November 4, 2019

FIDO2 Is The Passwordless Evolution Of FIDO

In March 2019 the World Wide Web Consortium (W3C) published the Web Authentication (WebAuthn) specification as an official web standard (a W3C Recommendation), an announcement the FIDO Alliance promoted alongside it. WebAuthn is the browser-facing half of FIDO2, the project the Alliance had introduced in 2018 to bring a passwordless evolution to its standards.

FIDO Revisited

The Fast IDentity Online (FIDO) Alliance is an open industry association with more than 250 member companies, including Aetna, Amazon, American Express, Bank of America, Facebook, Google, Intel, Mastercard, Microsoft, PayPal, Samsung, and Visa. FIDO's mission is focused: develop open authentication standards that reduce the world's dependence on passwords as a means of online identity authentication.

We have talked before about life beyond passwords, and the FIDO alliance was born to help make that a reality. According to the fidoalliance.org website:

“The FIDO Alliance is working to change the nature of authentication with open standards that are more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage.

The FIDO Alliance works to fulfill its mission by:

    • Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users
    • Operating industry certification programs to help ensure successful worldwide adoption of the specifications
    • Submitting mature technical specification(s) to recognized standards development organization(s) for formal standardization”

For implementing authentication beyond a password (and perhaps an OTP), companies have traditionally been faced with an entire stack of proprietary clients and protocols. FIDO changes this by standardizing the client and protocol layers. This enables a broad ecosystem of client authentication methods, such as biometrics, PINs and second-factor devices, that can be used with a variety of online services in an interoperable manner. There are three core ideas driving FIDO:

  1. Ease of use
  2. Privacy and security
  3. Standardization

The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user's client device creates a new key pair that is unique to that service. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a fresh challenge issued by the service; because the signature also covers the origin the client observed, a response captured or relayed by a look-alike site is rejected, and because keys are never shared across services, they cannot be used to correlate a user between sites. The client's private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

How Is FIDO2 Different?

FIDO2 combines the World Wide Web Consortium's (W3C) Web Authentication specification (WebAuthn), which a web application calls through the browser, with the FIDO Alliance's corresponding Client to Authenticator Protocol (CTAP), which the browser or platform uses to talk to an external authenticator such as a security key or a phone. Together they let common devices authenticate securely and easily in both mobile and desktop environments and accelerate the industry's shift away from passwords. According to the FIDO Alliance website, the difference between FIDO and FIDO2 is:

“The specifications under FIDO2 support existing passwordless FIDO UAF and FIDO U2F use cases and expand the availability of FIDO Authentication. Users that already have external FIDO-compliant devices, such as FIDO security keys, will be able to continue to use these devices with web applications that support WebAuthn. Existing FIDO UAF devices can still be used with pre-existing services as well as new service offerings based on the FIDO UAF protocols.”

So, put simply, FIDO2 combines WebAuthn and CTAP to deliver a truly passwordless evolution of FIDO U2F: existing U2F security keys keep working as second factors (U2F lives on as CTAP1), while CTAP2 authenticators with a PIN or biometric can replace the password entirely.


FIDO2 Certified

Acceptto is the industry's first solution providing an innovative, patented Biobehavioral™ authentication platform that continuously monitors and manages access to cyber resources. The Acceptto solution supports both FIDO UAF 1.0 and FIDO 2.0 servers. It integrates easily with your iOS app and the Acceptto FIDO server to add secure FIDO authentication via the device's sensors (for example Touch ID or Face ID) or a PIN code, providing stronger security and a simpler, frictionless passwordless experience for legitimate users.

Acceptto's eGuardian engine continuously creates and monitors user behavior profiles based on the user's interaction with the It'sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to refine the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AI/ML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI and ML, expert systems and SMEs to classify, detect and model behavior, and assigns real-time risk scores to continuously validate your identity before, during and after authentication.

Download the Acceptto FIDO whitepaper today, then see what Acceptto can do to let your employees, partners and customers authenticate without passwords while preserving security and privacy by registering for a free demo.
