Transforming online security with FIDO2 passkeys and passwordless authentication
Traditional password-based authentication methods, once considered the cornerstone of online security, are increasingly failing in the face of sophisticated cyberattacks. Often, the first hurdle in user engagement is the login password. Not only is creating and managing passwords a major annoyance, but the login password is also notoriously vulnerable to data breaches.
To combat this, the FIDO (Fast Identity Online) Alliance is at the forefront of a transformative movement in online security, dedicated to revolutionizing authentication protocols. As the number of data breaches soars, the FIDO Alliance has developed authentication protocols, also known as FIDO authentication, to provide greater security for individuals and enterprises.
What is FIDO authentication?
FIDO2 is a global authentication standard created to reduce the use of passwords. It uses public key cryptography, in which a pair of mathematically linked keys (one public, one private) is used to authenticate users, to create a more secure and user-friendly alternative to traditional passwords and one-time passcodes (OTP) sent by SMS.
With FIDO authentication, traditional authentication methods such as passwords stored on servers, SMS OTP, and knowledge-based authentication (KBA), are replaced by on-device authentication. FIDO ensures that authentication data, such as private cryptographic keys, remain stored on the user's device instead of on a server. Whether the user is a customer or employee, they can authenticate using cryptographic login credentials, which are unlocked locally through secure mechanisms like biometrics (e.g., fingerprint or face recognition) or a PIN. This approach enhances security and eliminates the risks associated with centralized credential storage and traditional password-based systems.
FIDO authentication offers an interoperable and standardized ecosystem of authenticators. With it, organizations can deploy strong authentication (also known as multi-factor authentication or MFA) for login, without the incremental cost of in-house development.
Introducing FIDO2 passkeys
The availability of FIDO2 passkeys signifies a departure from conventional password-based authentication methods. FIDO2 passkeys offer a passwordless authentication solution that is both highly secure and user-friendly.
As with FIDO authentication, FIDO2 passkeys use public key cryptography. When setting up a FIDO2 passkey, a unique pair of keys is generated: a public key, which is shared with and stored securely by the online service, and a private key, which remains securely stored on the user’s device. The private key is never transmitted or exposed, providing robust protection against phishing and server-side credential breaches.
During authentication, the user's device signs a unique challenge issued by the service using the private key stored securely on the device. The service verifies the authenticity of the signed challenge using the public key stored on its server. This passwordless process eliminates the need for traditional passwords and provides strong phishing resistance by ensuring authentication can only occur with the specific service that issued the challenge. This greatly reduces the risk of unauthorized access and credential theft.
Combat social engineering with phishing resistant FIDO2 passkeys
FIDO2 passkeys are widely regarded as the gold standard in protecting employees and consumers against phishing attacks. Even if a malicious actor attempts to deceive a user through a phishing website or email, the cryptographic design of FIDO2 passkeys ensures that sensitive authentication information cannot be intercepted or misused.
In an era where fraudsters leverage generative AI and machine learning to craft increasingly sophisticated and targeted phishing campaigns, FIDO2 passkeys remain resilient. Their reliance on public key cryptography makes them inherently resistant to automated phishing attempts. Additionally, FIDO2 passkeys can be configured to require user interaction—such as biometrics or PIN entry—at the time of authentication, preventing exploitation by malicious bots.
By reducing the risk of phishing attacks, FIDO2 passkeys significantly enhance online security while delivering a seamless user experience. This makes them an essential tool for businesses and government organizations seeking to safeguard digital systems and instill greater peace of mind.
Benefits of FIDO2 passkeys
In addition to reducing the risk of unauthorized access, FIDO2 passkeys offer the following benefits:
- Enhanced security: FIDO2 authenticators ensure that cryptographic login credentials are unique for each website, remain on the user's device, and are never stored on a server. This approach stops phishing, password theft, credential stuffing, and replay attacks.
- Convenience: Users can authenticate via simple built-in methods, such as fingerprint readers or facial recognition, or through FIDO security keys tailored to individual preferences. Users do not need to remember complex passwords.
- Privacy: FIDO authentication safeguards privacy by ensuring that cryptographic keys are website-specific, preventing cross-site tracking. When biometrics are used, the data does not leave the user's device.
- Interoperability: FIDO2 passkeys are supported by a growing number of online services and platforms, making them a versatile authentication solution for both consumers and enterprises.
- Scalability: Enabling FIDO2 passkeys on websites is straightforward, requiring just a simple JavaScript API call. This is supported across leading browsers and platforms, making it accessible on billions of devices globally.
How FIDO2 passkeys and passwordless authentication work with WebAuthn and CTAP
FIDO2 combines the W3C's (World Wide Web Consortium) Web Authentication (WebAuthn) specification and the FIDO Alliance's Client-to-Authenticator Protocol (CTAP). Together, these specifications enable FIDO2 passkeys to seamlessly integrate with web-based authentication workflows. The result is a secure, straightforward, and scalable authentication process.
WebAuthn and CTAP work together in the following ways:
- WebAuthn enables passwordless authentication experiences on the web, eliminating the reliance on passwords and enhancing security. WebAuthn is a W3C standard, implemented in major web browsers such as Microsoft Edge, Google Chrome, and Apple’s Safari. It defines a web API for creating and using strong, public key-based credentials to authenticate users.
With WebAuthn, websites can request and obtain cryptographic credentials (public and private key pairs) from FIDO2 authenticators during user registration. During authentication, WebAuthn allows websites to challenge users by sending a cryptographic challenge to the authenticator, which the user's device signs with the private key and sends back to the website for verification.
- CTAP (Client-to-Authenticator Protocol) is defined by the FIDO Alliance and facilitates communication between client devices, such as computers or mobile devices, and authenticator devices, such as USB security keys or biometric sensors. CTAP is responsible for handling the communication between the user's device (client) and the FIDO2 authenticator during authentication transactions. When a website initiates a WebAuthn authentication request, the client device communicates with the FIDO2 authenticator using CTAP to perform the necessary cryptographic operations.
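The "simple JavaScript API call" that the earlier list item and this section refer to is navigator.credentials.create() for registration and navigator.credentials.get() for authentication. The following is an added example, not code from OneSpan or the W3C, showing the browser side of both calls: how the server's options are turned into the option objects the API expects, how user verification (biometric or PIN) is demanded, and how the credential the browser returns is encoded for the server. The endpoints /webauthn/register/options, /webauthn/login/options and their /verify counterparts are hypothetical, as are the field names in the server's JSON; all binary fields are assumed to cross the wire as base64url strings. The CTAP exchange with the security key or platform authenticator happens inside the browser during these calls and is not visible to the page.

```javascript
// Added example, not OneSpan's or the W3C's code: the browser side of the
// WebAuthn calls. Server endpoints and JSON field names are hypothetical.

// base64url <-> bytes: WebAuthn wants ArrayBuffers/Uint8Arrays, not strings.
function fromB64url(s) {
  const b64 = s.replace(/-/g, "+").replace(/_/g, "/").padEnd(Math.ceil(s.length / 4) * 4, "=");
  return Uint8Array.from(atob(b64), (c) => c.charCodeAt(0));
}
function toB64url(buf) {
  let bin = "";
  for (const b of new Uint8Array(buf)) bin += String.fromCharCode(b);
  return btoa(bin).replace(/\+/g, "-").replace(/\//g, "_").replace(/=+$/, "");
}

// Registration: what navigator.credentials.create() needs, built from the
// server's options. userVerification "required" is the biometric/PIN step.
function buildCreationOptions(o) {
  return {
    publicKey: {
      rp: { id: o.rpId, name: o.rpName },
      user: { id: fromB64url(o.userId), name: o.userName, displayName: o.displayName },
      challenge: fromB64url(o.challenge),          // random bytes minted by the server
      pubKeyCredParams: [{ type: "public-key", alg: -7 }, { type: "public-key", alg: -257 }], // COSE ES256, RS256
      authenticatorSelection: { residentKey: "required", userVerification: "required" },
      excludeCredentials: (o.existingCredentialIds || []).map((id) => ({ type: "public-key", id: fromB64url(id) })),
      attestation: "none",
      timeout: 60000,
    },
  };
}

// Authentication: what navigator.credentials.get() needs so the authenticator
// signs the server's challenge for this rpId only.
function buildRequestOptions(o) {
  return {
    publicKey: {
      rpId: o.rpId,
      challenge: fromB64url(o.challenge),
      allowCredentials: (o.allowCredentialIds || []).map((id) => ({ type: "public-key", id: fromB64url(id) })),
      userVerification: "required",
      timeout: 60000,
    },
  };
}

// The PublicKeyCredential the browser returns holds ArrayBuffers; encode them
// for the server, which verifies clientDataJSON, authenticatorData and signature.
function credentialToJSON(cred) {
  const r = cred.response;
  const out = { id: cred.id, rawId: toB64url(cred.rawId), type: cred.type, response: { clientDataJSON: toB64url(r.clientDataJSON) } };
  if (r.attestationObject) out.response.attestationObject = toB64url(r.attestationObject); // from create()
  if (r.authenticatorData) {                                                              // from get()
    out.response.authenticatorData = toB64url(r.authenticatorData);
    out.response.signature = toB64url(r.signature);
    if (r.userHandle) out.response.userHandle = toB64url(r.userHandle);
  }
  return out;
}

// Browser-only glue: fetch options, make the API call, post the result back.
// kind is "register" or "login" (hypothetical endpoint naming).
async function runCeremony(kind) {
  const serverOpts = await (await fetch(`/webauthn/${kind}/options`, { method: "POST" })).json();
  const cred = kind === "register"
    ? await navigator.credentials.create(buildCreationOptions(serverOpts))
    : await navigator.credentials.get(buildRequestOptions(serverOpts));
  return fetch(`/webauthn/${kind}/verify`, {
    method: "POST", headers: { "Content-Type": "application/json" }, body: JSON.stringify(credentialToJSON(cred)),
  });
}
```

Two details matter for security here: the challenge must come from the server on every ceremony (never generated in the page), and rpId must be the site's own registrable domain, because the browser refuses to create or use a credential for any other RP ID. Setting userVerification to "required" is what makes the device insist on a fingerprint, face or PIN check before signing, which is the bot-resistance property the earlier section describes.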
FIDO2 authentication from OneSpan
As a board member of the FIDO Alliance and an active participant in multiple FIDO2 working groups, OneSpan is part of FIDO’s initiative to standardize the authentication industry. OneSpan's latest additions to its FIDO2 passkey portfolio are:
- DIGIPASS FX1 BIO: This cutting-edge physical passkey with fingerprint scan empowers organizations to embrace passwordless authentication while providing the strongest security against social engineering and account takeover attacks.
- DIGIPASS FX7: This simple and easy-to-use FIDO2-enabled phishing-resistant authenticator protects organizations looking to mitigate social engineering and ATO attacks. It also offers an improved user experience enabling a ‘work from anywhere, anytime on any device’ policy.
OneSpan also offers full FIDO capabilities as part of OneSpan Mobile Security Suite. This means organizations can implement passwordless authentication to enhance both the customer and employee experience. By replacing static passwords with modern capabilities, such as biometrics, organizations can also protect their mobile apps against phishing, adversary-in-the-middle, and replay attacks.
FIDO-certified authentication methods are supported out of the box and can work with any of the user's devices (iOS and Android), operating systems, and authenticators. This gives organizations and service providers flexible choices on how to approach passwordless authentication.
To learn more about FIDO, we invite you to listen to OneSpan's Field CTO discuss the future of authentication in this podcast: Why FIDO is the future of authentication, recorded in 2024 on Expert Insights.