John Fontana

WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication

New standards offer protection against hacking, credential theft, phishing attacks, and hope for the end of an era of passwords as a security construct.

The Internet began without an identity layer and has suffered since with a password retrofit, but new open, standards-based innovations for protecting log-ins to applications on the web, desktop, and mobile devices are ready for service providers and end users hoping for better access controls.

Two modern authentication innovations born from collaboration between the World Wide Web Consortium (W3C) and the FIDO Alliance now offer cross-platform standards that enable strong authentication based on battle-tested public key cryptography.

These authentication upgrades, combined with a palatable user experience, are today's hope that tomorrow begins to end reliance on passwords as a security construct.

The standards, known under the banner FIDO2, offer protection against account hacking, credential theft, and phishing attacks that have plagued the Internet to the tune of billions of credentials stolen over the past few years. In addition, FIDO2 privacy principles protect users by guarding cryptographic keys and preventing sharing of user data among website operators.

This effort is not about more security add-ons, third-party helper apps, or unfamiliar user requirements. It's about native authentication technology built into native platforms, web browsers, operating systems such as Windows and Android, and devices, including hardware-backed credential protection using technologies such as a Trusted Platform Module (TPM).

FIDO2 represents the building blocks to go beyond basic log-in and specify the first strong authentication standard for the web — thus providing users secure credentials that resist attack.

What Is FIDO2?
Simply put, FIDO2 has two pieces that can work together or separately: an application programming interface (API) and a set of rules for transmitting data between devices (a protocol). Both were introduced in April before the annual RSA conference.

The Web Authentication API (WebAuthn), developed by the W3C, is already part of Google Chrome (since version 67), Firefox (since version 60), and, recently, Microsoft Edge. WebAuthn is now a native feature of modern browsers, and authentication is no longer an Internet retrofit or add-on.

The WebAuthn API allows an end user to register a public key credential with a specific website using a FIDO-based authenticator, and then to use that credential to log in to that website. Registration can be repeated on any number of websites, each registration creating a new public/private key pair bound to that specific website.

The second piece of FIDO2, the Client to Authenticator Protocol (CTAP), allows for device-to-device strong authentication over USB, NFC, or Bluetooth. FIDO2, developed by the FIDO Alliance, lets users authenticate on one device (for example, a smartphone) and use that authentication to log in to web apps or operating systems running on a different device.

CTAP adds new authentication schemes to the FIDO palette, including user verification on a device, authenticating to a local device (such as a laptop), or authenticating a user to an online service being accessed from another local device.

Where Is This Headed?
FIDO2's goal is a standardized, universal authentication platform with password-less, biometric, and device-based authentication options to support any number of consumer or business use cases.

The W3C builds standards for web browsers, which means WebAuthn will become the foundational underpinning for a standard authentication mechanism that works across platforms.

The target audience is consumers and enterprises that want strong authentication for protecting access to resources and data on the web or other computing platforms. In addition, FIDO2 embraces developers by eliminating the complexity of building security and strong authentication into their apps. The requirement now is just an API call.

What to Expect
Today, the W3C has WebAuthn approved for implementation and is working toward formal standardization. Hurdles to worldwide adoption exist, however, including building support among website operators and igniting a cultural shift among end users looking to replace breach fatigue with stronger authentication.

The FIDO Alliance is continuing to expand. It has incorporated its second-factor specification, called Universal Second Factor (U2F), into CTAP version 1 and is nearing completion on a CTAP version 2 that will add PIN capabilities for operations such as transactions. FIDO's Universal Authentication Framework (UAF) also is aligning with FIDO2 principles.

The W3C is adding depth and breadth to the opportunity with a palette of Web specs for security, cryptography, and payments that can integrate WebAuthn for secure authentication.

The goal is that the current trend of credentials stolen via phishing or man-in-the-middle attacks will fade for those who adopt FIDO2 capabilities. And regulations such as the General Data Protection Regulation (GDPR) and PSD2, while rooted in Europe, will affect the authentication choices of website operators and end users around the world.

With the first core tenets of FIDO2 already available, and fine-tuning underway for WebAuthn and CTAP, the adoption barriers are lowered and the promise of a more secure Internet is well within sight.


John Fontana tracks authentication and identity standards for Yubico. He also sits on the FIDO Alliance Board and is the co-chair of the W3C WebAuthn Working Group. Previously, he followed all things identity for Ping Identity. He spent 15 years as a tech journalist for a ...
Comments
User Rank: Apprentice
9/21/2018 | 5:20:21 AM
Thanks for sharing
User Rank: Apprentice
9/19/2018 | 6:39:32 PM
Re: Fake website detection?
It feels to me that a fake website can a) not use data from the key to do a login to the actual site, but b) can fool me into thinking everything is fine and try to collect personal information, until I realize something is amiss. I think the loop needing closing here is that my action to insert the key should cause the browser to give feedback that "site did not authenticate to any key pair, so are you sure this site is legit?" Rich
User Rank: Author
9/19/2018 | 5:43:33 PM
Re: Fake website detection?
When you register your FIDO device with a web site, the device creates an origin-specific key pair. Those keys are bound to that origin (e.g. www.darkreading.com). If a hacker attempts to divert your session to a different web site the key will not recognize that site as being associated with your key pair, and will not issue a signature (i.e. authentication fails). This origin concept is key to FIDO's privacy assurances.
User Rank: Apprentice
9/19/2018 | 5:11:22 PM
Fake website detection?
If I accidentally end up at fake-google.com, can fido2 help me realize that? I stick in my key, the site says everything is fine, but the key didn't do anything. How do I recognize this? Thanks.