FAQ (2024)

How secure is FIDO2 compared to FIDO U2F and other 2FA solutions?

Passwordless (single-factor) login with FIDO2 is strong authentication on its own. In many cases it is more secure than other forms of two-factor authentication such as SMS, because there is no shared secret that can be phished remotely. FIDO2 uses the same public key cryptography and origin checking as FIDO U2F, so the browser only offers a credential to the origin it was registered for and the signed response names that origin, with the additional convenience of not needing a username and password as a first factor: a discoverable credential on the authenticator identifies the user.

Will FIDO U2F become obsolete with the expansion of FIDO2?

FIDO2 WebAuthn is backwards compatible with FIDO U2F authenticators: a U2F key can still be registered and used as a second factor through WebAuthn. Over time, we expect FIDO2 to subsume FIDO U2F.

Is there an option to use FIDO2 in conjunction with an additional factor such as a PIN or biometrics? Is this recommended?

Yes. Hardware authenticators supporting CTAP2 can add user verification by requiring the user to enter a PIN or present a biometric to unlock the authenticator before it signs; the relying party sees this as the user-verified (UV) flag in the response and can require it. Whether to require it depends primarily on the implementor's threat model and use cases. For example, a large banking institution may want a PIN in conjunction with a security key for a higher level of assurance, while a warehouse-based shared kiosk environment may not.

Yubico's FIDO2 compatible YubiKeys implement the full CTAP2 specification and support several passwordless experiences, including single factor touch-and-go with the hardware authenticator (no username needed) as well as a PIN combined with a touch of the hardware authenticator.
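As an added example (not code from the original page or from Yubico), here is the relying-party side of the origin checking described in the first answer together with the user-verification check that enforces the PIN option discussed in this one. The RP ID example.com, the origin and the message layout are assumptions made for illustration; the signature step uses HMAC-SHA256 with a per-credential secret as a stand-in for the authenticator's ECDSA signature so that the example runs on the Python standard library alone. Every check the relying party performs (type, challenge, origin, rpIdHash, flags, signature counter, signature) follows the WebAuthn assertion-verification procedure.

```python
import base64
import hashlib
import hmac
import json
import os
import struct

RP_ID = "example.com"              # hypothetical relying-party ID (assumed)
RP_ORIGIN = "https://example.com"  # the only origin this RP will accept (assumed)
FLAG_UP, FLAG_UV = 0x01, 0x04      # authenticator-data flag bits: user present, user verified


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode("ascii")


class FakeAuthenticator:
    """Stand-in for a CTAP2 authenticator, constructed for this example.

    It scopes each credential to an RP ID, keeps a per-credential signature
    counter and signs authenticatorData || SHA-256(clientDataJSON). The
    signature is HMAC-SHA256 with a per-credential secret instead of ECDSA so
    that only the standard library is needed; the RP-side checks are the same.
    """

    def __init__(self):
        self.creds = {}

    def make_credential(self, rp_id):
        cred_id, secret = os.urandom(16), os.urandom(32)
        self.creds[cred_id] = {"rp_id": rp_id, "secret": secret, "counter": 0}
        return cred_id, secret  # with ECDSA the RP would receive only the public key

    def get_assertion(self, rp_id, cred_id, client_data_hash, user_verified):
        cred = self.creds[cred_id]
        if cred["rp_id"] != rp_id:
            raise ValueError("credential is not scoped to this RP ID")
        cred["counter"] += 1
        flags = FLAG_UP | (FLAG_UV if user_verified else 0)
        auth_data = (hashlib.sha256(rp_id.encode()).digest()
                     + bytes([flags]) + struct.pack(">I", cred["counter"]))
        sig = hmac.new(cred["secret"], auth_data + client_data_hash, hashlib.sha256).digest()
        return auth_data, sig


def browser_client_data(origin, challenge):
    """The browser, not the page's JavaScript, records the origin it actually loaded."""
    return json.dumps({"type": "webauthn.get",
                       "challenge": b64url(challenge),
                       "origin": origin}).encode()


def verify_assertion(stored, challenge, client_data, auth_data, sig, require_uv=False):
    """Relying-party verification; returns True only if every check passes."""
    cd = json.loads(client_data)
    if cd.get("type") != "webauthn.get":
        return False
    if cd.get("challenge") != b64url(challenge):
        return False                          # not a response to our fresh challenge
    if cd.get("origin") != RP_ORIGIN:
        return False                          # a look-alike origin fails here
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False                          # credential scoped to another RP ID
    flags = auth_data[32]
    if not flags & FLAG_UP:
        return False                          # user presence (touch) is always required
    if require_uv and not flags & FLAG_UV:
        return False                          # PIN/biometric required by policy
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if counter <= stored["counter"]:
        return False                          # replay or cloned authenticator
    expected = hmac.new(stored["key"], auth_data + hashlib.sha256(client_data).digest(),
                        hashlib.sha256).digest()
    if not hmac.compare_digest(expected, sig):
        return False
    stored["counter"] = counter
    return True


def login(origin_seen_by_browser, user_verified=True, require_uv=False):
    """One registration plus one login; the origin is whatever the browser saw."""
    authn = FakeAuthenticator()
    cred_id, key = authn.make_credential(RP_ID)
    stored = {"key": key, "counter": 0}       # kept by the RP since registration
    challenge = os.urandom(32)                # fresh per login
    client_data = browser_client_data(origin_seen_by_browser, challenge)
    auth_data, sig = authn.get_assertion(RP_ID, cred_id,
                                         hashlib.sha256(client_data).digest(), user_verified)
    return verify_assertion(stored, challenge, client_data, auth_data, sig, require_uv)


def replay_is_rejected():
    """A captured assertion fails on the next login: new challenge, stale counter."""
    authn = FakeAuthenticator()
    cred_id, key = authn.make_credential(RP_ID)
    stored = {"key": key, "counter": 0}
    c1 = os.urandom(32)
    cd = browser_client_data(RP_ORIGIN, c1)
    ad, sig = authn.get_assertion(RP_ID, cred_id, hashlib.sha256(cd).digest(), True)
    first = verify_assertion(stored, c1, cd, ad, sig)
    second = verify_assertion(stored, os.urandom(32), cd, ad, sig)
    return first and not second
```

There are two separate defenses at work. A real browser refuses to use a credential for example.com from any other origin at all; and even an assertion relayed through a phishing proxy carries the phishing origin inside the signed clientDataJSON, so login("https://examp1e.com") is rejected at the origin check. Passing require_uv=True is how a relying party turns the PIN option into a requirement rather than a preference.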

What’s the difference between a PIN and password?

As stated above, one of the options with FIDO2 is to combine hardware-based authentication with an additional factor such as a PIN. This has many of you wondering, “Well, isn’t that the same as needing to remember a password?”

A PIN is different from a password. The purpose of the PIN is to unlock the security key so it can perform its role. The PIN is verified locally by the device and is never sent across the network; the browser passes the authenticator only an encrypted hash of the PIN over the local CTAP2 channel. In contrast, a password is sent across a network to the service for validation, and that can be phished. Because the PIN is not part of the security context for remotely authenticating the user, it does not need the same security requirements as a password: it can be simpler and shorter and does not need to change often, which reduces IT support load for reset and recovery. The hardware authenticator with a PIN therefore provides a passwordless, phishing-resistant solution for authentication. Finally, the authenticator limits how many PIN guesses can be made: CTAP2 requires a power cycle after 3 consecutive wrong attempts and blocks the PIN permanently after 8. YubiKey devices take this approach of blocking the PIN after 8 consecutive incorrect attempts; the FIDO2 application must then be reset, which erases all FIDO2 credentials on the key, so an attacker holding the key gets at most 8 guesses.

YubiKey devices do not constrain the PIN to a small number of digits: the FIDO2 PIN on a YubiKey can be any sequence of characters, at least 4 characters long and at most 63 bytes of UTF-8, the maximum the CTAP2 specification allows.
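An added example, not code from the page or from Yubico, modelling the retry behaviour described above: the 8-attempt budget, the 3-per-power-cycle limit, the fact that the authenticator stores only a truncated hash of the PIN rather than the PIN itself, and the reset that erases credentials once the PIN is blocked. The class name, the credential count and the guess_pins attacker loop are constructed for illustration; the limits are those of the CTAP2 specification.

```python
import hashlib
import hmac
import unicodedata

MAX_RETRIES = 8            # CTAP2: consecutive failures before the PIN is blocked
MAX_PER_POWER_CYCLE = 3    # CTAP2: failures allowed before a power cycle is required


def pin_is_acceptable(pin):
    """CTAP2 limits: at least 4 Unicode code points, at most 63 bytes of UTF-8."""
    pin = unicodedata.normalize("NFC", pin)
    return len(pin) >= 4 and len(pin.encode("utf-8")) <= 63


def pin_hash(pin):
    """Authenticators keep only the left 16 bytes of SHA-256(PIN), never the PIN."""
    return hashlib.sha256(unicodedata.normalize("NFC", pin).encode("utf-8")).digest()[:16]


class Fido2PinState:
    """Model of the PIN retry logic on a FIDO2 authenticator (constructed example)."""

    def __init__(self, pin, credentials=2):
        self.credentials = credentials      # number of stored FIDO2 credentials (assumed)
        self.blocked = False
        self.retries = MAX_RETRIES
        self.failed_this_cycle = 0
        self._set_pin(pin)

    def _set_pin(self, pin):
        if not pin_is_acceptable(pin):
            raise ValueError("PIN must be 4 characters to 63 bytes")
        self._hash = pin_hash(pin)

    def power_cycle(self):
        """Unplugging and reinserting the key clears only the per-cycle count."""
        self.failed_this_cycle = 0

    def verify(self, pin):
        if self.blocked:
            return "blocked"                    # only a reset helps now
        if self.failed_this_cycle >= MAX_PER_POWER_CYCLE:
            return "power_cycle_required"       # refused even for the right PIN
        if hmac.compare_digest(pin_hash(pin), self._hash):
            self.retries = MAX_RETRIES          # success restores the full budget
            self.failed_this_cycle = 0
            return "ok"
        self.retries -= 1
        self.failed_this_cycle += 1
        if self.retries == 0:
            self.blocked = True
            return "blocked"
        return "invalid"

    def reset(self, new_pin):
        """Reset of the FIDO2 application: the block is lifted, all credentials are erased."""
        self.credentials = 0
        self.blocked = False
        self.retries = MAX_RETRIES
        self.failed_this_cycle = 0
        self._set_pin(new_pin)


def guess_pins(state, candidates):
    """What an attacker holding the key gets: ('found'|'blocked'|'exhausted', attempts)."""
    attempts = 0
    for guess in candidates:
        result = state.verify(guess)
        if result == "power_cycle_required":
            state.power_cycle()                 # the attacker can always replug the key
            result = state.verify(guess)
        attempts += 1
        if result == "ok":
            return "found", attempts
        if result == "blocked":
            return "blocked", attempts
    return "exhausted", attempts
```

Running guess_pins against every four-digit PIN shows why a short PIN is acceptable here: the key blocks after the eighth wrong guess, long before the space is covered, and the remaining credentials survive only until the reset that is needed to unblock it. None of this involves a server, which is why a FIDO2 PIN policy is independent of a password rotation policy.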

How does FIDO2 affect a company’s password policy of replacing passwords every 90 days?

With FIDO2, there is no need to replace passwords, as there are no passwords required.

For those combining a hardware authenticator with a PIN, note that a PIN does not demand the same security requirements as a password. Because the PIN is not part of the security context for remotely authenticating the user (it is never sent over the network for verification), it can be simpler and shorter than a password and does not need to be changed with the same frequency, or at all, which eases enterprise concerns about PIN reset and recovery.

What services provide support for FIDO2? When can we expect additional services to roll out support?

At the time of this writing, Chrome, Firefox, and Dropbox have implemented support for the WebAuthn second-factor login flow. Beginning with build 17723, Microsoft Edge supports the first version of WebAuthn, including FIDO2 single factor and multi-factor authentication in addition to the second-factor flow. The Yubico Developer Program offers resources for those interested in adding support for FIDO2. Other services supporting FIDO2 can be found in the Works With YubiKey Catalog.

What if I lose my Security Key by Yubico? Without a password, am I locked out of my account?

Best practice is always to have a backup FIDO2 device registered, should you misplace your primary device. FIDO2 credentials on YubiKeys carry no unprotected identifiable information, so a found key cannot immediately be used to log in without knowing the identity of the owner and the accounts it is registered with. Even when the YubiKey is used as a passwordless single-factor authenticator, its discoverable credentials are not exposed without the user’s PIN being provided first (with firmware 5.2.4 and above). The reality is that the primary attack vector for consumers and enterprises is remote account takeover, whether by credential theft, phishing, or man-in-the-middle attacks, and FIDO2 is specifically designed to protect against these threats.

For those concerned with physical threats, there is the option to require multi-factor authentication using a PIN. That way, someone who obtains a stolen security key still needs to know which accounts it is registered with and to have your additional factor (PIN) in order to log in.

Note that the backup FIDO2 device must also be registered with each service where you want to use it as a backup.

How does FIDO2 Authentication compare/contrast with Smart Card Authentication?

FIDO2 authenticators share many similarities with smart cards: authentication is performed with cryptographic primitives instead of string comparisons, and the user’s key material stays inside tamper-resistant hardware. FIDO2, however, does not require the extra infrastructure a smart card deployment needs, such as a Public Key Infrastructure (PKI) to manage certificates. Smart card implementations typically use a centralized authentication model, whereas FIDO2 uses a decentralized one: the authentication event happens on the FIDO2 authenticator, and the server checks the authenticator’s assertion response to verify that it meets the server’s criteria.
