FIDO has definitely become the "hot thing" in identity and access management in 2019, even though the FIDO Alliance has been around since 2012. Vendors are pumping out press releases when their apps or devices become FIDO certified.
The constant news around that should be enough to make anyone curious about FIDO. What if users or organizations want to take advantage of FIDO, but use non-certified devices? (I’m looking at you, Apple.)
So, how does FIDO work on iPhone or other Apple devices, until they’re certified?
What is FIDO?
We’ve talked about it before, but let’s do a quick review for those few who might still be unaware, or still unsure of how it works. FIDO, or Fast Identity Online, came about back in 2012 with the FIDO Alliance looking to create a new authentication standard.
FIDO2 is the current iteration of the standard and covers a few different specifications:
- WebAuthn: the W3C standard web API (a W3C Recommendation since March 2019) that lets browsers and platforms expose FIDO credentials to websites.
- CTAP2: the Client to Authenticator Protocol, needed for external (roaming) authenticators like a YubiKey to talk to a device or browser over USB, NFC or Bluetooth. This essentially bridges your hardware FIDO key, through your device or browser, over to the server: the challenge goes out to the key and the signed response comes back.
- CTAP1 (the protocol formerly called FIDO U2F): lets existing U2F keys be used, as a second factor, with FIDO2-enabled browsers and operating systems.
Additionally, there is FIDO UAF, an older protocol that delivers a passwordless experience using an on-device verifier (PIN, biometrics, etc.) instead of a shared secret.
How does FIDO work?
At a very basic level, FIDO gives everyone public-key cryptography for authentication, a safer alternative to proving identity with a shared secret (e.g., a password). Each credential is a private/public key pair. The private key never leaves the authenticator, while the authentication server for the online service stores only the public key. The authenticator can be a platform authenticator built into the device (Touch ID, Windows Hello) or an external roaming authenticator (a hardware key).
When a user registers with an online service, the authenticator creates a new key pair scoped to that service (its relying-party ID). The public key becomes associated with the user's account, while the device keeps the private key, protected by the chosen local verification method (PIN or biometric). When the user wishes to sign in, the server sends a fresh random challenge. The browser or app passes it to the authenticator together with the origin it is actually talking to; the authenticator asks for local verification, then signs the challenge, the origin and a usage counter with the private key. The server verifies the signature with the stored public key, checks that the challenge is the one it just issued and that the origin is its own, and only then approves access.
Because the private key never leaves the device and the signature is bound to the site's origin, the credential cannot be phished: a look-alike site on another domain, or a man-in-the-middle proxy relaying to the real site, receives a signature over its own origin, which the real service rejects, and a captured response cannot be replayed against a later challenge. FIDO devices are also designed to be interoperable since it's a standard (the FIDO Alliance even holds interoperability events).
Unfortunately, Apple devices aren’t certified yet
Android 7+ became FIDO2 certified just ahead of RSA 2019, with Windows Hello following suit in May. Unfortunately, Apple continues to lag behind for iOS and macOS, making only a few steps in the right direction (more on that below), but no full commitment from them just yet.
However, just because Apple devices and first-party applications aren't FIDO certified doesn't mean that users are out of luck. FIDO-certified devices and apps do still work with or on your iPhone or Mac. On the Mac it takes a third-party desktop browser with WebAuthn support to use a FIDO-certified key; on the iPhone, apps can build in FIDO UAF through vendor SDKs and APIs.
Desktop and laptop users have a decent number of options for working with FIDO-certified hardware keys. Those with a hardware security key, like a YubiKey or Google Titan Key, can use Google Chrome and Mozilla Firefox (for the latter, sites that still use the legacy U2F API need that support switched on in about:config first). A public preview of Safari allows the use of USB-based CTAP2 devices, too (it's been in preview for nearly a year; just officially release it already, Apple!). Yubico even released a USB-C compatible YubiKey for new MacBooks.
Using FIDO on an iPhone is a little less smooth than on macOS, but there are options. Nok Nok Labs offers organizations their Nok Nok App SDK for iOS v. 5.0 to use FIDO-certified authenticators (biometrics, PIN, etc.), and Yubico also has a Mobile SDK for iOS. Yubico has the YubiKey 5Ci coming soon, which features a Lightning connector, and Apple introduced the Core NFC API in iOS 11 (it's still not as open to third-party apps as vendors may want, but it's getting there).
The Google Titan Security Key Bluetooth version also works with iPhones on iOS 10+, but there are a couple of caveats. Users will need to download the Google Smart Lock app, which allows the Titan key to authenticate Google apps, but nothing else. It is possible to get further functionality and sign into first-party apps like Mail and Calendar if the user enrolls in Google's (free) Advanced Protection Program (you will have to enroll two security keys).
Apple users can make do
It may not be a smooth process, but Apple users can still improve their security with FIDO. Plus, Apple will eventually get FIDO certified; it's just a matter of time. When I spoke with Phil Dunkelberger of Nok Nok Labs back at RSA, he spoke positively about Apple's security moves at that point in time, but noted they'd have to eventually play ball and get certified if they want that W3C badge.
Apple's Face ID and Touch ID have also helped consumers and organizations get used to the idea of authenticating via biometrics. So, it's a bit of a bummer that they haven't really gotten on the public-key cryptography train like so many other vendors.
In addition to the Safari preview and slowly opening up third-party NFC access, the recent news around iCloud access via Touch ID or Face ID shows Apple could be experimenting.
But, until Apple does make an official move, users are left with an awkward and incomplete experience; some apps will work, while others won’t. Granted, FIDO isn’t smooth sailing yet on Android and Windows, but it’s a much better experience. You can use it on more devices, even if certified apps remain somewhat limited.
On the other hand, if you're an enterprise, all you really care about is protecting the one account you control; everything else should hang off it via federation. Many organizations could simply use the Nok Nok Labs SDK to enable FIDO for their users, if they wanted.