FIDO2 Moves Forward with Passwordless Authentication
FIDO, Finally, Almost: Passwordless authentication is now becoming a possible dream, thanks to the ongoing standards work at the Fast Identity Online (FIDO) Alliance and the collaboration between competitors, such as Microsoft and Google.
Sources: RSA Conference 2018 (upper figure), FIDO Alliance (lower figure)
FIDO in the OS
Whether your OS is the browser, or whether it’s Windows, FIDO is not far. At an RSA Conference 2018 presentation, Microsoft and Google shared their roadmaps. Other vendors that announced FIDO 2.0 specifications (FIDO2) support include Daon, Feitian Technologies, Gemalto, Nok Nok Labs, Raonsecure, RSA, Vasco, and Yubico. In this post, we’ll dig into what was announced, and provide an introduction to FIDO2.
Passwords: The #1 Security Capability we Love to Hate
Passwords have served the industry well over the years, but come with a fundamental architectural weakness: they are what’s called “shared secrets,” that is, not really secrets. Worse, any password a user can remember has limited entropy available to resist increasingly sophisticated password cracking attacks. The only way to increase password assurance has been to sacrifice convenience by having many, more complex, and longer passwords. Users are not very good at this, and password manager tools have proven a poor crutch.
In the RSA Conference 2018 session “Google And Microsoft Debut: Replacing Passwords With Fido2 Authentication,” speakers indicted passwords on charges of being not only “clumsy, hard to remember, and in need of change all the time” but also prone to loss in that “1 out of 14 phishing attempts succeeded in 2016” and complicit in “81% of data breaches in 2016 that involved weak, default, or stolen passwords.”
For all the complaints, up until now passwords have proven hard to replace. The best we’ve been able to do is supplement them with a second authentication factor, such as a biometric device, or various kinds of one-time token generators.
At Last Things are Looking Up
The FIDO Alliance has brought together many types of vendors – OS, security hardware, authentication, browsers – to create good passwordless sign-in options. FIDO2 offers a single-factor passwordless sign-in experience that is much easier and better than remembering and typing passwords. If all goes well, passwords will still have a role as the second factor when more than a gesture at a security token is needed for increased assurance. But passwords’ role could be greatly reduced.
How do They Do It?
FIDO2 accomplishes its assurance + usability hat trick by enabling passwordless sign-in with a secure token activated by a simple human gesture, such as pushing a button to prove presence and readiness to transact. FIDO2 then provides cryptographic registration, signing, and key management protocols to leverage that initial authentication event across multiple devices, servers, service providers, and applications.
Dave Bossio, Microsoft’s Group Program Manager for Operating System Security, demonstrated FIDO2 WebAuthn support in the Edge browser. Microsoft announced: “With the next Windows 10 update, we’re adding a limited preview of our FIDO2 security key support. This new capability will give your employees the ability to sign in to an Azure Active Directory-joined Windows 10 PC without a username or password. All they will need to do is insert a FIDO2 compliant security key into their USB port and tap. They’ll be automatically signed in to the device and they’ll get single-sign-on access to all your Azure AD protected cloud resources, as well.”
Google’s Chrome browser and G Suite already supported FIDO’s Universal Second Factor (U2F), which is a standard for interoperable security keys, such as Yubico’s YubiKey. Later this year, Chrome will support the FIDO2 WebAuthn and CTAP specifications as well. Google’s Sam Srinivas, Product Management Director, Google Cloud Security, demonstrated the feature at RSA Conference.
FIDO2 support in iOS and in Linux-based OSs is also needed. Additional vendors and browser developers are stepping up; for example, Firefox supports U2F and FIDO2.
Apple has not participated in the FIDO Alliance. However, there is a rumor that Apple may plan to support FIDO2: A knowledgeable Digital Identity Architect at a major corporation noted that “Apple has recently been making Safari enhancements that only make sense if it plans to implement FIDO 2.0.”
What is FIDO2?
FIDO2 is a framework of specifications designed to replace passwords with credentials that can’t be phished, replayed, or breached when servers are compromised – and to do that without sacrificing user convenience across different types of devices and clients. To activate a FIDO2 credential (e.g., on a security key) users can employ gestures such as the use of PINs, biometrics, or button-pushing. Once the user is authenticated, the specifications enable the authenticator device (which could also be a host computer in its own right) to communicate information about the authentication event to other devices or systems using challenge/response protocols based on asymmetric (public/private) key cryptography.
The core FIDO2 specifications are:
- FIDO Client To Authenticator Protocol (CTAP): CTAP specifies a protocol for communication between a personal device with cryptographic capabilities (aka authenticator) and a host computer that wishes to use these capabilities for security functions including strong user authentication. A person could use his/her phone or another portable security key as the authenticator to transparently and securely log on to notebooks, desktops, connected cars, and other devices. It gets better: A well-known security consultant took the stage at a recent security event as “the girl with the YubiKey earrings!”
- FIDO Attestation: Defines attestation formats used to validate FIDO Authenticators, uses of FIDO 2.0 credentials, and associated user verification methods. FIDO attestation could be mapped as authentication context to federation servers or other conditional/adaptive authentication systems.
FIDO2 also leverages some related specifications:
- Federation Protocol Profiles: These profiles (most still to be developed) will define how particular federation protocols can request and employ FIDO2 authentication and Token Bindings. An OpenID Connect FIDO profile is planned. Other profiles, such as a SAML 2.0 profile, are also possible.
- Token Binding over HTTP: Defines a collection of mechanisms that allow HTTP servers to cryptographically bind authentication tokens (such as cookies and OAuth tokens) to a TLS connection.
- Token Binding Protocol: Enables client/server applications to create long-lived, uniquely identifiable TLS bindings spanning multiple TLS sessions and connections. Applications are then enabled to cryptographically bind security tokens to the TLS layer, preventing token export and replay attacks.
This landing page provides links to all FIDO2 specifications as well as the preceding FIDO UAF and U2F specs.
Privacy and Manageability Benefits from Smart Key Management
Last but not least, FIDO has privacy-enhancing features. FIDO authentication doesn’t require personal data to be shared with a relying party, such as a web site. Not only does this protect the user’s privacy, it also reduces risks for relying parties – in case of a data breach they need have no personal data about their users to lose.
Moreover, FIDO does not require or encourage the user to use a single identity provider (IDP). FIDO manages keys on a per-domain basis, enabling users to have multiple keys for multiple personas. Per-domain keys also increase the chance that an enterprise can authenticate an external user through a credential the user already has, so long as it is issued by an IDP the enterprise trusts. Side note: Remember Microsoft’s InfoCard, aka Cardspace? Same idea.
What’s not to like about FIDO? Apparently not much. A Google search of “FIDO2 limitations”, “FIDO2 challenges”, “FIDO2 problems” comes up with nothing useful (yet). The only limitations I can think of surround adoption: Where is Apple? How long will it take to produce all the federation profiles? What glitches will crop up in the early implementations? How fast will the vendors not yet on board implement it? FIDO plans conformance testing and certifications to encourage quality, but what about all the edge cases like low-power IT devices? Once deployed across broad ecosystems, will FIDO implementations prove quantum-safe, or at least display crypto-agility? Questions or not, it feels like we’re on the right track to lessen our reliance on passwords at last.