FIDO has been in the news recently, especially during the week of RSA 2019. We wrote an introduction to FIDO early last year, but we wanted to take a look at what the FIDO Alliance has been up this year and the newly minted WebAuthn standard.
WebAuthn: Recognized as an authentication standard
The World Wide Web Consortium (W3C) announced in March that Web Authentication (WebAuthn) officially became a web standard. It serves as the next step in the industry’s drive toward eliminating or at least reducing reliance on passwords and instead on focusing on biometrics and other authentication methods instead.
So, what is WebAuthn? It is a credential management API that allows web applications to authenticate users without storing their passwords on servers. The API uses public key cryptography, which involves the use of a private-public keypair, where you keep a private key on your device and the server has a public key, which is useless without the private key.
So what does WebAuthn actually mean for users? Previously, users provided a shared secret (i.e., their password) when logging into accounts, which is then stored on a server that may or may not be secure. This left ways for bad actors to gain access to your account: maybe the password is stored in plain text, the server isn’t properly secured, or your password is easy enough to guess or social engineer (reusing passwords found in a previous breach, using your birthdate or something similar). Additionally, one way to strengthen the security of an account, two-factor authentication, still struggles with low adoption—as of November 2017 only 28% of people even enabled it.
So WebAuthn eliminates the need to have the server store passwords. Instead, the server registers a WebAuthn credential using the private-public keypair, which also includes an identifier for that user. To prevent replay attacks, the server should create a challenge made up of a randomly generated string.
Though just named a standard, Google Chrome, Microsoft Edge, Mozilla Firefox, and Apple Safari (still in preview) have adopted it. When I wrote about the Yubikey (which used the legacy U2F protocol that was supplanted by FIDO2 and WebAuthn) last summer, only Chrome was a consistent option, though Firefox and Safari could work if you had some technical knowledge, so it’s nice to see adoption grow! One site that enabled WebAuthn quickly is Dropbox, but expect others to follow suit, especially sites that implemented U2F.
Not content with WebAuthn as it is, FIDO Alliance is already hard at work on a Level 2 specification.
The FIDO Alliance may have struggled out of the gate following its inception, but now it’s in a good position with the shifting industry focus toward conditional access/zero trust. More and more organizations are getting into the idea of password-less login, which FIDO standards provide through hardware keys and biometric authentication.
Just before the WebAuthn announcement, Google and FIDO Alliance revealed that Android 7+ is now FIDO2 certified. The certification will allow Android app developers to enable password-less login. The new Samsung Galaxy S10 and S10 Plus feature an ultrasonic fingerprint scanner developed by Qualcomm that was the first to receive FIDO Biometric Component Certification.
Definitely a good start to a year only three months in.
At RSA 2019, I sat down with FIDO Alliance co-founder and Nok Nok Labs CEO Phil Dunkelberger to learn more about FIDO. He explained the FIDO Alliance developed FIDO partially for personal privacy. Authentication keys remain stored on a hardware device, requiring those who want to gain access to your account to physically have one of your devices. FIDO was developed to try and be a future-looking system based around adaptive authentication, not simply a replacement for username and passwords. The goal is to allow users to decide how they wish to authenticate.
Nok Nok Labs offers their own FIDO-based server that provides companies with a command center where IT can see the different keys in use. Their S3 Authentication Suite is certified for all current FIDO protocols and allows companies to use biometric authenticators. Phil mentioned that Fujitsu provides VPN access for employees, but requires FIDO biometrics to ensure those logging in are who they say they are.
Nok Nok Labs was one of the founding companies around FIDO, though over 400 companies ultimately contributed. They currently integrate with over 600 FIDO-certified products. Phil said that over 300 million FIDO keys have been deployed, largely due to how it’s meant to be easy for organizations to scale up. The financial industry, in particular, has been a big adopter of FIDO; they have millions of users, consisting of both internal (employees) and external (customers).