Dark Reading is part of the Informa Tech Division of Informa PLC

This site is operated by a business or businesses owned by Informa PLC and all copyright resides with them.Informa PLC's registered office is 5 Howick Place, London SW1P 1WG. Registered in England and Wales. Number 8860726.

Endpoint

9/19/2018
02:30 PM
John Fontana
John Fontana
Commentary
50%
50%

WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication

New standards offer protection against hacking, credential theft, phishing attacks, and hope for the end of an era of passwords as a security construct.

The Internet began without an identity layer and has suffered since with a password retrofit, but new open, standards-based innovations for protecting log-ins to applications on the web, desktop, and mobile devices are ready for service providers and end users hoping for better access controls.

Two modern authentication innovations born from collaboration between the World Wide Web Consortium (W3C) and the FIDO Alliance now offer cross-platform standards that enable strong authentication based on battle-tested public key cryptography.

These authentication upgrades, combined with a palatable user experience, are today's hope that tomorrow begins to end reliance on passwords as a security construct.

The standards, known under the banner FIDO2, offer protection against account hacking, credential theft, and phishing attacks that have plagued the Internet to the tune of billions of credentials stolen over the past few years. In addition, FIDO2 privacy principles protect users by guarding cryptographic keys and preventing sharing of user data among website operators.

This effort is not about more security add-ons, third-party helper apps, or unfamiliar user requirements. It's about native authentication technology built into native platforms, web browsers, operating systems such as Windows and Android, and devices, including hardware-backed credential protection using technologies such as a Trusted Platform Module (TPM).

FIDO2 represents the building blocks to go beyond basic log-in and specify the first strong authentication standard for the web — thus providing users secure credentials that resist attack.

What Is FIDO2?
Simply put, FIDO2 has two pieces that can work together or separately: an application programming interface (API) and a set of rules for transmitting data between devices (a protocol). Both were introduced in April before the annual RSA conference.

The Web Authentication API (WebAuthn), developed by the W3C, is already part of Google Chrome (since version 67), Firefox (since version 60), and, recently, Microsoft Edge. WebAuthn is now a native feature of modern browsers, and authentication is no longer an Internet retrofit or add-on.

The WebAuthn API allows an end user to register a public key credential with a specific website using a FIDO-based authenticator, and for that same user to subsequently use that credential to log in to that website. Registration operations can be repeated on an infinite number of websites, each one creating a new set of public and private keys bound to a specific website.

The second piece of FIDO2, the Client to Authenticator Protocol (CTAP), allows for device-to-device strong authentication over USB, NFC, or Bluetooth. FIDO2, developed by the FIDO Alliance, lets users authenticate on one device (for example, a smartphone) and use that authentication to log in to web apps or operating systems running on a different device.

CTAP adds new authentication schemes to the FIDO palette, including user verification on a device, authenticating to a local device (such as a laptop), or authenticating a user to an online service being accessed from another local device.

Where Is This Headed?
FIDO2's goal is a standardized, universal authentication platform with password-less, biometric, and device-based authentication options to support any number of consumer or business use cases.

The W3C builds standards for web browsers, which means WebAuthn will become the foundational underpinning for a standard authentication mechanism that works across platforms.

The target audience is consumers and enterprises that want strong authentication for protecting access to resources and data on the web or other computing platforms. In addition, FIDO2 embraces developers by eliminating the complexity of building security and strong authentication into their apps. The requirement now is just an API call.

What to Expect
Today, the W3C has WebAuthn approved for implementation and is working toward formal standardization. Hurdles to worldwide adoption exist, however, including building support among website operators and igniting a cultural shift among end users looking to replace breach fatigue with stronger authentication.

The FIDO Alliance is continuing to expand. It has incorporated its second-factor specification, called Universal Second Factor (U2F), into CTAP version 1 and is nearing completion on a CTAP version 2 that will add PIN capabilities for operations such as transactions. FIDO's Universal Authentication Framework (UAF) also is aligning with FIDO2 principles.

The W3C is adding depth and breadth to the opportunity with a palette of Web specs for security, cryptography, and payments that can integrate WebAuthn for secure authentication.

The goal is that the current trend of stolen credentials via phishing or man-in-the-middle attacks will fade for those who adopt FIDO2 capabilities. And regulations such as General Data Protection Regulation and PSD2, while rooted in Europe, will affect the authentication choices of website operators and end users around the world.

With the first core tenets of FIDO2 already available, and fine -tuning underway for WebAuthn and CTAP, the adoption barriers are lowered and the promise of a more secure Internet is well within sight.

Related Content:

 

Black Hat Europe returns to London Dec. 3-6, 2018, with hands-on technical Trainings, cutting-edge Briefings, Arsenal open-source tool demonstrations, top-tier security solutions and service providers in the Business Hall. Click for information on the conference and to register.

John Fontana tracks authentication and identity standards for Yubico. He also sits on the FIDO Alliance Board and is the co-chair of the W3C WebAuthn Working Group. Previously, he followed all things identity for Ping Identity. He spent 15 years as a tech journalist for a ... View Full Bio
Comment  | 
Print  | 
More Insights
Comments
Newest First  |  Oldest First  |  Threaded View
Williamastro
50%
50%
Williamastro,
User Rank: Apprentice
9/21/2018 | 5:20:21 AM
Thanks for sharing
Nice
richalt
50%
50%
richalt,
User Rank: Apprentice
9/19/2018 | 6:39:32 PM
Re: Fake website detection?
It feels to me that a fake website can a) not use data from the key to do a login to the actual site, but b) can fool me into thinking everything is fine and try to collect personal information, until I realize something is amis. I think the loop needing closing here is that my action to insert the key should cause the browser to give feedback that "site did not authenticate to any key pair, so are you sure this site is legit?" Rich
richalt
50%
50%
richalt,
User Rank: Apprentice
9/19/2018 | 6:39:27 PM
Re: Fake website detection?
It feels to me that a fake website can a) not use data from the key to do a login to the actual site, but b) can fool me into thinking everything is fine and try to collect personal information, until I realize something is amis. I think the loop needing closing here is that my action to insert the key should cause the browser to give feedback that "site did not authenticate to any key pair, so are you sure this site is legit?" Rich
jfontana
100%
0%
jfontana,
User Rank: Author
9/19/2018 | 5:43:33 PM
Re: Fake website detection?
When you register your FIDO device with a web site, the device creates an origin-specific key pair. Those keys are bound to that origin (e.g. www.darkreading.com). If a hacker attempts to divert your session to a different web site the key wil not recognize that site as being associated with your key pair, and will not issue a signature (i.e. authentication fails). This origin concept is key to FIDO's privacy assurances.
https://fidoalliance.org/specs/u2f-specs-master/fido-u2f-overview.html
richalt
50%
50%
richalt,
User Rank: Apprentice
9/19/2018 | 5:11:22 PM
Fake website detection?
If I accidentally end up at fake-google.com, can fido2 help me realize that? I stick in my key, the site says everything is fine, but the key didn't do anything. How do I recognize this? Thanks.
97% of Americans Can't Ace a Basic Security Test
Steve Zurier, Contributing Writer,  5/20/2019
How Security Vendors Can Address the Cybersecurity Talent Shortage
Rob Rashotte, VP of Global Training and Technical Field Enablement at Fortinet,  5/24/2019
TeamViewer Admits Breach from 2016
Dark Reading Staff 5/20/2019
Register for Dark Reading Newsletters
White Papers
Video
Cartoon Contest
Current Issue
Building and Managing an IT Security Operations Program
As cyber threats grow, many organizations are building security operations centers (SOCs) to improve their defenses. In this Tech Digest you will learn tips on how to get the most out of a SOC in your organization - and what to do if you can't afford to build one.
Flash Poll
Twitter Feed
Dark Reading - Bug Report
Bug Report
Enterprise Vulnerabilities
From DHS/US-CERT's National Vulnerability Database
CVE-2019-7068
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7069
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have a type confusion vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7070
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .
CVE-2019-7071
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an out-of-bounds read vulnerability. Successful exploitation could lead to information disclosure.
CVE-2019-7072
PUBLISHED: 2019-05-24
Adobe Acrobat and Reader versions 2019.010.20069 and earlier, 2019.010.20069 and earlier, 2017.011.30113 and earlier version, and 2015.006.30464 and earlier have an use after free vulnerability. Successful exploitation could lead to arbitrary code execution .