Q&A

The FIDO Impetus to Passwordless Authentications

The time is ripe for organizations to implement "phishing-resistant multifactor authentication" via FIDO standards, says advocate Andrew Shikiar.

• By Kurt Mackie
• 02/14/2022

Passwords can be guessed or exposed through phishing attacks. The FIDO Alliance's authentication standards aim to solve the widespread data breach problems associated with password use. Its FIDO2 standard is now integrated in most operating systems, Web browsers and physical security keys, offering resistance to the phished credentials problem.

FIDO2 offers the benefits of "phishing-resistant multifactor authentication," an approach that was recently embraced by the White House's Office of Management and Budget (PDF download). While the FIDO Alliance is mostly focused on passwordless implementations by organizations, it also offers resources for consumers and service providers. Its latest efforts include a passwordless approach to Internet of Things (IoT) devices, plus a coming certification program for IT professionals.

Andrew Shikiar, executive director and chief marketing officer at the FIDO Alliance, described the state of FIDO passwordless authentications in a recent chat.

Redmond: The FIDO Alliance has been around for almost 10 years and the FIDO2 industry standard is currently implemented in many products. So is the passwordless approach starting to catch on?
Andrew Shikiar: Yes, the passwordless approach is absolutely starting to catch on, but I think it's also helpful to look at the broader context. The FIDO Alliance was formed in 2013 to help address a world's dependence on passwords, but the aim really was seeking to address the data breach problem. The fact of the matter is that the vast majority of data breaches involve the use of passwords -- so by attacking the password problem, we're able to also tackle data breaches. The FIDO Alliance has been focused since Day 1 on finding a better way to do strong user authentication. FIDO's underlying approach leverages asymmetric public key cryptography, which is not new in and of itself. PKI [public key infrastructure] has been around for a long time, and smart cards have been around for a long time. The industry's problem has been finding the optimal blend between this level of security while also providing consumer-ready usability. And that's where FIDO's approach is unique -- especially in building an industry standard around those concepts.

The FIDO Alliance has devised specifications to that end?
The FIDO Alliance released two initial sets of specifications in December of 2014. There's the Universal Authentication Framework (UAF), which addresses biometric use cases, such as using your handset biometric to log in, or reauthenticate, instead of a password.

The other specification was the Universal 2nd Factor (U2F) authentication standard, which uses security keys (such as Yubikeys) as a second factor on top of passwords to do multifactor logins in a possession-based, phishing-resistant way. Both of these specifications have the same underlying privacy principles of keeping all biometric data, and all authentication data, stored locally on the device.

What makes them both unphishable is the fact that we're introducing the concept of the authenticator, which in essence allows the device to mediate the authentication process. This stands In contrast to the traditional approach of having a user present knowledge-based credentials when accessing a Website, such as entering a password, or even using a one-time password (OTP) -- both of which can easily be spoofed. Passwords can be stolen, and phishing is wildly successful. There are a ton of stolen credentials on the "dark web," and billions of credentials can be combined for pennies. Even a one-percent success rate is actually a positive return on investment for attackers. Also, the so-called "knowledge-based" password-centric approaches to authentication needed to be improved upon. We realized that to gain scale and really see this vision become reality, a platform approach was needed.

The FIDO Alliance also worked with the World Wide Web Consortium?
Yes, the FIDO Alliance charted a path by collaborating with the Worldwide Web Consortium (W3C), the standards body of the Web itself. The FIDO Alliance was working on something called the "FIDO 2.0 Web APIs," which were submitted to the W3C in late 2015. That's what launched the W3C's Web Authentication Working Group, which of course developed the WebAuthn protocol. After that, this W3C working group worked in parallel with FIDO Alliance's own working group, and we developed a corresponding spec called the "Client To Authenticator Protocol" (CTAP). CTAP basically extends the U2F vision to allow for direct, passwordless logins (versus only second factor) and also enabled a mobile device to serve as the security key. Those two pieces, WebAuthn and CTAP, are the two components of FIDO2. WebAuthn became a formal Web standard in 2019 and we immediately saw support was built into the Chrome, Firefox and Edge browsers, and later in the Safari browser. FIDO2 support has grown to include well over 90 percent of browsers in use today. The platform stakeholders taking part in FIDO Alliance built FIDO support natively into their operating systems as well. So, every Windows 10 PC, every Android 7 or later handset device and every Apple machine now has native support for FIDO authentication. It's also supported across security keys, which are a great option for the enterprise vs. outdated OTP tokens, and a scalable alternative to smart cards.

What's wrong with the current use of passwords, or knowledge-based authentication, for security?  
For starters, there's a fundamental need to understand the delineation between knowledge-based authentication and possession-based authentication.

Legacy multifactor authentication depends on knowledge-based factors. Anything that sits on a server, any knowledge-based factor, can and eventually will be stolen or manipulated out of the user's hands. Also, there are hundreds of millions, or billions, of credential pairs available for sale on the dark Web. Moreover, people don't use unique passwords for each Web site they visit. It's just an unmanageable situation. Stolen credentials can be stuffed into a Web site, or spoofed sites can be used to takeover accounts and gain credentials. A well-designed phishing attack has an over 40 percent success rate. Asking employees or consumers to be a shadow IT team is not really the way to go. So we need to take the human element out of the equation because that's where the risk comes into play.

With possession-based authentication, you're authenticating locally to your device; you're proving possession of your device. And the device then handles the authentication process with the server. This FIDO approach uses asymmetric public key cryptography approach -- whereby instead of having a password on a server and a knowledge secret stored in your head (or on a sticky note, more likely), you put a public key on the server, and then a private key is kept safely encrypted on the device in what we call the authenticator. Unlike a password, if someone steals my public key, it doesn't matter. There's no value to that public key. The private key is local on the device's authenticator. And the only way for that private key to be activated is for me to verify myself to the device -- which I can do with a biometric or local PIN, or by simply inserting or touching a security key. Nothing unique to me gets transmitted over the network -- only the encrypted communication between the keys. There's nothing to hack and nothing to steal. This approach shuts down the threat of remote attackers which are causing so much disruption because the bar is so low. We want to raise that bar and make it harder and more expensive for someone to be a professional hacker.

Is a Trusted Platform Module (TPM) Chip Needed for FIDO2 Authentications?
It is important to note that the FIDO Alliance certifies authenticators at different levels. A Level 1 authenticator means that the authenticator complies with the relevant FIDO specs and there's also a security audit performed by FIDO's certification team. A Level 2 authenticator must support a Restricted Operating Environment or ROE, such as a Trusted Execution Environment (TEE) or Secure Enclave (SE). These Level 2 authenticators are protected against malware and other remote software attacks. An L3 authenticator takes things a step further by also protecting against local hardware or brute force attacks. The vast majority of use cases -- like mainstream consumer authentication use cases -- are suited for L1 authenticators. But for more specialized or sensitive use cases (for example banking or government services), the service provider may want to specify L2 or higher levels. A relying party, the service provider or the enterprise, can use FIDO's metadata service to look up the attributes of an authenticator and grant access or not. They also can feed that data into a risk engine.

Will the U.S. government's recent memorandum recommending the use of phishing-resistant multifactor authentication spur FIDO2 use, and can smart cards be used?
We've been very fortunate to be able to engage with the U.S. government, which is a member of the FIDO Alliance. We're very happy with this updated guidance from the White House's Office of Management and Budget. Yes, smartcards are multifactor authentication, and it's something you have in your possession. It occurs using personal identity verification (PIV) cards and common access cards (CAC), which are very secure but are more expensive and time-consuming to deploy -- plus they primarily only work inside a federal agency. What's so significant about this announcement is that for the first time the federal government is also promoting the use of phishing-resistant authenticators to achieve the same means -- which includes both FIDO2 Security Keys as well as platform authenticators, such as Microsoft's Windows Hello. They also want agencies with citizen-facing applications to enable and require phishing-resistant authentications. While this initiative is pointed only at federal agencies, it is likely that regulated industries will follow suit -- which is why we see this as a watershed moment

Does the FIDO Alliance target consumers with the passwordless message?
We've yet to really push a consumer brand as our focus is very business-to-business centric. But if you look at consumer-oriented companies like eBay, it implemented WebAuthn and FIDO, giving users the option of using a device biometric instead of a password. There are several consumer-facing companies enabling it, such as Twitter, Dropbox and Facebook, as well as GitHub. They all are supporting FIDO.

We do have a Web site, called Login with FIDO, that serves two primary purposes. First, it has common-language explanations of what FIDO authentication is all about, which is suitable for consumers that wish to learn more. Secondly, the site is also meant to be a resource for service providers deploying FIDO to answer questions or provide more information for consumers. On a related note, last year we released user experience guidelines for service providers seeking to deploy FIDO to platform authenticators. It gives best practices on how to do it and what the enrollment steps should be for users, what language to use, iconography, etc. -- all based on very extensive research that we did on user logins. I know several banks are looking to use those guidelines for their own implementations to bring FIDO logins to consumers at scale.

What future efforts can we expect to see from the FIDO Alliance?
Our goal is to reduce reliance on passwords, but phishing attacks are still growing and data breaches are still happening, so we need to keep driving this technology. We'll be launching a FIDO Certified Professional Program to enable the next wave of information workers to be better prepared.

Our overall mission is to move past knowledge-based authentication in favor of modern FIDO authentication. But it doesn't just include user authentication. When you consider the threat of passwords in unmanned devices, you can quickly see the need for applying a FIDO approach to IoT. And we've done that through the first release of our FIDO Device Onboard specification, which will be a greater and greater focus for the FIDO Alliance in 2022 and beyond.