At the RSA Conference 2018, Microsoft and Google demonstrated the new FIDO2 authentication capabilities they have recently implemented in their core products. Here we will discuss what FIDO2 is, and how you can leverage it. Before we do that, let’s take a step back and talk about how FIDO2 fits into the broader set of FIDO passwordless authentication standards. Whether you’re a developer, IT Manager or end-user, you’re familiar with the problems with passwords.  They tax end-users, make your infrastructure vulnerable, and are susceptible to scalable attacks. Nok Nok Labs founded the FIDO Alliance in 2013 and brought its key inventions to create a framework of FIDO standards to help eliminate passwords.

With FIDO, end users get simple and unphishable authentication appropriate to their use case, developers get a single API that shields them from the complexity of authenticators and security mechanisms, and IT operators get a single backend that can select the right authenticator for a user by policy regardless of end-user platform or use case.

FIDO makes it possible to deliver strong authentication to users at population scale and changes the economics of authentication. FIDO protocols are now widely deployed commercially to over 3 billion users by the world’s largest Payments, Banking, Insurance, and Telecom companies.  So far, FIDO protocols have addressed the mobile use case at scale across all operating systems and allowed authentication in browsers and on non-mobile devices through the use of the phone or a USB token as an authentication factor.

To reach an even wider audience, Nok Nok Labs has worked with Google, Microsoft and a few other partners to bring FIDO natively into Browsers and Operating systems.  This new effort can be best understood as “FIDO for Browsers” sits next to the existing FIDO protocols that can be thought of as “FIDO for Mobile Apps”. The new work provides a standard API that allows users to login with FIDO in a browser without a password and to use phones or tokens as authenticators.

Structure of FIDO2

FIDO2 is comprised of two parts. First, there is Web Authentication (aka WebAuthn), which is the JavaScript API (application programming interface), a W3C standard. The FIDO Alliance and the W3C worked together to develop this new standard that is being implemented by browser vendors like Mozilla, Chrome and Edge, WebKit etc.  Second, there is the Client to Authenticator (CTAP) protocol. CTAP allows FIDO2-capable devices to interface to external authenticators over bluetooth, USB, or NFC. Web Applications do not use CTAP directly.

Like other FIDO protocols, FIDO2 is based on standard public key cryptography and offers a high degree of security. During setup, the client registers a public key with the online service provider. Later, when authenticating, the service provider uses a challenge-response process to verify that the client owns the private key. Only public keys are stored on the server, as opposed to passwords where shared secrets are stored on the server. Furthermore, privacy is ensured since user keys are unique across service providers.

Key Takeaways about FIDO2

  • FIDO2 is “FIDO for Browsers” and adds to the existing “FIDO for Mobile Apps” capabilities of FIDO to create passwordless user experiences that simple, secure and scalable.
  • FIDO2 is composed of two protocols, WebAuthn and CTAP.  WebAuthn is a joint work product of the FIDO Alliance and the W3C with Nok Nok, Google, Microsoft and PayPal as principal authors.  CTAP remains a work product of the FIDO Alliance.
  • The FIDO Alliance will provide testing and certification of FIDO2 implementations as usual.  The Alliance has also created security certifications for authenticators.
  • The FIDO Alliance has created a “Universal FIDO Server” certification to recognize vendors who have committed to implement and maintain compatibility with all current and future FIDO protocols.  Nok Nok is proud to be the first vendor to commit to this certification, allowing its customers to confidently proceed with implementations without delay across browser and mobile app use cases and across all operating systems and authenticator types.

Advantages of all FIDO Protocols

When Nok Nok founded the FIDO Alliance we pioneered a set of principles that would apply and guide the work of the FIDO Alliance.  All FIDO protocols provide these benefits:

  • Low-friction strong authentication
  • No shared secrets stored on the server
  • Designed from the ground up for privacy
  • Use any on-device or external authenticator with an expanding set of choices (UAF, FIDO2)
  • Open standard with no vendor lock-in
  • Resistance to phishing and other scalable attacks

How it Works

Here you see a high-level architectural view of FIDO2:

FIDO2 Architecture

There are 3 components on the client side:

  • Web pages that use the W3C WebAuthn JavaScript API, for example, using an SDK from Nok Nok Labs.
  • The Web browser that implements the WebAuthn API and connects to the FIDO2 subsystem of the underlying operating system.
  • Authenticators that the subsystem accesses to verify the user.

The server side has the relying party’s web application connected to a FIDO2 Server, for example, from Nok Nok Labs.

For more details on WebAuthn, you can review the W3C JavaScript API. As you may note, the WebAuthn API is extensive. Nok Nok provides an SDK with a simpler API that handles the lower-level REST (Representational State Transfer) and WebAuthn calls.

With the Nok Nok SDK, the initial user setup is kicked off using a single call:

appSdk.register(session)
.then(function(result) {
    ...
}}
.catch(function(result) {
   ...
}

 

Later on, the user authentication is done similarly:

appSdk.authenticate(session)
.then(function(result) {
    ...
}}
.catch(function(result) {
   ...
}

Where is FIDO2 Supported?


Platform support for FIDO2 is evolving. Right now, the following browsers support it.

Platform Browsers
Windows 10 Insider Preview v17704+ Edge
Windows Chrome 67+ Firefox 61+
Mac OS Chrome 67+ Firefox 60+

The FIDO2 specification is expected to be finalized soon. Over time the list of platforms and browsers should expand, so stay tuned!

Next Steps

Now that you understand how FIDO2 works, sign up to get access to the SDK and try it out yourself.

Sign Up