
The Benefits (and Flaws) of FIDO2 Web Authentication

The Fast Identity Online (FIDO) Alliance developed FIDO2 to make passwordless authentication possible.

This article is the lowdown on FIDO2 authentication, how it ensures passwordless authentication, its advantages/disadvantages, and, of course, the differences between FIDO and FIDO2.

Let's get started:

What is FIDO2 Authentication?

FIDO2 authentication is a passwordless authentication technique that lets users authenticate from their devices (smartphones, tablets, laptops, and IoT systems) with biometrics or USB security keys. It allows for seamless authentication in mobile and desktop environments and for web services. The FIDO (Fast IDentity Online) Alliance was founded in 2012 by Lenovo, PayPal, Validity Sensors, Nok Nok Labs, Infineon, and Agnitio to build a passwordless authentication protocol.

In 2013, Yubico, Google, and NXP joined the alliance. In December 2014, Samsung and PayPal collaborated to launch FIDO, the first passwordless authentication protocol, on the Samsung Galaxy S5. It enabled users to log in and shop with a finger swipe and pay via PayPal.

FIDO2 authentication provides a passwordless way to verify users digitally and keep their privacy intact, while addressing security and scalability issues that password-based authentication cannot. Online services are reached through a standard web API built into the web platform itself.

How Does FIDO2 Authentication Work?

Authentication techniques and processes are only good when they are easy to use. The FIDO Alliance designed passwordless authentication to work with existing infrastructure, so it is simple to implement. When users visit an online service or website that supports FIDO2 authentication, they first sign in as usual with the traditional method.

After providing the username and password, the user finds an option within the website (user profile, configuration, or user settings) to enable biometric login through their device.

Choosing this option triggers an exchange of cryptographic keys: the authenticator generates a key pair and registers the public key with the service. This process allows the same device to authenticate the user later. The next time the user signs in, they unlock the FIDO2 authenticator with their PIN or biometric, which releases the private key to complete the authentication process. Most FIDO2 authentication devices work as roaming authenticators.

They can take the form of a USB stick (YubiKey), hardware built into enterprise systems, or a platform authenticator such as Windows Hello. Security firms like our team here at Packetlabs are adept at implementing FIDO2 authentication and have granular knowledge of its capabilities.

Benefits of FIDO2 Authentication

FIDO2 authentication offers numerous benefits to an enterprise, including:

  • Security: Cybercriminals cannot access an account protected by FIDO2 authentication, since an attacker would also need the physical device.

  • No Multiple Passwords Required: Another significant advantage of the FIDO2 authentication technique is that users do not have to remember multiple passwords. They can use the same device and authentication mechanism (a PIN or biometric on that FIDO2 device) to log into different accounts.

  • No Locking or Resetting: No one can lock or reset your account even if they obtain your username and password. Attackers also cannot reset or recover your account by masquerading as a legitimate user. Only the FIDO2 user with the physical device can do so.

  • Lack of Tracking: Since the cryptographic keys are unique for different online services, no service can track the users. Hence, FIDO2 also helps protect digital privacy.

Disadvantages of FIDO2 Authentication Techniques

There are numerous drawbacks associated with FIDO2 authentication mechanisms. The most common of these are:

  • New Technology: FIDO2 authentication can be new to many employees. In addition, a new authentication system can be costly in terms of money and time: the firm must buy or develop compatible devices and train its employees to use them.

  • Lack of Physical Protection: FIDO2 authentication is not flawless, as it depends on the physical device. In the case of a physical security breach, if cybercriminals steal the device, they can use it to access the account.

  • No Broad Support: Although many browsers and online services support FIDO2, not all websites and browsers do, so it is not yet a universal standard for passwordless authentication.

Difference between FIDO, FIDO2 Authentication, and WebAuthn

FIDO is the first attempt by the FIDO Alliance to create a cross-industry standard for passwordless authentication. FIDO2 authentication is the second iteration of passwordless authentication, made up of CTAP and WebAuthn. WebAuthn was developed by the World Wide Web Consortium (W3C) as a standard web API for public-key credentials.

FIDO2 itself is the standard for passwordless authentication with biometric or PIN-protected devices; it builds on WebAuthn while adding further security capabilities.

Conclusion

Before we wrap up today's blog, we wanted to offer up some of the top companies that currently deal in FIDO2 passwordless authentication.

These companies are:

  • Yubico: Yubico offers single-factor authentication through its USB hardware authentication device. It uses the touch/tap mechanisms to authenticate users.

  • Azure AD: An enterprise-grade identity and authentication service that enables conditional access and multi-factor authentication to guard accounts and services against cyber threats.

  • Okta: Okta enables Single Sign-On (SSO) for passwordless authentication. Enterprise software uses it for authenticating users with multiple services.

  • FusionAuth: Lastly, FusionAuth is another passwordless authentication product that allows quick authentication across various applications. It is compatible with web services, desktops, and smartphone apps.

Ready to level up your organization's cybersecurity? Reach out to our team today (or sign up for our newsletter for more trending tips and expert advice!)
