Providing secure and easy-to-use authentication methods is a goal of any web application. The most common way to authenticate users is through usernames and passwords.
However, this method has many issues, as users must remember multiple passwords for different websites. There are also many other issues users face when they must type their passwords every time they log in to a system.
All this means that, today, application developers want alternatives to password authentication. FIDO2 is one of the most successful authentication methods currently available: it lets software and hardware authenticate users without requiring them to type passwords.
Short for Fast IDentity Online 2.0, FIDO2 is a modern specification for strong authentication created by the Fast Identity Online Alliance.
Founded in July 2012, this alliance was a collaborative effort by tech giants such as Google, Microsoft, Lenovo, and PayPal. To reduce the growing security concerns around password protection, the FIDO2 specification was made open to everyone.
FIDO2 mainly allows two options for users. To authenticate themselves, users can use either:
As many modern devices have biometric sensors such as fingerprint readers and facial recognition cameras, biometric data is becoming the more popular option for FIDO2. A FIDO2 security key is a physical device that connects to your device via USB, Bluetooth, or NFC.
(Related reading: SAML authentication.)
What works under the hood in FIDO2 is public key cryptography. When a user registers to an application that uses FIDO2, it creates a private key and a public key:
During authentication, the server sends a challenge to the user's device: a random piece of data generated by the server for that login attempt, which the device must sign with its private key to prove the user's identity.
Once the device signs the challenge, it creates a cryptographic signature. This signature, along with the challenge, is sent back to the server. The server then uses the stored public key to verify the signature. Since only the corresponding private key could have created this valid signature, the server can confirm the user's identity without needing a password.
All the user has to do is verify themselves by using the fingerprint option or facial recognition option on the device, and then the device will handle the rest of the process.
In the case of a FIDO2 security key (like a YubiKey), the user will need to insert the key and, if required, press a button on the key to authenticate.
(Know the difference: authentication vs. authorization.)
FIDO focuses on providing secure, passwordless authentication using hardware tokens. The original FIDO standards, such as U2F (Universal 2nd Factor), enhance security by generating unique cryptographic keys for each site. This ensures that compromised data from one site cannot be used to access others.
FIDO2 expands on the original FIDO standards by introducing two standards:
The key difference is that FIDO primarily addresses second-factor authentication, whereas FIDO2 aims for a broader, passwordless authentication experience. FIDO2 supports a wider range of authenticators and integrates seamlessly with web applications, which enhances both security and user convenience.
WebAuthn and CTAP are the two primary protocols used in FIDO2. WebAuthn focuses on web-based authentication, where the user is authenticated by verifying, with the public key stored on the server, a signature produced by the private key stored on the user's device. Moreover, WebAuthn ensures that each user has a unique key pair for each website.
CTAP handles device-level communication, such as between browsers and biometric devices. It is responsible for allowing the private key to be used only when the user has been properly verified by a biometric device or a FIDO2 security key.
WebAuthn can function without CTAP in cases where the authenticator is built into the device, such as a laptop’s fingerprint scanner or a smartphone’s facial recognition. However, for external authenticators like security keys, CTAP is essential.
WebAuthn provides an API to create and manage public key credentials. It offers two key methods.
As the WebAuthn API is widely supported by modern browsers, including Google Chrome, Mozilla Firefox, Microsoft Edge, Apple Safari, and Opera, developers can implement WebAuthn for a wide user base.
Let’s summarize the key benefits of FIDO2 that we have discussed in the above sections to give you a clearer understanding.
Initial setup complexity. The initial setup process for FIDO2 can be more complex compared to traditional password systems. This includes registering devices and keys, which may require additional user support and training.
System compatibility. Ensuring that your existing systems, particularly legacy systems, are compatible with FIDO2 authentication methods can be challenging. This may involve significant redesigns or updates to your backend infrastructure to handle FIDO2 requests effectively.
Compliance issues. You will have to comply with FIDO2 standards, which requires ongoing attention and updates to your code to meet compliance requirements.
Certified authenticators. Procuring and managing FIDO2-certified authenticators is necessary. This involves verifying the compatibility and security of authenticators, which can be an additional logistical challenge.
Organizations like Microsoft, Apple, and Google have expressed their interest in increasing support for FIDO2 due to its potential. While this is something to hope for, it is not the only indication that FIDO is growing. In fact, according to research conducted by Gartner, by 2025 more than 25% of Multi-Factor Authentication transactions will be based on FIDO.
As FIDO becomes increasingly standardized across the tech industry, we'll see advances in authentication transactions. This could include more biometrics, such as voice and iris scans, as devices become more capable of handling them as input. The use of mobile phones' built-in wallets for FIDO2 authentication is also increasing among some providers. This growing adoption could mean that FIDO becomes the universal second factor for MFA, replacing flimsy existing solutions like one-time codes.
See an error or have a suggestion? Please let us know by emailing ssg-blogs@splunk.com.
This posting does not necessarily represent Splunk's position, strategies or opinion.