FIDO2 Passwordless Authentication
It’s been long understood that enterprises need to move away from passwords and basic multi-factor authentication (MFA). Security issues being the obvious reason why. Considering it only takes 10 minutes to crack a lowercase password that is six characters long (Avast), passwords remain a weak link and are the source of many cybersecurity vulnerabilities. On top of the major security concerns, passwords are detrimental to customer experience. According to MasterCard, about a third of online purchases are abandoned at checkout because customers can’t remember their passwords.
However prevalent these issues may be, enterprises remain hesitant to switch over to a passwordless solution due to the complex implementation and high cost involved. But now, thanks to the FIDO alliance and vendors with FIDO passwordless authentication built into their solutions, adoption of passwordless security is finally attainable. Read on as we discover what the FIDO alliance is, what FIDO2 passwordless authentication is, the benefits and how companies like Transmit Security have incorporated this golden standard of secure passwordless authentication into our own solutions.
An open standard for all
Since 2013, Fast Identity Online (FIDO) has aimed to change the nature of authentication through a set of open technical specifications for mechanisms of authenticating users to online services without the use of passwords. Making it more secure and convenient for all.
The fact that FIDO is an open standard plays a huge role in it’s significance for the industry. Given that open standards will remain open is especially important in the identity space. With many enterprises relying on multiple vendors and solutions, the fact that they can have the freedom to choose and change where needed is a big plus. With this independence, comes an ever increasing adoption rate of FIDO2. Developers are much more receptive to using open standards as they are easily scalable. While enterprises enjoy the benefit of independence. Evolve at a much faster pace.
FIDO consists of three main protocols:
- Universal Second Factor (U2F): The first protocol created was intended to work as a second factor of authentication alongside the user’s password (the first factor).
- The Universal Authentication Framework (UAF): The second protocol created was in response to the ever growing demand for passwordless authentication. However, only usable on mobile devices.
- Client to Authenticator Protocol (WebAuthn + CTAP): Enables users to authenticate on mobile or desktop using common devices like laptop sensors or biometrics instead of relying on a password. This is the latest release from the FIDO alliance and one that we’ll continue to discover further below.
FIDO2: The new authentication standard
In a continuous effort to move the world beyond passwords, FIDO’s latest standard known as FIDO2 is a combination of the Client to Authenticator Protocol (CTAP) and Web Authentication (WebAuthn) that can be formally certified. FIDO2 effectively solves the issues of traditional authentication by addressing the security, convenience, privacy and scalability issues that are commonly lacking.
FIDO2 ensures a better user experience that uses the built-in capabilities, such as finger and face scan, of devices to enable strong authentication. Effectively eliminating the need for passwords and OTPs. The beauty of implementing FIDO2 rather than relying on passwords is that there is essentially nothing for hackers to steal or manipulate. It helps solve the age old issue of usability vs. security.
All the benefits of FIDO2 Passwordless Authentication built into BindID
While it’s all very well to know about FIDO2, applying it correctly is another thing. You could implement the biometric authentication interfaces in your applications yourself really quickly and have your customers using biometrics overnight. But at the same time you would be breaking the concept of usable security. Leaving you with a solution that’s neither easy to use nor secure.
When putting FIDO2 ‘in the real world’ there are several technical pitfalls. Managing authenticators, devices and users throughout different FIDO2 authentication use-cases can quickly become a daunting task. In order to effectively bind FIDO2 authenticators to user identities (while allowing users to transfer this binding among their authenticators) in a secure and frictionless manner, involves the implementation of complex cross-channel, cross device authentication session management.
This complexity is compounded by the need to maintain a consistent user experience among different browsers and platforms. Not an easy task to take on alone. However, when using BindID, applications handoff the complexity of maintaining real-world FIDO2 authentication scenarios to the service, which takes care of all authentication flow details and gets back to the application with a final detailed and secure authentication result. Meaning you can implement effortlessly and verify instantly.