A world with no passwords and how FIDO2 can help make it happen
Monday, May 13, 2019
Richard Harris
Is it possible to have a world with no passwords? What if users could use secure software without having to sign in? Learn how FIDO2 can make it all happen through a conversation with Arshad Noor, the CTO of StrongKey, a frequent speaker at forums such as RSA, ISACA, OWASP, and the ISSE.
93.2 percent of the overall web browser market has embraced FIDO2: Google Chrome, Microsoft Edge, Apple Safari, Mozilla Firefox, and Opera.
The FIDO Alliance is driven by hundreds of global tech leaders across enterprise, payments, telecom, government, and healthcare that have come together in support of the organization’s mission to reduce the world’s reliance on passwords.
StrongKey has long worked with the FIDO Alliance to standardize FIDO protocols, which assure strong cryptography-based authentication that protects against phishing, malware and other attacks. They recently announced that their FIDO2 server received its interoperability certification from the FIDO Alliance. So we took a moment to speak with Arshad Noor, the CTO of StrongKey, to get his take on FIDO2 Certification, the difference between FIDO and FIDO2, and what developers should do if they want to FIDO-enable their applications.
ADM: What is your role in FIDO’s mission?
Authentication based on public-key cryptography has been the most advanced form of authenticating users for over two decades. Although it wasn’t widely adopted by consumers, this advanced authentication method is finally resurging with simpler, stronger protocols through the FIDO Alliance, a non-profit standards group. Their mission is to help reduce the world’s over-reliance on passwords, and we have been supporting that mission as active members since 2015. Besides participating in various Working Groups, StrongKey has built open-source FIDO servers that implement the Universal 2nd Factor (U2F) and the FIDO2 protocols. We support FIDO’s mission by enabling companies to use FIDO Certified servers to enable strong authentication in their web applications and eliminate the risk of password breaches permanently.
ADM: What does FIDO2 Certification mean for your customers?
FIDO2 Certification of servers provides an assurance to everyone that products conform to the specifications standardized by the FIDO Alliance and are guaranteed to work with FIDO Certified authenticators. This ensures faster implementation times due to reduced friction in development, testing, and deployment, saving time and money.
ADM: What is the difference between FIDO and FIDO2?
FIDO is, unfortunately, a widely-confused term. The FIDO Alliance is a non-profit standards group with the charter of eliminating passwords from the internet using public cryptography-based protocols. The "legacy" protocols—Universal 2nd Factor (U2F) and Universal Authentication Framework (UAF)—are collectively referred to as "FIDO."
FIDO2, however, is the newest FIDO Alliance and it incorporates multiple sub-protocols: WebAuthn JavaScript API standardized by the World Wide Web Consortium (W3C), the Client to Authenticator Protocol 1 (CTAP1) and the Client to Authenticator Protocol 2 (CTAP2)—essentially allowing FIDO2 Certified solutions to solve for authentication using biometrics or U2F protocols.
ADM: It looks like you recently announced a free, open-source FIDO2 server for the developer community on GitHub. What is your philosophy behind this?
StrongKey has long believed in the use of open-source, public key cryptography for solving many business problems, supporting that goal since 2001 with public key infrastructures (PKI). While PKI had a modicum of success in the enterprise and government sectors, it did not gain any traction in the consumer space. When the FIDO Alliance came about in 2014, we recognized the potential of this initiative and implemented an open-source U2F server immediately. Participating in various FIDO Alliance working groups has allowed us to contribute time and knowledge towards the overall mission of eliminating passwords, which is a continuation of our belief that shared-secret based authentication (including passwords, One-Time PINs (OTP), and Knowledge-Based Authentication) is simply unacceptable to properly support authentication today. Creating and open-sourcing a FIDO Certified FIDO2 server ensures that companies and government agencies anywhere in the world can protect themselves from such attacks and strengthen the internet without paying any licensing fees.
ADM: How does FIDO2 improve application security?
FIDO2 improves application security in many ways:
- It eliminates passwords and other forms of shared-secret based authentication
- It enables the use of secure hardware built into modern mobile devices to support strong authentication
- It leverages the use of "device-local" authentication schemes – biometrics, PINs, patterns – to separate the authentication of the human user to the device from the cryptographic authentication between the application client and its server
- It eliminates phishing and similar forms of man-in-the-middle attacks on human users
- It enables secure "single sign-on" to multiple web applications at different sites with unique cryptographic keys
- It supports protecting the privacy of the human user as an underlying tenet
ADM: What should developers do if they want to FIDO-enable their existing or new web applications today?
Developers will need to modify their web applications to incorporate the W3C-standardized WebAuthn JavaScript API calls, as well as use a FIDO2 server to enable strong authentication. They may choose to support their existing authentication protocol in addition to FIDO2 in order to help their user community transition smoothly to the newer authentication mechanism. To support application developers as they ease into FIDO2 enablement, we created a free online resource at encryptedweb.org.
ADM: Can the world ever truly be password free?
Realistically, this could take decades. Companies and government agencies are likely to focus on securing their high-risk applications first and move down the risk ladder one application at a time. Some applications may simply be unable to use FIDO protocols for a variety of reasons – unsupported frameworks, unavailable source code, unavailable domain knowledge, unacceptable return-on-investment, etc., but there are workarounds that do exist in the market today. In order to keep the internet safe, passwords/shared-secrets alone are no longer an acceptable form of authentication.
ADM: How would the removal of passwords affect the digital identity trust organizations try to build with their customers?
With the removal of passwords and reliance on encryption-backed authentication like FIDO2, organizations will not only be able to trust that their user is, in fact, who the user says they are but also instill confidence on the user’s end that only the user is being appropriately identified by the organization. Due to the security features of the FIDO2 protocols, risks of scalable attacks on the organization through the removal of password databases and phishing attacks on customers are eliminated. In that sense, both organizations and their customers have nothing but positive outcomes from the use of FIDO2.
Arshad Noor is the CTO of StrongKey, a Silicon Valley and Durham, NC based company focused on securing data through strong authentication, encryption, digital signatures and key management. He has 32 years of experience in the Information Technology sector, of which, more than 19 were devoted to designing and building key-management infrastructures for dozens of mission-critical environments around the world. He has been published in periodicals and journals, as well as authored XML-based protocols at OASIS and represents StrongKey at the FIDO Alliance. He is also a frequent speaker at forums such as RSA, ISACA, OWASP, and the ISSE.
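As an added illustration of the interview's answers on phishing resistance and on FIDO-enabling a web application (not part of the interview and not StrongKey's server code), this Node.js code runs the server-side checks a relying party applies to a WebAuthn assertion and shows which check rejects a wrong origin, a rewritten origin and a replayed response. The key pair, the `example.com` relying party and the `signAssertion` stand-in for the browser and authenticator are constructed for the example.

```javascript
const crypto = require("node:crypto");
const sha256 = (data) => crypto.createHash("sha256").update(data).digest();

// Constructed stand-in for browser + authenticator. In a real flow the browser,
// not the page's script, writes `origin` into clientDataJSON before signing.
function signAssertion(privateKey, rpId, origin, challenge) {
  const clientDataJSON = Buffer.from(JSON.stringify({
    type: "webauthn.get", challenge: challenge.toString("base64url"), origin }));
  // authenticatorData = SHA-256(rpId) || flags (UP 0x01 | UV 0x04) || 4-byte counter
  const authenticatorData = Buffer.concat([sha256(rpId), Buffer.from([0x05, 0, 0, 0, 1])]);
  const signature = crypto.sign("sha256",
    Buffer.concat([authenticatorData, sha256(clientDataJSON)]), privateKey);
  return { clientDataJSON, authenticatorData, signature };
}

// Relying-party checks on an assertion; returns "ok" or the first failed check.
function verifyAssertion(a, publicKey, expected) {
  const cd = JSON.parse(a.clientDataJSON.toString("utf8"));
  if (cd.type !== "webauthn.get") return "bad type";
  const challenge = Buffer.from(String(cd.challenge), "base64url");
  if (challenge.length !== expected.challenge.length ||
      !crypto.timingSafeEqual(challenge, expected.challenge)) return "challenge mismatch";
  if (cd.origin !== expected.origin) return "origin mismatch";
  if (!a.authenticatorData.subarray(0, 32).equals(sha256(expected.rpId))) return "rpIdHash mismatch";
  if ((a.authenticatorData[32] & 0x01) === 0) return "user not present";
  const signed = Buffer.concat([a.authenticatorData, sha256(a.clientDataJSON)]);
  return crypto.verify("sha256", signed, publicKey, a.signature) ? "ok" : "bad signature";
}

function demo() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
  const expected = { rpId: "example.com", origin: "https://example.com",
                     challenge: crypto.randomBytes(32) };
  const genuine = signAssertion(privateKey, expected.rpId, expected.origin, expected.challenge);
  // Same key and challenge, but the browser recorded a different origin.
  const otherOrigin = signAssertion(privateKey, expected.rpId, "https://example.net", expected.challenge);
  // Swapping in client data with the expected origin after signing breaks the signature.
  const rewritten = { ...otherOrigin, clientDataJSON: genuine.clientDataJSON };
  // A captured response presented again meets a fresh server challenge.
  const fresh = { ...expected, challenge: crypto.randomBytes(32) };
  return {
    genuine: verifyAssertion(genuine, publicKey, expected),
    otherOrigin: verifyAssertion(otherOrigin, publicKey, expected),
    rewritten: verifyAssertion(rewritten, publicKey, expected),
    replayed: verifyAssertion(genuine, publicKey, fresh),
  };
}
console.log(demo());
```

A production FIDO2 server additionally tracks the signature counter, applies its user-verification policy and handles registration and attestation, none of which this example covers.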