Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.


02:30 PM
John Fontana
John Fontana

WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication

New standards offer protection against hacking, credential theft, phishing attacks, and hope for the end of an era of passwords as a security construct.

The Internet began without an identity layer and has suffered since with a password retrofit, but new open, standards-based innovations for protecting log-ins to applications on the web, desktop, and mobile devices are ready for service providers and end users hoping for better access controls.

Two modern authentication innovations born from collaboration between the World Wide Web Consortium (W3C) and the FIDO Alliance now offer cross-platform standards that enable strong authentication based on battle-tested public key cryptography.

These authentication upgrades, combined with a palatable user experience, are today's hope that tomorrow begins to end reliance on passwords as a security construct.

The standards, known under the banner FIDO2, offer protection against account hacking, credential theft, and phishing attacks that have plagued the Internet to the tune of billions of credentials stolen over the past few years. In addition, FIDO2 privacy principles protect users by guarding cryptographic keys and preventing sharing of user data among website operators.

This effort is not about more security add-ons, third-party helper apps, or unfamiliar user requirements. It's about native authentication technology built into native platforms, web browsers, operating systems such as Windows and Android, and devices, including hardware-backed credential protection using technologies such as a Trusted Platform Module (TPM).

FIDO2 represents the building blocks to go beyond basic log-in and specify the first strong authentication standard for the web — thus providing users secure credentials that resist attack.

What Is FIDO2?
Simply put, FIDO2 has two pieces that can work together or separately: an application programming interface (API) and a set of rules for transmitting data between devices (a protocol). Both were introduced in April before the annual RSA conference.

The Web Authentication API (WebAuthn), developed by the W3C, is already part of Google Chrome (since version 67), Firefox (since version 60), and, recently, Microsoft Edge. WebAuthn is now a native feature of modern browsers, and authentication is no longer an Internet retrofit or add-on.

The WebAuthn API allows an end user to register a public key credential with a specific website using a FIDO-based authenticator, and for that same user to subsequently use that credential to log in to that website. Registration operations can be repeated on an infinite number of websites, each one creating a new set of public and private keys bound to a specific website.

The second piece of FIDO2, the Client to Authenticator Protocol (CTAP), allows for device-to-device strong authentication over USB, NFC, or Bluetooth. FIDO2, developed by the FIDO Alliance, lets users authenticate on one device (for example, a smartphone) and use that authentication to log in to web apps or operating systems running on a different device.

CTAP adds new authentication schemes to the FIDO palette, including user verification on a device, authenticating to a local device (such as a laptop), or authenticating a user to an online service being accessed from another local device.

Where Is This Headed?
FIDO2's goal is a standardized, universal authentication platform with password-less, biometric, and device-based authentication options to support any number of consumer or business use cases.

The W3C builds standards for web browsers, which means WebAuthn will become the foundational underpinning for a standard authentication mechanism that works across platforms.

The target audience is consumers and enterprises that want strong authentication for protecting access to resources and data on the web or other computing platforms. In addition, FIDO2 embraces developers by eliminating the complexity of building security and strong authentication into their apps. The requirement now is just an API call.

What to Expect
Today, the W3C has WebAuthn approved for implementation and is working toward formal standardization. Hurdles to worldwide adoption exist, however, including building support among website operators and igniting a cultural shift among end users looking to replace breach fatigue with stronger authentication.

The FIDO Alliance is continuing to expand. It has incorporated its second-factor specification, called Universal Second Factor (U2F), into CTAP version 1 and is nearing completion on a CTAP version 2 that will add PIN capabilities for operations such as transactions. FIDO's Universal Authentication Framework (UAF) also is aligning with FIDO2 principles.

The W3C is adding depth and breadth to the opportunity with a palette of Web specs for security, cryptography, and payments that can integrate WebAuthn for secure authentication.

The goal is that the current trend of stolen credentials via phishing or man-in-the-middle attacks will fade for those who adopt FIDO2 capabilities. And regulations such as General Data Protection Regulation and PSD2, while rooted in Europe, will affect the authentication choices of website operators and end users around the world.

With the first core tenets of FIDO2 already available, and fine -tuning underway for WebAuthn and CTAP, the adoption barriers are lowered and the promise of a more secure Internet is well within sight.

Related Content:


Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

John Fontana tracks authentication and identity standards for Yubico. He also sits on the FIDO Alliance Board and is the co-chair of the W3C WebAuthn Working Group. Previously, he followed all things identity for Ping Identity. He spent 15 years as a tech journalist for a ... View Full Bio
Comment  | 
Print  | 
More Insights
Newest First  |  Oldest First  |  Threaded View
User Rank: Apprentice
9/21/2018 | 5:20:21 AM
Thanks for sharing
User Rank: Apprentice
9/19/2018 | 6:39:32 PM
Re: Fake website detection?
It feels to me that a fake website can a) not use data from the key to do a login to the actual site, but b) can fool me into thinking everything is fine and try to collect personal information, until I realize something is amis. I think the loop needing closing here is that my action to insert the key should cause the browser to give feedback that "site did not authenticate to any key pair, so are you sure this site is legit?" Rich
User Rank: Apprentice
9/19/2018 | 6:39:27 PM
Re: Fake website detection?
It feels to me that a fake website can a) not use data from the key to do a login to the actual site, but b) can fool me into thinking everything is fine and try to collect personal information, until I realize something is amis. I think the loop needing closing here is that my action to insert the key should cause the browser to give feedback that "site did not authenticate to any key pair, so are you sure this site is legit?" Rich
User Rank: Author
9/19/2018 | 5:43:33 PM
Re: Fake website detection?
When you register your FIDO device with a web site, the device creates an origin-specific key pair. Those keys are bound to that origin (e.g. www.darkreading.com). If a hacker attempts to divert your session to a different web site the key wil not recognize that site as being associated with your key pair, and will not issue a signature (i.e. authentication fails). This origin concept is key to FIDO's privacy assurances.
User Rank: Apprentice
9/19/2018 | 5:11:22 PM
Fake website detection?
If I accidentally end up at fake-google.com, can fido2 help me realize that? I stick in my key, the site says everything is fine, but the key didn't do anything. How do I recognize this? Thanks.
Exploits Released for As-Yet Unpatched Critical Citrix Flaw
Jai Vijayan, Contributing Writer,  1/13/2020
Active Directory Needs an Update: Here's Why
Raz Rafaeli, CEO and Co-Founder at Secret Double Octopus,  1/16/2020
Microsoft Patches Windows Vuln Discovered by the NSA
Kelly Sheridan, Staff Editor, Dark Reading,  1/14/2020
Register for Dark Reading Newsletters
White Papers
Cartoon Contest
Write a Caption, Win a Starbucks Card! Click Here
Latest Comment: This comment is waiting for review by our moderators.
Current Issue
The Year in Security: 2019
This Tech Digest provides a wrap up and overview of the year's top cybersecurity news stories. It was a year of new twists on old threats, with fears of another WannaCry-type worm and of a possible botnet army of Wi-Fi routers. But 2019 also underscored the risk of firmware and trusted security tools harboring dangerous holes that cybercriminals and nation-state hackers could readily abuse. Read more.
Flash Poll
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
[Just Released] How Enterprises are Attacking the Cybersecurity Problem
Organizations have invested in a sweeping array of security technologies to address challenges associated with the growing number of cybersecurity attacks. However, the complexity involved in managing these technologies is emerging as a major problem. Read this report to find out what your peers biggest security challenges are and the technologies they are using to address them.
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
PUBLISHED: 2020-01-17
Spring Framework, versions 5.2.x prior to 5.2.3 are vulnerable to CSRF attacks through CORS preflight requests that target Spring MVC (spring-webmvc module) or Spring WebFlux (spring-webflux module) endpoints. Only non-authenticated endpoints are vulnerable because preflight requests should not incl...
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a deserialization vulnerability if an index file of a parsed heap dump is replaced by a malicious version and the heap dump is reopened in Memory Analyzer. The user must chose to reopen an already parsed heap dump with an untrusted inde...
PUBLISHED: 2020-01-17
It was found that the Red Hat Enterprise Linux 8 kpatch update did not include the complete fix for CVE-2018-12207. A flaw was found in the way Intel CPUs handle inconsistency between, virtual to physical memory address translations in CPU's local cache and system software's Paging structure entries...
PUBLISHED: 2020-01-17
** REJECT ** DO NOT USE THIS CANDIDATE NUMBER. ConsultIDs: CVE-2008-1382. Reason: This candidate is a reservation duplicate of CVE-2008-1382. Notes: All CVE users should reference CVE-2008-1382 instead of this candidate. All references and descriptions in this candidate have been removed to prevent ...
PUBLISHED: 2020-01-17
Eclipse Memory Analyzer version 1.9.1 and earlier is subject to a cross site scripting (XSS) vulnerability when generating an HTML report from a malicious heap dump. The user must chose todownload, open the malicious heap dump and generate an HTML report for the problem to occur. The heap dump could...