The internet is a curious thing. It empowers us by being a gateway to the world's information, increases productivity by enabling us to work anywhere in the world and entertains us by streaming decades' worth of music, movies and television shows with a few clicks. Unfortunately, it also harbors the worst kinds of profit- or thrill-seeking miscreants and criminals, whether they are working alone in a basement or are bankrolled by a deleterious nation state. This split personality of the internet can be plainly seen by security professionals who monitor the constant hum of web traffic, both legitimate and malicious, just below the surface. But similarly, it is hard for anyone to ignore the increase in high-profile data breaches these last few years perpetrated by these bad actors.
Multi-factor authentication offers an answer to these breaches. It has been in the news for more than a decade, but it has failed to take hold due to high cost, poor usability or both. Web security professionals and corporations have recognized this deficiency and formed the FIDO Alliance. What started in 2012 with a handful of companies now boasts 40 Board Level Members including heavyweights such as Google, Microsoft, Amazon, Intel and Facebook. Their mission is to reduce the world's over-reliance on passwords by designing more secure ways to authenticate without sacrificing usability or incurring extra cost.
The FIDO Alliance's most important job is designing standards in the form of specifications. Specifications are detailed technical descriptions that define how devices, systems and software should behave in order to ensure interoperability. To understand the necessity of interoperability, consider fingerprint readers. Today they are commonly built into laptops, smart phones or added via external USB scanners. With so many hardware vendors in this space alone, it's easy to imagine them all speaking different languages. As such, it is not possible for websites to recognize all these different readers or understand proprietary formats. Due to this cacophonous diversity, a common and promising option for multi-factor simply can't be leveraged. With the designation of FIDO2 as an official web standard in March this year, the promise of universal, interoperable multi-factor is tantalizingly close to being realized.
FIDO2 will enable users to utilize common devices to authenticate to websites in both desktop and mobile environments. It aims to make multi-factor authentication easy and straightforward - a direct assault on phishing attacks and the strain of passwords altogether. It does this by establishing a standardized way of authenticating users via Public Key Infrastructure (PKI). PKI has been a network security linchpin for decades - you actually use it every time you create a secure HTTPS connection to your favorite websites.
FIDO2 also creates clear separation between software vendors and hardware vendors. Abstracting away the hardware details allows all kinds of devices to be used through web browsers, be it fingerprint readers, cameras, hardware-based security keys or your smartphone. Because the device registers a separate key pair with each website, the same device can be used securely across multiple sites, and a compromise of one site will no longer impact logons to other websites. FIDO2 can be utilized as a secure second factor or as a full replacement for the password you keep forgetting (aka "passwordless").
FIDO2 is comprised of two main specifications:
- Web Authentication ("WebAuthn")
- Client to Authenticator Protocol ("CTAP")
One of the most exciting aspects of FIDO2 is how quickly it has been adopted across the industry:
- Nearly all major browsers have already implemented WebAuthn (Chrome, Firefox, Edge, Opera) with Apple Safari declaring "experimental" support.
- Windows Hello on Windows 10 has already been certified as FIDO2 compliant.
- Microsoft Edge had an early MSFT-specific implementation last year, but they quickly abandoned it in favor of the standard WebAuthn function names, which simplifies things for website owners.
- Android 7.0 and later devices can already act as an authenticator for mobile browsers.
- PortalGuard now supports FIDO2 as an additional second factor. Please contact us for more details.
Hardware vendors now need to catch up to support CTAP. Bluetooth (BLE) is an area to keep an eye on as it should allow you to eventually authenticate to your workstation using your phone's built-in hardware as the authenticator.
New announcements are being made at a break-neck pace. The right things feel like they are finally converging to bring true, secure authentication to the web. It's been forecast numerous times before, but the groundswell of support suggests this could truly be the change that will allow passwords to finally be put out to pasture.