FIDO2 is a joint project of the FIDO Alliance and the W3C and enables strong passwordless multi-factor authentication. The method rests on asymmetric (public-key) cryptography and uses second factors such as biometric features, hardware keys, smart cards, or TPM modules to log on to a web service. Some browsers, operating systems, and web services are already compatible with FIDO2 and support the procedure.
What is FIDO2?
FIDO2 is a method for online authentication without the need for passwords. The method is the result of collaboration between the non-commercial FIDO Alliance (FIDO = Fast IDentity Online) and the World Wide Web Consortium (W3C). The authentication solution provides strong passwordless multi-factor authentication and uses secondary factors such as biometric features, hardware keys, smart cards, or TPM modules (Trusted Platform Module). The cryptographic basis of the challenge-response method is asymmetric cryptography with its pairs of private and public keys: the private key stays on the authenticator and produces signatures, while the public key is registered with the web service and is used to verify them.
The FIDO2 protocol combines the FIDO Alliance’s Client to Authenticator Protocol (CTAP) and the W3C’s WebAuthn API and can be integrated into browsers, for example. CTAP was derived from an earlier FIDO Alliance specification, the U2F standard. CTAP and WebAuthn together form an authentication protocol between embedded or external authenticators and relying parties (the web services that users log in to). Between the relying party and the authenticator, a web browser with a WebAuthn client acts as the intermediary.
Although FIDO2 is still a young standard, some browsers such as Edge, Chrome, or Firefox, operating systems such as Android or Windows 10, and web services such as Office 365 are already compatible with FIDO2 and support the passwordless login procedure. The aim of the procedure is to make logging in more secure and at the same time easier compared to password-based authentication.
In addition, capabilities already built into devices, such as fingerprint readers or integrated TPM modules, are to serve as secure second factors for login.
The basic operation of FIDO2
From the user’s perspective, FIDO2 works transparently. It is a challenge-response method for multi-factor authentication (MFA) that uses asymmetric cryptography and factors such as biometric features, hardware tokens, smart cards, embedded security elements or TPM modules. In this flow, the WebAuthn protocol is responsible for communication between the server and the browser, and the CTAP protocol is responsible for communication between the browser and the authenticator. Login to a web service via a browser can proceed as follows:
- First, the web service sends a challenge to the browser of the client that wants to log in.
- The browser forwards the challenge to the authenticator.
- The authenticator checks the user locally (a PIN or other knowledge, a biometric feature, or another factor) and, if the check succeeds, generates a digital signature over the challenge with its private key. It returns this signature to the browser.
- The browser transmits the signed challenge to the web service.
- The web service verifies the signature with the public key registered for that user and, if the signature is valid, authenticates the client.

The factors used by the authenticator, such as a PIN, other knowledge, or biometric features, never leave the local end device during the entire authentication process.
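The five steps above, carried out end to end in code, as an added example that is not part of the original article and not code from the FIDO Alliance or the W3C. It is a deliberately simplified model of a WebAuthn assertion in Go: the relying party keeps only a public key and a signature counter, the browser binds the challenge to its origin in clientDataJSON, and the authenticator signs authenticatorData (SHA-256 of the RP ID, a user-present flag, a counter) together with the hash of clientDataJSON using an ES256 (P-256) key that never leaves it. The origin "https://example.com" and RP ID "example.com" are constructed values; real implementations additionally handle credential IDs, CBOR/COSE key encoding, attestation at registration and the full set of flags, none of which is shown here.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"errors"
)

// Credential is all the web service (relying party) stores after registration.
type Credential struct {
	PublicKey *ecdsa.PublicKey
	SignCount uint32 // highest signature counter seen so far
}

// Authenticator stands in for the hardware key or TPM; its private key never leaves it.
type Authenticator struct {
	priv      *ecdsa.PrivateKey
	signCount uint32
}

// Register is the one-time enrolment: a P-256 (ES256) key pair is created on
// the authenticator and only the public half is handed to the web service.
func Register() (*Authenticator, *Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &Credential{PublicKey: &priv.PublicKey}, nil
}

// NewChallenge is step 1: the web service draws fresh random bytes per login attempt.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// BuildClientData is the browser's part of step 2: it ties the challenge to the
// origin the page was really loaded from, so a signature cannot be reused elsewhere.
func BuildClientData(challenge []byte, origin string) []byte {
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get",
		"challenge": base64.RawURLEncoding.EncodeToString(challenge), "origin": origin})
	return cd
}

// signedMessage is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	h := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, authData...), h[:]...))
	return d[:]
}

// Sign is step 3 and returns authenticatorData and the signature. userPresent is
// the outcome of the local check (touch, PIN, biometric), which never leaves the device.
func (a *Authenticator) Sign(rpID string, clientDataJSON []byte, userPresent bool) ([]byte, []byte, error) {
	if !userPresent {
		return nil, nil, errors.New("local user check failed")
	}
	a.signCount++
	rpIDHash := sha256.Sum256([]byte(rpID))
	var ctr [4]byte // big-endian signature counter, incremented for every assertion
	binary.BigEndian.PutUint32(ctr[:], a.signCount)
	authData := append(append(rpIDHash[:], 0x01), ctr[:]...) // 0x01 = user-present (UP) flag
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, clientDataJSON))
	return authData, sig, err
}

// Verify is step 4: the web service checks its own challenge, the origin, the RP ID,
// user presence and a strictly increasing counter, then the signature under the
// public key stored at registration.
func Verify(cred *Credential, challenge []byte, origin, rpID string, clientDataJSON, authData, sig []byte) error {
	var cd struct{ Type, Challenge, Origin string }
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Challenge != base64.RawURLEncoding.EncodeToString(challenge) || cd.Origin != origin {
		return errors.New("clientData does not match this login attempt (challenge or origin)")
	}
	want := sha256.Sum256([]byte(rpID))
	if len(authData) < 37 || string(authData[:32]) != string(want[:]) || authData[32]&0x01 == 0 {
		return errors.New("authenticatorData is not for this RP or user was not present")
	}
	count := binary.BigEndian.Uint32(authData[33:37])
	if count <= cred.SignCount {
		return errors.New("counter did not increase: replay or cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.PublicKey, signedMessage(authData, clientDataJSON), sig) {
		return errors.New("invalid signature")
	}
	cred.SignCount = count // update stored state only after every check passed
	return nil
}
```

Two details of the design are worth noting for anyone implementing a relying party: the stored counter is updated only after every other check has passed, so a rejected assertion cannot move server state, and an assertion signed for a different origin fails even though it was made by the genuine authenticator, which is what makes the scheme resistant to credential reuse on look-alike sites.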