance's work helps make online security stronger and easier to use, with support from a diverse range of member organisations.
More here: https://fidoalliance.org/
It was very important to me that the keys I was testing were made by companies and manufacturers that are all part of the FIDO2 Alliance.
3. FIDO
3.1. FIDO2, FIDO U2F and FIDO UAF definitions
3.1.1. FIDO2
FIDO2 is a set of open standards developed by the FIDO Alliance (Fast Identity Online) and the World Wide Web Consortium (W3C) designed to enhance online authentication security while providing a seamless user experience. It aims to replace traditional passwords with more secure and user-friendly methods.
FIDO2 emerged from FIDO 1.0, the initial authentication standards released by the alliance in 2014. These original standards introduced the FIDO Universal Second Factor (FIDO U2F) protocol and the FIDO Universal Authentication Framework (FIDO UAF) protocol.
Both FIDO U2F and FIDO UAF are types of multifactor authentication (MFA), requiring two or three pieces of evidence (factors) to verify a user. These factors can be something the user knows (like a passcode or PIN), something the user has (such as a FIDO key or an authenticator app on a mobile device), or something the user is (such as a biometric).
3.1.2. FIDO U2F
FIDO U2F enhances password-based security by incorporating two-factor authentication (2FA), which requires two pieces of evidence to verify a user. The FIDO U2F protocol involves entering a valid username and password as the first factor, followed by using a USB, NFC, or Bluetooth device as the second factor, typically authenticated by pressing a button or entering a time-sensitive OTP (One-Time Password).
FIDO U2F succeeds CTAP1 and precedes CTAP2, which enables the use of mobile devices in addition to FIDO keys as second-factor devices.
3.1.3. FIDO UAF
FIDO UAF enables multifactor passwordless authentication. It requires the user to sign in with a FIDO-registered client device, which verifies the user’s presence through a biometric check (like a fingerprint or face scan) or a PIN as the first factor. The device then generates a unique keypair as the second factor. Websites or apps can also use a third factor, such as a biometric or the user’s geographic location.
FIDO UAF is the predecessor to the FIDO2 passwordless authentication standard.
3.2. FIDO comparison
3.3. FIDO types
3.3.1. FIDO2 Standards and components
WebAuthn (Web Authentication): A web standard that allows web applications to integrate strong, passwordless authentication methods. It works by letting users authenticate with biometric data (e.g., fingerprints or facial recognition) or hardware tokens (e.g., USB or NFC keys) directly through their web browsers.
CTAP (Client To Authenticator Protocol): A protocol that enables devices like smartphones, security keys, and biometric readers to communicate with the web browser or application to perform authentication.
3.3.2. How It Works
FIDO2 uses public-key cryptography to ensure secure authentication. When a user registers a device, a public-private key pair is created. The private key remains securely on the device, while the public key is stored on the server. During authentication, the server sends a challenge to the device, which signs it using the private key. This process verifies the user’s identity without transmitting sensitive data.
3.3.3. FIDO Benefits
Phishing Resistance: FIDO2 is inherently resistant to phishing attacks because the authentication process is domain-specific, making it impossible for credentials to be misused on fraudulent sites posing as legitimate ones.
Enhanced Security: FIDO2 authenticators use cryptographic keys and biometrics to greatly mitigate risks such as phishing, man-in-the-middle attacks, and password theft.
Privacy Protection: Biometric data is processed locally on the user's device and is not transmitted to service providers, ensuring user privacy.
Interoperability: FIDO2 is compatible with a wide array of devices and platforms, allowing users to select their preferred authentication method for various services.
User Convenience: FIDO2 methods are designed to offer a more seamless and user-friendly experience compared to traditional passwords, often requiring only a simple touch or glance for authentication.
Reduced Organisational Costs: By implementing FIDO2, organisations can lower expenses related to password resets, support inquiries, and security breaches.
4. Conclusion
That wraps up our current look at FIDO2 keys.
In the upcoming posts of this series, I’ll provide deeper insights from my hands-on testing, focusing on the strengths and unique features of each FIDO2 key. Stay tuned for more detailed reviews and an exploration of how these technologies enhance online security.
Thank you for following along. Check back soon for more updates and in-depth analysis!
Using passwordless authentication, is it still possible for the bad actor to steal a token?