Transforming online security with FIDO2 passkeys and passwordless authentication
Traditional password-based authentication methods, once considered the cornerstone of online security, are increasingly failing in the face of sophisticated cyberattacks. Often, the first hurdle in user engagement is the login password. Not only is creating and managing passwords a major annoyance, but the login password is also notoriously vulnerable to data breaches.
The FIDO (Fast Identity Online) Alliance is at the forefront of a transformative movement in online security, dedicated to revolutionizing authentication protocols. The FIDO Alliance has developed authentication standards that use public key cryptography to create a more secure and user-friendly alternative to traditional passwords and one-time passcodes (OTP) sent by SMS.
FIDO Authentication is a global authentication standard. With FIDO Authentication, traditional authentication methods such as passwords stored on servers, SMS OTP, and knowledge-based authentication (KBA) are replaced by on-device authentication. This ensures that authentication data remains stored on the user's device – not on a server. Whether your user is a customer or employee, they can now access cryptographic login credentials using local biometrics, PINs, or other mechanisms.
In essence, FIDO Authentication offers an interoperable and standardized ecosystem of authenticators. With it, organizations can deploy strong authentication (also known as multi-factor authentication or MFA) for login, without the incremental cost of in-house development.
Introducing FIDO2 passkeys
The Alliances’ latest addition, FIDO2 passkeys, signifies a departure from conventional password-based authentication methods. FIDO2 passkeys offer a passwordless authentication solution that is both highly secure and user-friendly.
At the heart of FIDO2 passkeys lies public key cryptography, an encryption method that uses pairs of cryptographic keys to authenticate users.
When setting up a FIDO2 passkey, a unique pair of keys is generated: a public key stored securely with the online service and a private key retained by the user's device.
During authentication, the user's device signs a challenge issued by the service using the private key, and the service verifies the signature using the stored public key. This process eliminates the need for passwords entirely, greatly reducing the risk of unauthorized access. Hence, we refer to it as phishing-resistant.
Benefits of FIDO2 passkeys
- Enhanced Security: FIDO2 ensures that cryptographic login credentials are unique for each website, remain on the user's device, and are never stored on a server. This approach stops phishing, password theft, credential stuffing and replay attacks.
- Convenience: Users can authenticate via simple, built-in methods such as fingerprint readers or facial recognition, or through FIDO security keys tailored to individual preferences. They no longer need to remember complex passwords.
- Privacy: FIDO Authentication safeguards privacy by ensuring that cryptographic keys are website-specific, preventing cross-site tracking. When biometrics are used, the data does not leave the user's device.
- Interoperability: FIDO2 passkeys are supported by a growing number of online services and platforms, making them a versatile authentication solution for both consumers and enterprises.
- Scalability: Enabling FIDO2 on websites is straightforward, requiring just a simple JavaScript API call. This is supported across leading browsers and platforms, making it accessible on billions of devices globally.
How FIDO2 passkeys and passwordless authentication work with WebAuthn CTAP
FIDO2 combines the W3C's (World Wide Web Consortium) Web Authentication (WebAuthn) specification and the FIDO Alliance's Client-to-Authenticator Protocol (CTAP). Together, these specifications enable FIDO2 passkeys to seamlessly integrate with web-based authentication workflows. The result is a secure, straightforward, and scalable authentication process.
Here’s how they work together:
- WebAuthn enables passwordless authentication experiences on the web, eliminating the reliance on passwords and enhancing security. WebAuthn is a W3C standard, implemented in major web browsers such as Microsoft Edge, Google Chrome, and Apple’s Safari. It defines a web API for creating and using strong, public-key-based credentials to authenticate users.
With WebAuthn, websites can request and obtain cryptographic credentials (public and private key pairs) from FIDO2 authenticators during user registration. During authentication, WebAuthn allows websites to challenge users by sending a cryptographic challenge to the authenticator, which the user's device signs with the private key and sends back to the website for verification. - The CTAP (Client-to-Authenticator Protocol) is defined by the FIDO Alliance and facilitates communication between client devices, such as computers or mobile devices, and authenticator devices, such as USB security keys or biometric sensors. CTAP is responsible for handling the communication between the user's device (client) and the FIDO2 authenticator during authentication transactions. When a website initiates a WebAuthn authentication request, the client device communicates with the FIDO2 authenticator using CTAP to perform the necessary cryptographic operations.
Combat social engineering with phishing-resistant FIDO2 passkeys
FIDO2 passkeys are often referred to as the gold standard in protecting employees and consumers against phishing attacks. Unlike passwords, which can be easily phished or intercepted, FIDO2 passkeys rely on public key cryptography to authenticate users securely. This means that even if a malicious actor attempts to trick someone into providing their passkey through a phishing website or email, the cryptographic nature of FIDO2 passkeys safeguards that sensitive authentication information.
We live in a time when generative AI and machine learning are exploited by fraudsters to create more sophisticated and personalized phishing campaigns. The cryptographic underpinnings of FIDO2 passkeys make them resistant to automated phishing attempts. As an additional security measure, FIDO2 passkeys can be setup to require user interaction at the time of authentication, thwarting malicious bots seeking to exploit vulnerabilities.
By mitigating the risk of phishing attacks, FIDO2 passkeys bolster online security, providing a better user experience and greater peace of mind for business and government organizations.
FIDO2 authentication from OneSpan
As a board member of the FIDO Alliance and an active participant in various FIDO2 working groups, OneSpan is part of FIDO’s initiative to standardize the authentication industry. OneSpan first addition to its FIDO2 passkey portfolio is DIGIPASS FX1 BIO. This cutting-edge physical passkey with fingerprint scan empowers organizations to embrace passwordless authentication while providing the strongest security against social engineering and account takeover attacks.
We also offer full FIDO capabilities as part of OneSpan Mobile Security Suite. This means organizations can implement passwordless authentication to enhance customer and employee experience by replacing static passwords with modern capabilities such as biometrics, while also protecting their mobile apps against phishing, adversary-in-the-middle, and replay attacks.
FIDO-certified authentication methods are supported out-of-the box as they come to market. Because of standardization, any application can work with any of the user's devices (iOS and Android), operating systems, and authenticators. This gives organizations and service providers a plethora of choices on how to approach passwordless authentication.
Visit our FIDO authentication page to learn more about FIDO for passwordless login, including FIDO2, FIDO U2F (universal second factor), and FIDO UAF (universal authentication framework) solutions.
Why FIDO is the future of authentication
Hear OneSpan's Field CTO discuss FIDO on this podcast, first published in July 2024 on Expert Insights.