It took 10 years, but the future has arrived for Multi-Factor Authentication!

The internet is a curious thing. It empowers us by being a gateway to the world's information, increases productivity by enabling us to work anywhere in the world and entertains us by streaming decades' worth of music, movies and television shows with a few clicks. Unfortunately, it also harbors the worst kinds of profit- or thrill-seeking miscreants and criminals, whether they are working alone in a basement or are bankrolled by a deleterious nation state. This split personality of the internet can be plainly seen by security professionals who monitor the constant hum of web traffic, both legitimate and malicious, just below the surface. But similarly, it is hard for anyone to ignore the increase of high-profile data breaches these last few years perpetrated by these bad actors.

Multi-factor authentication offers an answer to these breaches. It has been in the news for more than a decade, but it has failed to take hold due to high cost, poor usability or both. Web security professionals and corporations have recognized this deficiency and formed the FIDO Alliance. What started in 2012 with a handful of companies now boasts 40 Board Level Members including heavyweights such as Google, Microsoft, Amazon, Intel and Facebook. Their mission is to reduce the world's over-reliance on passwords by designing more secure ways to authenticate without sacrificing usability or incurring extra cost.

The FIDO Alliance's most important job is designing standards in the form of specifications. Specifications are detailed technical descriptions that define how devices, systems and software should behave in order to ensure interoperability. To understand the necessity of interoperability, consider fingerprint readers. Today they are commonly built into laptops and smartphones or added via external USB scanners. With so many hardware vendors in this space alone, it's easy to imagine them all speaking different languages. As such, it is not possible for websites to recognize all these different readers or understand their proprietary formats. Due to this cacophonous diversity, a common and promising option for multi-factor simply can't be leveraged. With the designation of FIDO2 as an official web standard in March this year, the promise of universal, interoperable multi-factor is tantalizingly close to being realized.

FIDO2 will enable users to utilize common devices to authenticate to websites in both desktop and mobile environments. It aims to make multi-factor authentication easy and straightforward - a direct assault on phishing attacks and the strain of passwords altogether. It does this by establishing a standardized way of authenticating users via Public Key Infrastructure (PKI). PKI has been a network security linchpin for decades - you actually use it every time you create a secure HTTPS connection to your favorite websites.

FIDO2 also creates clear separation between software vendors and hardware vendors. Abstracting away the hardware details allows all kinds of devices to be used through web browsers, be it fingerprint readers, cameras, hardware-based security keys or your smart phone. Allowing the same device to be used securely across multiple websites ensures a compromise of one site will no longer impact logons to other websites. FIDO2 can be utilized as a secure second factor or as a full replacement for the password you keep forgetting (aka "passwordless").

FIDO2 is comprised of two main specifications:

  • Web Authentication ("WebAuthn")
  • Client-to-Authenticator ("CTAP")

Without going into any gory details, WebAuthn is implemented by web browsers and is exposed via JavaScript. CTAP describes how hardware devices (referred to as "authenticators") must act whether they be built-in or available via USB, NFC or Bluetooth Low Energy (BLE).

One of the most exciting aspects of FIDO2 is how quickly it has been adopted across the industry:

Hardware vendors now need to catch up to support CTAP. Bluetooth (BLE) is an area to keep an eye on as it should allow you to eventually authenticate to your workstation using your phone's built-in hardware as the authenticator.

New announcements are being made at a break-neck pace. The right things feel like they are finally converging to bring true, secure authentication to the web. It's been forecast numerous times before, but the groundswell of support suggests this could truly be the change that will allow passwords to finally be put out to pasture.


Author: Gregg Browinski