Many businesses are moving over to what is known as the “Zero Trust Framework”. Although this can be a complex deployment, in simpler terms, this is where the IT/Network Infrastructure is divided into different segments or “zones”. Each of these zones has its own layer of defenses, which makes use of what is known as “Multifactor Authentication”, or “MFA” for short. In this scenario, an employee who wishes to gain access to one of these “zones” must go through at least three differing authentication mechanisms.
One such tool that is now being used for this very purpose is known as “FIDO2” and is further explored in this article.
What Is FIDO 2?
It is an acronym that stands for “Fast IDentity Online 2”. It is an open standard that is designed specifically for authenticating end users, such as the one in the example just given above. This standard (also referred to as a “protocol”) was created and implemented by the FIDO Alliance, in which Microsoft plays a major role. Since its inception, there have been two versions of it:
- FIDO 1: This is the first version, and it came out in 2014.
- FIDO 2: This is the second version, and it came out in 2018.
The FIDO 2 protocol is designed to be phishing resistant and is intended to replace passwords entirely.
How Does FIDO 2 Work?
This protocol creates what are known as “Passkeys”. This can be technically defined as follows:
“A passkey is a form of multifactor authentication that uses public key cryptography in combination with biometrics like fingerprint and facial recognition or a device PIN to verify an account owner’s identity. Passkeys function as a replacement for traditional passwords.”
(SOURCE: 1).
A passkey uses the principles of cryptography to create a pair of keys, one public and one private. These are long, random numbers that have no apparent meaning on their own. One of the key advantages of this approach is that the pair is generated automatically when the end user attempts to log into one of the “zones”. This key pair can be used on any kind of device or platform, including:
- A desktop computer
- A smartphone
- A wireless notebook or tablet
- The front end of a web application, such as logging into a credit card portal
Another strategic benefit is that this same key pair can be used in combination with all of the above. Meaning, if the end user wants to log into their credit card portal from their iPhone, the same passkey can be used to log into the device as well as onto the website. It is especially important to note that these passkeys are typically used as the first authentication mechanism in an MFA scenario. This is illustrated in the diagram below:
In this scenario, the end user is attempting to gain access to a particular “zone”. But before they can achieve this goal, they first must be authenticated using their FIDO 2 passkey, and if that is successful, they can then confirm their identity in the remaining two authentication mechanisms. Once all of this has been accomplished, the end user can then gain access to that “zone”.
How Are the Passkeys Generated?
There are two ways that the passkeys can be generated, which involve no intervention from the end user. They are:
- The Roaming Authenticator:
This is where the end user plugs a FIDO 2 security key into their device, such as an iPhone or an Android device.
- The Platform Authenticator:
This is where the FIDO 2 mechanism is embedded into the iPhone or Android device, and the passkey generation is initiated when the end user logs into their device, such as by using a PIN, Face ID, or Touch ID.
The Benefits of Using FIDO 2
There are also other key benefits to using FIDO 2, such as:
1. An increased level in security:
As described earlier in this article, at least theoretically, a passkey that has been generated by the FIDO 2 protocol is unbreakable. Thus, it can withstand any kind of attempt by a cyberattacker to break it.
2. The ease of use:
Using FIDO 2 requires no intervention or management by the end user whatsoever. The passkeys can be generated in a matter of just a few seconds.
3. IAM becomes easier:
This is an acronym that stands for “Identity and Access Management”. Passwords have always been a major component of this, but since FIDO 2 passkeys can replace them, creating and implementing IAM-based policies now becomes much easier for the IT security team.
4. Compliance:
Since the passkeys that are generated contain no identifying information or data about the end user, their privacy is almost guaranteed. Further, by using the FIDO 2 protocol, businesses can come into compliance more quickly with data privacy laws, such as the GDPR, CCPA, HIPAA, etc.
5. Highly scalable:
Since the FIDO 2 protocol is based upon an open-source framework and requires no licenses, businesses can quickly use this to fit their ever-changing Cybersecurity requirements.
Conclusions
If you are considering using FIDO 2 for your environment, and need help or have questions, contact us today.