Q&A
Yubico Shares Expertise on How To Get to Passwordless
Yubico experts explained the state of the art in getting to phishing-resistant multifactor authentication.
This month, I chatted with Yubico experts Erik Parkkonen, solutions architect, and Derek Hanson, vice president of standards and alliances, on the passwordless goal for organizations and where we are at this point.
Organizations greatly need phishing-resistant multifactor authentication to ward off attacks, so why aren't they using existing technologies, such as Fast IDentity Online 2 (FIDO2)-based authenticators? Yubico makes authentication keys and is a founding member of the FIDO Alliance. Yubico, based in Santa Clara, Calif., and Stockholm, Sweden, also partners with Microsoft to support businesses in enabling passwordless authentication.
In this Q&A, Parkkonen and Hanson explained the current state of the art with passwordless. In essence, FIDO2 is very close to supporting a passwordless world across all device platforms.
Redmond: Can organizations go passwordless today using FIDO2 technologies across platforms?
Parkkonen: If an organization wants to go all the way passwordless, they probably can get really close to that reality. Microsoft Entra ID [formerly "Azure Active Directory"] has been supporting FIDO2 passwordless since March of 2021, I believe. It started small, with Web sign-in and Windows sign-in, on Windows itself, but then it's been a slow march forward: native apps, macOS, Web sign-in, Chromebooks. And now we're starting to see more interesting use cases, such as with RDP [Remote Desktop Protocol], so accessing remote desktops using FIDO2 security keys to sign in to that desktop. And then once inside the desktop, continuing to use your security key for other sites and other authentication purposes.
A really interesting case right now is with Azure Virtual Desktop, where you can use FIDO2 security keys in a similar fashion. Most recently, there has been iOS and Safari support. We're starting to see it [FIDO2 passwordless] trickling into the mobile space -- that is, we can now use FIDO2 passwordless with Entra ID with iOS and Safari. This means that Web applications now support FIDO2 passwordless on iPhones and iPads. The big areas that I didn't mention, that still lack FIDO2 passwordless support, are native apps on iOS and macOS, and there is also no support on Android today.
What are passkeys, and are they broadly supported, at present?
Parkkonen: The iOS platform does support FIDO2 and has passkey support. Passkeys are simply FIDO2 credentials that allow for usernameless and passwordless sign-in flows, like those supported with Microsoft Entra ID. However, Microsoft Entra ID has only enabled the support so far for iOS Web applications, namely Safari browser web applications, so native apps, like the Microsoft Teams app or the Microsoft 365 app, don't support it yet.
With Android, on the other hand, the platform itself does support FIDO, but when using security keys it lacks support for features like user verification, which is where you're using your FIDO2 security keys and you're either prompted for a PIN or for biometrics. Also, the Android platform doesn't support FIDO2 passkeys on security keys, which allows for that usernameless, passwordless sign-in flow. Since the Android platform doesn't support these, Microsoft would have to do additional things to get that kind of FIDO2 passwordless support for native Android apps.
If you wanted more technical terminology, the Android platform doesn't have support for CTAP2 [Client to Authenticator Protocol 2]. Android supports CTAP1, but CTAP2 has all those additional capabilities that I was talking about and that does not yet exist natively on the Android platform.
Is there a target date for CTAP2 Android support?
Hanson: No, to the best of my knowledge, there are no public announcements from Google on support and I haven't heard any public committed dates. Android is the largest mobile platform outside the United States, and so the lack of support impacts a lot of people's ability to authenticate using passwordless MFA [multifactor authentication] or passkeys, which are foundational features to unlock the passwordless future.
How do Certificate-Based Authentication (CBA), recently promoted by Microsoft, and FIDO2 passwordless relate, or do they?
Parkkonen: Certificate-Based Authentication and FIDO2 passwordless are two separate authentication methods that don't really have any overlap today, although the YubiKey 5 Series and the YubiKey 5 FIPS Series support both of them. CBA is supported on the Microsoft Entra ID platform, but it's also called "smart cards" or "PIV" [Personal Identity Verification] elsewhere. All of those terms are often used interchangeably. Entra ID added support for CBA back in October 2022. In February 2023, Microsoft started adding mobile support for Certificate-Based Auth with YubiKey. With the mobile support, if you have a smart card certificate on a YubiKey, you can plug that into your mobile device or scan it with NFC [near field communications] and it's able to authenticate with that smart card. All of this CBA support is completely separate from the FIDO2 passwordless support that Entra ID also supports.
So, we've got PIV (smart cards), CBA (certificates) and FIDO2 -- are they different solutions to the same problem?
Hanson: It helps to know why smart card and certificate technologies exist and why they're deployed. With PIV, you get to see some of that person's identity. Verification cards, certificates, smart cards -- those are all phrases about a technology that has been around for a very long time, which uses public-private key crypto for users to authenticate. The certificates are signed objects that a server gives back to a user, saying "I trust this user," and it's associated with a key. And that key can be stored on a card, or it can be stored on something like a YubiKey. It even can be stored on a mobile phone. With public key cryptography, the security is anchored around the protection of the key, which is why the key is in a physical device, such as a card, YubiKey or phone.
The reason that public-private key cryptography was so important is that you couldn't be tricked into giving away the key, which was protected in the hardware. That stood in contrast to everything that was going on with passwords. And really, the problem that we're talking about today is that smart cards were adopted because passwords were weak, and we needed a better solution.
So, the real problem is the use of passwords?
Hanson: People have worked on the password problem for a very long time, trying to Band-Aid it, when we needed to rip it out. The Band-Aids were the traditional definitions of MFA, so you'd get a text message that had a code, or hardware would use a one-time password code, or we did push app notifications. All of those things, ultimately, were subject to the same basic phishing attacks. The problem is those phishing attacks have become easy to do at scale. And they're cheap to run at scale.
If phishing has been such a big problem, and we've had solutions such as certificates or smart cards, then why isn't everyone using smart cards?
Hanson: It's because the way we implemented smart cards was very heavy. It was designed by government and enterprise for critical infrastructure and for protecting their environments. What came out of that was PKI, or public key infrastructure, and it included all of the services around how certificates get issued, how to get a device, create a key and get that certificate -- all the processes. It became very heavy, and that was never going to work for consumer-facing services, for government-to-citizen facing services, because the scale was a challenge. And so that's actually why FIDO was built on the exact same foundation of public key crypto. The idea is to have users self-register credentials, and do all of the stuff in hardware, where we didn't have all the heavy public key infrastructure impeding our ability to roll this out en masse to users.
Where are we with passwords, multifactor authentication and the new technologies being rolled out? Is FIDO2 ("passwordless MFA") ready for primetime?
Hanson: The answer to that latter question is "almost." Passwords have been able to mature in enterprise and consumer settings for decades, but we're really just five years into the journey of FIDO2 passwordless multifactor authentication. And we've seen some evolutions. That's why Erik referred to passkeys. Google and Apple had been talking about how do we change this public key crypto solution to make it even more accessible to people, and so that's where they've been talking about passkeys, aimed at consumer users. This renewed effort at passkeys that Google and Apple are making for consumers is also benefiting the enterprise space and expanding where passkeys on YubiKeys can also be used.
Is FIDO2 also a good solution to the phishing problem faced by businesses?
Hanson: What has been going on with Microsoft and our partnership is we're focused on the high-assurance use cases for enterprises and businesses to prevent phishing. We can do that with certificates for legacy applications and environments. And we can do that with FIDO for small-and-medium businesses that are just coming on board and don't have that legacy back office, or the need to build a large infrastructure to support certificates.
But there are still gaps with FIDO2 on the mobile device side?
Hanson: Yes, and we have a few gaps around how we enable enterprises to issue FIDO credentials. Those are all known problems, but we're starting to make progress. Enterprises should consider two perspectives: how they secure their solutions and how they prevent the phishing of users. It'll likely be a blending of two technologies, certificates and passwordless, to defend the enterprise. That'll be the case because enterprises typically must deal with multiple generations of solutions, not just the latest ones. From mainframes through Active Directory on premises, through Entra ID in the cloud, we have different authentication solutions for preventing phishing, based upon who the user is, the application that they're accessing and the class of workstation that they have.
If you're still on Windows 7, you're going to use a certificate and the experience is going to be painful. But if you're on Windows 11, and you've got the best, latest and greatest, we can use FIDO and we can do a lot more things to really improve that experience, while we're fighting that phishing problem. So, the best tools are FIDO and certificates.
With FIDO2, will government agencies give up their PIV cards?
Hanson: I don't know that giving up the PIV card is necessarily the right angle. Many government agencies have years invested in their certificate-based infrastructures, which do secure their applications. But they need a more usable solution because those certs, smart cards and badges don't work on mobile phones -- there are just all sorts of challenges. And so, for the foreseeable future, large organizations, like U.S. federal departments, likely will see a blending of the certificates and the PIV cards with the adoption of new FIDO-based authentication.
The PIV cards for the government use cases do so much more than just sign the user into the computer. They're actually the identification documents that show whether or not you're eligible to even have a credential to sign in. The PIV card largely follows the old authentication model in NIST 800-163, which combined "who are you" with "how you signed in." It's referred to as "levels of assurance." And that was changed in NIST 800-163 Rev. 3, and in the current draft of Rev. 4, where we're seeing how you sign in, and who you are, are two different things. The government is going to need to make a long-term investment to decouple identification and authentication, which will allow their employees, their contractors and everyone else to have greater flexibility on how they actually sign in.
Is it easy for IT pros to set up FIDO2 keys for their environment?
Parkkonen: We do have guides and professional services that can help, but I think it is getting to the point where it's technically easy to enable it for many organizations. IT pros can set up a demo with just a few clicks and enable the features for a small pilot group of users. However, before getting far in the journey, IT pros should look at the full lifecycle for their users. You have this massive rollout of FIDO2 passwordless and how are you going to do that? Will you ship hardware, such as YubiKeys, and how are you going to get those keys into the hands of the users? How will you do the training? Users can have keys in hand, but they're just too busy and haven't taken the time to figure out how to use them.
Conditional access control is another consideration. Start putting those enforcement mechanisms into place to break users' habits by using conditional access. This will get them to stop using their passwords and One-Time Passcodes and start using phishing-resistant auth instead. Account recovery is another important area. Make sure that you can recover if your users have lost their authenticators.
Setting up self-service account recovery is probably the best way to reduce help desk costs for your IT organization. If using security keys, the best way to support self-service is by registering more than one key. Evaluate what recovery looks like without self-service and if you lost your only authentication method. If you are using a knowledge-based recovery mechanism, such as answering questions from the helpdesk, would it really be secure enough for your organization? And also think about how the user will continue to be productive while they wait for a new authenticator to be issued to them. Make sure the user is using phishing-resistant auth through all aspects of recovery.
Do the Microsoft Authenticator App and the Yubico Authenticator App perform the same functions?
Parkkonen: In general, the Microsoft Authenticator App can be used as a passwordless sign-in mechanism, or as a second factor on top of a password, via a mobile push notification. Yubico Authenticator has similar second-factor MFA capabilities. We support OTP [One-Time Passcode] protocols with Yubico Authenticator using TOTP, which is a time-based rolling code that changes every 30 seconds as a second factor for passwords. Yubico Authenticator offers a great way to fill in those gaps that we talked about before where FIDO2 passwordless isn't supported yet. You can have your users using the same key to support OTP and FIDO2.
For FIDO2 passwordless, those two Authenticator apps aren't required at all. For Certificate-Based Authentication, however, there may be some dependencies for deployment when using mobile devices.
Did the work-from-home shift over the last couple of years have an effect on the adoption of passwordless technologies?
Hanson: It fundamentally changed how IT administrators considered deploying technology. Onboarding used to be a time when you came into the office, met with HR and then went to your desk to connect. IT departments perhaps didn't know what to do when they had to onboard a remote employee. Now they have to be able to onboard anyone anywhere and get them a laptop with Windows Autopilot setups. As for getting YubiKeys to employees, Yubico has a couple of services to help IT administrators deliver them to specific addresses, which we announced in the first months of the pandemic.