FIDO 2.0: What happened to 1?
đŸ¶

FIDO 2.0: What happened to 1?

 

So as humans we suck at managing passwords!

 
(Really? You don't agree? Just search on Google for “Breaches due to password leak 2024”, or whichever year you are reading this.)
 

But isn’t this why we have MFA?

 
True, since we suck at keeping passwords secure we came up with MFA. But then some amazing group of people forgot that, just as you need rate limits on password attempts, you need the same on MFA requests. This led to a new kind of attack called MFA fatigue.
 
(Yes, folks behind the FIDO Alliance also suck at managing passwords, MFA and even implementing FIDO2. But you know, it's all good! **nudge**, **nudge**, **wink**, **wink**)
 

What’s FIDO then?

 
So just as Chris Evans in the last scene of Marvel's Endgame manages to bring all the major and medium superfolks back together to fight Thanos, a similar industry alliance was born (granted, not in such a dramatic way as we wanted it to be, but *sigh* nonetheless), believe it or not, way back in 2013, made up of technology, commercial, and government organizations.
The alliance released the FIDO 1.0 authentication standards—which introduced phishing-resistant multifactor authentication (MFA)—in 2014 and the latest passwordless authentication standard—FIDO2 (also called FIDO 2.0 or FIDO 2)—in 2018.
 

Cut the crap and explain it to me please!

 
Cool! So the FIDO alliance (and us folks in the trenches of security wearing our black hoodies) understand that passwords suck! Big time! So they came up with “Passkeys”! (We suck at naming cool new things 99.9% of the time)
 
What are “Passkeys”? They are meant to replace passwords: faster, easier and more secure sign-ins to websites and apps across a user's devices, and they are meant to be strong and phish-resistant!
 

Warning! A lot of technical mumbo jumbo is coming up. If you are not sure about the technical terms, I suggest reading more!

 
FIDO authentication uses standard public key cryptography techniques to provide phishing-resistant authentication. During registration with an online service, the user’s client device creates a new cryptographic key pair that is bound to the web service domain. The device retains the private key and registers the public key with the online service. These cryptographic key pairs, called passkeys, are unique to every online service.
 
With FIDO, the user’s device must prove possession of the private key by signing a challenge for sign-in to be completed. This can only occur once the user verifies the sign-in locally on their device, via quick and easy entry of a biometric, local PIN or touch of a FIDO security key. Sign-in is completed via a challenge-response from the user device and the online service; the service does not see or ever store the private key.
FIDO is designed from the ground up to protect user privacy and prevent phishing. Every passkey is unique and bound to the online service domain. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
 

FIDO2 Defined

 
FIDO2 (Fast IDentity Online 2) is an open standard for user authentication that aims to strengthen the way people sign in to online services to increase overall trust. When a user registers with a FIDO2-supported online service, the client device registered to perform the authentication generates a key pair that works only for that web app or website.
The public key is encrypted and shared with the service, but the private key remains securely on the user’s device. Then, each time the user attempts to sign in to the service, the service presents a unique challenge to the client. The client activates the passkey device to sign the request with the private key and return it. This makes the process cryptographically protected from phishing.
 
The FIDO2 set of specifications has two components: Web Authentication (WebAuthn) and Client-to-Authenticator Protocol 2 (CTAP2).
  • The main component, WebAuthn, is a JavaScript API that is implemented in compliant web browsers and platforms so that registered devices can perform FIDO2 authentication. The World Wide Web Consortium (W3C), the international standards organization for the World Wide Web, developed WebAuthn in partnership with the FIDO Alliance. WebAuthn became a formal W3C web standard in 2019.
  • The second component, CTAP2, developed by the FIDO Alliance, allows roaming authenticators, such as FIDO2 security keys and mobile devices, to communicate with FIDO2-supported browsers and platforms.

Types Of Authenticators:

 
  1. Roaming Authenticators → Portable hardware devices that are separate from the user's client device, including security keys, smartphones, tablets, wearables, and other devices that connect to client devices over USB, near-field communication (NFC) or Bluetooth.
  2. Platform Authenticators → Authenticators embedded in the user's client device, whether a desktop, laptop, tablet, or smartphone. Comprising biometric capabilities and hardware chips for protecting passkeys, platform authenticators require the user to sign in to FIDO-supported services with their client device and then authenticate through the same device, generally with a biometric or a PIN. Examples of platform authenticators that use biometric data include Microsoft Windows Hello, Apple Touch ID and Face ID, and Android Fingerprint.
 

Uhh.. What happened to FIDO 1.0?

 
FIDO2 evolved from FIDO 1.0, the first FIDO authentication specifications released by the alliance in 2014. These original specifications included the FIDO Universal Second Factor (FIDO U2F) protocol and the FIDO Universal Authentication Framework (FIDO UAF) protocol.
 
Both FIDO U2F and FIDO UAF are forms of multifactor authentication, which requires two or three pieces of evidence (or factors) to validate a user. These factors can be something only the user knows (such as a passcode or PIN), possesses (such as a FIDO key or an authenticator app on a mobile device), or is (such as a biometric).
 
  • FIDO U2F → Strengthens password-based authentication with two-factor authentication (2FA), which validates the user with two pieces of evidence. The FIDO U2F protocol requires an individual to provide a valid username and password combination as a first factor, then use a USB, NFC, or Bluetooth device as a second factor, generally authenticating by pressing a button or keying in a time-sensitive OTP. FIDO U2F is the successor to CTAP 1 and the predecessor to CTAP2, which allows individuals to use mobile devices in addition to FIDO keys as second-factor devices.
  • FIDO UAF → Facilitates multifactor passwordless authentication. It requires an individual to sign in with a FIDO-registered client device—which confirms the user's presence with a biometric check, such as a fingerprint or face scan, or with a PIN—as a first factor. The device then generates the unique key pair as a second factor. A website or app can also use a third factor, such as a biometric or the user's geographic location. FIDO UAF is the predecessor to FIDO2 passwordless authentication.
 
 

Check out my other blog posts here ✏

If you want to chit-chat, discuss security topics, learn how to get into security or just plain hang out, feel free to reach out via my socials or set up a mentoring call.