

02:30 PM
John Fontana

WebAuthn, FIDO2 Infuse Browsers, Platforms with Strong Authentication

New standards offer protection against hacking, credential theft, phishing attacks, and hope for the end of an era of passwords as a security construct.

The Internet began without an identity layer and has suffered since with a password retrofit, but new open, standards-based innovations for protecting log-ins to applications on the web, desktop, and mobile devices are ready for service providers and end users hoping for better access controls.

Two modern authentication innovations born from collaboration between the World Wide Web Consortium (W3C) and the FIDO Alliance now offer cross-platform standards that enable strong authentication based on battle-tested public key cryptography.

These authentication upgrades, combined with a palatable user experience, are today's hope that tomorrow begins to end reliance on passwords as a security construct.

The standards, known under the banner FIDO2, offer protection against account hacking, credential theft, and phishing attacks that have plagued the Internet to the tune of billions of credentials stolen over the past few years. In addition, FIDO2 privacy principles protect users by guarding cryptographic keys and preventing sharing of user data among website operators.

This effort is not about more security add-ons, third-party helper apps, or unfamiliar user requirements. It's about native authentication technology built into native platforms, web browsers, operating systems such as Windows and Android, and devices, including hardware-backed credential protection using technologies such as a Trusted Platform Module (TPM).

FIDO2 represents the building blocks to go beyond basic log-in and specify the first strong authentication standard for the web — thus providing users secure credentials that resist attack.

What Is FIDO2?
Simply put, FIDO2 has two pieces that can work together or separately: an application programming interface (API) and a set of rules for transmitting data between devices (a protocol). Both were introduced in April before the annual RSA conference.

The Web Authentication API (WebAuthn), developed by the W3C, is already part of Google Chrome (since version 67), Firefox (since version 60), and, recently, Microsoft Edge. WebAuthn is now a native feature of modern browsers, and authentication is no longer an Internet retrofit or add-on.

The WebAuthn API allows an end user to register a public key credential with a specific website using a FIDO-based authenticator, and for that same user to subsequently use that credential to log in to that website. Registration operations can be repeated on an infinite number of websites, each one creating a new set of public and private keys bound to a specific website.
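The site binding described above is something the website (the relying party) checks on every log-in. The following is an added example, not code from the article or from the W3C or FIDO Alliance: a Node.js sketch of those checks using only the built-in crypto module. The helper names `makeAssertion` and `verifyAssertion`, the `example.com` and `examp1e.com` origins, and the software key pair standing in for a hardware authenticator are assumptions made for illustration.

```javascript
const crypto = require('node:crypto');

const sha256 = (data) => crypto.createHash('sha256').update(data).digest();

// Stand-in for browser + authenticator. The browser, not the page, fills in `origin`;
// the authenticator signs authenticatorData || SHA-256(clientDataJSON).
function makeAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  // authenticatorData: rpIdHash (32 bytes) | flags (1 byte, 0x01 = user present) | signCount (4 bytes)
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x01, 0, 0, 0, 1])]);
  const signed = Buffer.concat([authenticatorData, sha256(clientDataJSON)]);
  return { clientDataJSON, authenticatorData, signature: crypto.sign('sha256', signed, privateKey) };
}

// Relying-party side: returns 'ok' or the reason the assertion is rejected.
function verifyAssertion(assertion, expected) {
  const clientData = JSON.parse(assertion.clientDataJSON.toString('utf8'));
  if (clientData.type !== 'webauthn.get') return 'wrong type';
  if (clientData.challenge !== expected.challenge) return 'challenge mismatch';
  if (clientData.origin !== expected.origin) return 'origin mismatch';
  const rpIdHash = assertion.authenticatorData.subarray(0, 32);
  if (!rpIdHash.equals(sha256(expected.rpId))) return 'rpId mismatch';
  if ((assertion.authenticatorData[32] & 0x01) === 0) return 'user not present';
  const signed = Buffer.concat([assertion.authenticatorData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, expected.publicKey, assertion.signature) ? 'ok' : 'bad signature';
}

// Constructed scenario: one key pair per site, as the paragraph above describes.
function demo() {
  const site = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const other = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  const challenge = crypto.randomBytes(32).toString('base64url');
  const expected = { rpId: 'example.com', origin: 'https://example.com', challenge, publicKey: site.publicKey };
  const genuine = makeAssertion(site.privateKey, 'example.com', 'https://example.com', challenge);
  const elsewhere = makeAssertion(other.privateKey, 'examp1e.com', 'https://examp1e.com', challenge);
  return {
    genuine: verifyAssertion(genuine, expected),
    otherOrigin: verifyAssertion(elsewhere, expected),
    staleChallenge: verifyAssertion(genuine, { ...expected, challenge: 'a-newer-challenge' }),
  };
}

console.log(demo());
```

An assertion produced on any other origin fails before the signature is even examined, and one captured earlier fails on the challenge, which is why a credential of this kind is of no use to a look-alike site.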

The second piece of FIDO2, the Client to Authenticator Protocol (CTAP), allows for device-to-device strong authentication over USB, NFC, or Bluetooth. FIDO2, developed by the FIDO Alliance, lets users authenticate on one device (for example, a smartphone) and use that authentication to log in to web apps or operating systems running on a different device.

CTAP adds new authentication schemes to the FIDO palette, including user verification on a device, authenticating to a local device (such as a laptop), or authenticating a user to an online service being accessed from another local device.

Where Is This Headed?
FIDO2's goal is a standardized, universal authentication platform with password-less, biometric, and device-based authentication options to support any number of consumer or business use cases.

The W3C builds standards for web browsers, which means WebAuthn will become the foundational underpinning for a standard authentication mechanism that works across platforms.

The target audience is consumers and enterprises that want strong authentication for protecting access to resources and data on the web or other computing platforms. In addition, FIDO2 embraces developers by eliminating the complexity of building security and strong authentication into their apps. The requirement now is just an API call.

What to Expect
Today, the W3C has WebAuthn approved for implementation and is working toward formal standardization. Hurdles to worldwide adoption exist, however, including building support among website operators and igniting a cultural shift among end users looking to replace breach fatigue with stronger authentication.

The FIDO Alliance is continuing to expand. It has incorporated its second-factor specification, called Universal Second Factor (U2F), into CTAP version 1 and is nearing completion on a CTAP version 2 that will add PIN capabilities for operations such as transactions. FIDO's Universal Authentication Framework (UAF) also is aligning with FIDO2 principles.

The W3C is adding depth and breadth to the opportunity with a palette of Web specs for security, cryptography, and payments that can integrate WebAuthn for secure authentication.

The goal is that the current trend of stolen credentials via phishing or man-in-the-middle attacks will fade for those who adopt FIDO2 capabilities. And regulations such as General Data Protection Regulation and PSD2, while rooted in Europe, will affect the authentication choices of website operators and end users around the world.

With the first core tenets of FIDO2 already available, and fine-tuning underway for WebAuthn and CTAP, the adoption barriers are lowered and the promise of a more secure Internet is well within sight.


John Fontana tracks authentication and identity standards for Yubico. He also sits on the FIDO Alliance Board and is the co-chair of the W3C WebAuthn Working Group. Previously, he followed all things identity for Ping Identity. He spent 15 years as a tech journalist for a ...

User Rank: Apprentice
4/6/2020 | 4:55:02 AM
Re: Thanks for sharing
Thanks for sharing, that was great information to know about
User Rank: Apprentice
9/21/2018 | 5:20:21 AM
Thanks for sharing
User Rank: Apprentice
9/19/2018 | 6:39:32 PM
Re: Fake website detection?
It feels to me that a fake website can a) not use data from the key to do a login to the actual site, but b) can fool me into thinking everything is fine and try to collect personal information, until I realize something is amiss. I think the loop needing closing here is that my action to insert the key should cause the browser to give feedback that "site did not authenticate to any key pair, so are you sure this site is legit?" Rich
User Rank: Author
9/19/2018 | 5:43:33 PM
Re: Fake website detection?
When you register your FIDO device with a web site, the device creates an origin-specific key pair. Those keys are bound to that origin (e.g. www.darkreading.com). If a hacker attempts to divert your session to a different web site, the key will not recognize that site as being associated with your key pair, and will not issue a signature (i.e. authentication fails). This origin concept is key to FIDO's privacy assurances.
User Rank: Apprentice
9/19/2018 | 5:11:22 PM
Fake website detection?
If I accidentally end up at fake-google.com, can fido2 help me realize that? I stick in my key, the site says everything is fine, but the key didn't do anything. How do I recognize this? Thanks.