Your Guide to FIDO2 Passwordless Authentication

As traditional username-password authentication fails to meet the evolving security needs of industries and sectors all around the globe, passwordless authentication methods are quickly gaining traction. At the same time, the standard password-based login experience is clunky and inconvenient for users, failing to meet customers’ evolving expectations in the digital world. 

In efforts to standardize passwordless authentication across different applications, websites, and browsers, the FIDO Alliance continues to develop open standards and specifications that help service providers implement such security methods for a better customer experience, privacy, and scalability. One of the Alliance’s latest advancements is the development of FIDO2 specifications. 

In this article, we will discuss:

• What FIDO2 authentication is

• How FIDO2 looks in practice

• Benefits and challenges of FIDO2

• First steps for implementing FIDO2 passwordless implementation

• How FIDO protocols are evolving

FIDO2 passwordless authentication is the most recent extension of Fast Identity Online (FIDO), which is an open and standardized set of authentication protocols that makes it easier for online developers to deploy and consumers to use passwordless security methods. FIDO2 applies specifically to common devices for secure identity authentication via mobile devices or desktops. 

FIDO2 differs from traditional password-based authentication in that it is more secure and easier for users to log into websites and applications.

FIDO2 Authentication Methods

FIDO2 provides digital service providers a way to implement passwordless multi-factor authentication (MFA) to verify user identities, combining multiple authentication methods for enhanced security.

Passwordless Authentication

Online providers that utilize FIDO2 passwordless authentication can support a number of other secure methods to validate users besides passwords. Such methods include: 

• Biometric data like fingerprint or facial recognition

• Passkeys

• QR Codes

• Security keys

• WebAuthn

   

With FIDO2, online users can enjoy a quick and secure login experience, largely unaware of the protocols working behind the scenes to make it happen. Here is a more detailed look at the fundamental workings of FIDO2.

Components of FIDO2

WebAuthn Protocol

The WebAuthn protocol that we briefly mentioned above is a core component of FIDO2. It is the standard web API enabled by websites and browsers to facilitate user authentication on web applications. In other words, this is the interface where public key credentials can be created, managed, and communicated with authenticators.

Authentication Flow

For a better understanding of how FIDO2 passwordless authentication works in practice, here is a step-by-step breakdown of what this process looks like from start to finish. 

1. User initiation: A user visits a FIDO2-supported website or application for the first time, and they must select an authentication method that is supported by the service provider.

2. Key pair generation: During initiation, a new authentication key pair will be generated;  the private key is stored on the user’s device, and the public key is stored on the service provider’s servers.

3. Authentication: For future login attempts, the service provider will use the WebAuthn protocol to provide a challenge to the user’s device to prove possession of the private key; the challenge is signed when the user completes the authentication method that was established at account creation (like fingerprint scanning or voice recognition), which will allow the private key to be shared and verified against the public key and grant the user access.

While the two may appear similar, it’s important to understand the distinction between FIDO2 and UAF protocols.

Evolution from U2F (Universal 2nd Factor)

Universal 2nd Factor (U2F) was a direct predecessor of the CTAP FIDO2 specification we referenced above. More specifically, U2F was renamed CTAP1, which is now largely obsolete, and the specification used in FIDO2 is referred to as CTAP2.  

The U2F protocol added a second strong authentication factor to password-based authentication with an external security device. CTAP2 builds on this protocol to enable the authenticator to be both factors of authentication for a passwordless login experience.

UAF (Universal Authentication Framework)

The Universal Authentication Framework (UAF) protocol established the framework for online providers to offer a passwordless login experience, including multi-factor authentication where needed. This represents the earlier edition of what is now a more robust passwordless authentication method under FIDO2. 

UAF protocols had an emphasis on biometrics for validating users, allowing them to set facial recognition, fingerprint scanning, or facial recognition as their method of authentication when registering a new account. For subsequent sign-ins, they could simply provide their selected method of authentication rather than a password.

FIDO2

FIDO2 is an evolution of protocols that combines the strengths of UAF and U2F. We’ve already discussed how U2F directly ties into FIDO2’s CTAP2 specification, and the framework for FIDO2 extends largely from the ideas set forth with UAF.

Similar to the goal of UAF to let users authenticate themselves without the use of passwords, FIDO2 combines additional specifications including WebAuthn and CTAP2 to be a more modern, standardized, and secure passwordless solution.

Passkeys for Passwordless Login

FIDO2 passkeys give users secure access to their accounts without having to enter a username-password combination. Organizations can deploy FIDO sign-ins with passkeys so users can sign in with the same PIN or biometric credentials they use to access the device. The use of passkeys allows for a better user experience, enhanced security, and easier scalability.

Access Control

FIDO2 passwordless authentication can also enhance access controls to physical locations like offices or residential buildings. A stolen key or passcode alone will not provide unauthorized parties with access to the premises using this method.

Secure IoT Device Authentication

Another application of FIDO2 is that it can be utilized for secure authentication between a user’s mobile devices and their IoT devices. This promotes a more secure onboarding process for IoT devices.

Contactless Payments

Lastly, FIDO2 can be leveraged for secure and convenient mobile payments. This can work to prevent unauthorized or fraudulent purchases without adding more friction for authorized buyers to complete their transactions.

Secure Travel

There are also positive implications for supporting secure international travel with FIDO2 standards. The use of biometric authentication with a fingerprint scan or facial recognition can work as a straightforward and secure method for verifying a traveler’s identity rather than relying on traditional methods like a passport or other documentation, which can be forged or falsely replicated.

KYC Compliance

FIDO2 can help streamline the customer onboarding process for organizations that must comply with Know Your Customer (KYC) and Anti-Money Laundering (AML) regulations. These standards can securely validate a customer’s identity as they open a new bank account or apply for a loan, helping to prevent the risk of identity theft or other financial-related crimes.

Heightened Security

One of the biggest advantages of FIDO2 passwordless authentication is that it provides enhanced security. The cryptographic credentials provided at login are unique for each online service provider and are never shared or stored on servers.

Thus, FIDO2 lessens the risk of phishing attacks or password theft in case of a breach or other cybersecurity event. If an attacker attempts to use stolen credentials to access an account, they would be blocked since they don’t possess the cryptographic key that’s kept private on the user’s personal device for successful authentication.

Improved User Experience

FIDO2 also allows a more convenient and seamless user login experience. Rather than needing to remember the unique password they’ve created for each online account, users can log in using biometric authentication like fingerprint scanning or facial recognition.

Reduce Reliance on Passwords

Standard username-password logins provide significant security risks, and FIDO2 passwordless authentication helps lessen global reliance on this flawed security method. Instead, digital service providers can employ stronger authentication methods that don’t involve passwords, like biometrics or physical tokens.

Scalability

By design, FIDO2 can be deployed across various applications and industries. Implementation of FIDO2 is highly adaptable and scalable, as it can be enabled on common devices with a standard web API.

Cost-Efficiency

There is a potential for cost savings with FIDO2 as it relates to password management and support. Organizations may save on programs and IT support resources for password resetting and other account support efforts. FIDO2 passwordless authentication eliminates the need for users to remember passwords and waste resources trying to access their accounts.

Ease of Enrollment Across Multiple Devices

FIDO2 passkey standards make it easier to access digital service providers from new devices. These new standards allow users to sync their private keys across multiple devices, eliminating the need to re-enroll every account on each new device.

User Awareness

For widespread FIDO2 adoption, there will need to be increased user education and awareness around passwordless authentication. Many online users may be used to the standard method of entering their username and password to access their accounts, and they may not understand the purpose and benefits that passwordless login can provide. 

Successful adoption is driven by a combination of people, processes, and technology. Organizations should not simply change the technology and expect customers to quickly adapt in lockstep. Educating users on the benefits of FIDO2 can help support this transition.

Ensuring a Convenient Customer Experience

Users need to be provided with a choice of credentials they can use to authenticate into a digital service. If a digital service provider limits these by default, users may become frustrated and may seek out an alternative provider that offers a better customer experience. 

Similar to improving user awareness of FIDO2, organizations should roll out these new options using appropriate change management best practices. This will help users gain a greater understanding of why their login experience is changing and the benefits they can enjoy.

Device Compatibility

More devices and products continue to get FIDO2 certified as this authentication method gains traction. However, it is not available across all websites and digital service providers just yet, so there can still be some hiccups while it becomes the universal authentication method.

Organizations looking to obtain FIDO2 certification should be prepared for the following considerations.

Security Requirements

Those who are interested in implementing FIDO2 protocols should investigate whether their organization’s security requirements are aligned with FIDO2’s robust authentication methods.

In other words, is the security provided by FIDO2 enough to meet your organization’s requirements? Will it be able to address some of the security weaknesses you’ve already identified within your organization?

User Experience Goals

It’s important for online service providers to understand how implementing FIDO2 will impact the user experience. In many cases, it can improve their experience through passwordless and convenient authentication. 

Do a thorough assessment to see if this is something your organization has a need for currently. Maybe you are frequently offering support services to users who cannot remember their passwords or make consistent complaints about the login process. If this is the case, implementing FIDO2 passwordless authentication could be the key to meeting your user experience goals.

Industry Compliance

Organizations should also be aware of how FIDO2 can help them meet industry-specific compliance requirements. For organizations that must adhere to HIPAA, GDPR, CCPA, or PSD2 (soon-to-be PSD3) privacy laws, FIDO2 could help bolster their ability to protect sensitive user data and stay compliant with such regulations.

Implementation Readiness

While implementing a new authentication protocol like FIDO2 may not happen overnight, there are some ways to prepare your organization for the process. To begin with, you should consider how FIDO2 will integrate with your existing technology infrastructure, applications, and systems. 

Do you anticipate any particularly challenging areas for implementation? Is there a backup plan you can set up to avoid any outages?

Before you begin adoption, you may want to assess how you will roll this new authentication method out to your existing users. This might involve educating them on passwordless authentication to improve user buy-in to this new security method and implementing change management best practices to help them understand their new credential choices. By getting this prep work out of the way, you can set your organization up for success with FIDO2 implementation.

FIDO is constantly evolving. Here is some more context on how it came to be and the various developments that preceded FIDO2.

FIDO Alliance Formation

FIDO2 authentication standards were created jointly by the World Wide Web Consortium (W3C) and the FIDO Alliance, which is an open industry association dedicated to decreasing the world’s reliance on passwords. 

Since its inception, the goal of the FIDO Alliance has been to establish industry standards for passwordless authentication methods and make it easier for organizations to develop and deploy them.

Development of UAF and U2F

Universal Authentication Framework (UAF) and Universal Second Factor (U2F) are two FIDO protocols that emerged before FIDO2 to help strengthen passwordless authentication. 

Both were released in 2014, and though there are some similarities between UAF and U2F, they are built for distinct purposes. 

• UAF: permits the use of multi-factor authentication and passwordless authentication to access online services; includes methods like fingerprint scanning or entering a PIN to authenticate users.

• U2F: adds a second factor to password-based authentication for enhanced security.

Birth of FIDO2

FIDO2 emerged as an evolution of UAF and U2F, introduced officially in April 2018. The unique goal of FIDO2 is to standardize passwordless authentication across different mobile and desktop applications. 

There are two specifications FIDO2 relies on to accomplish this: the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification and FIDO Alliance’s Client-to-Authenticator Protocol (CTAP).

Favored for its enhanced security and ease of use, FIDO2 specifications are helping more organizations implement passwordless authentication for their online platforms. 

FIDO2 is quickly becoming the standard user authentication method across different browsers, websites, and applications. In fact, a recent report from FIDO Alliance shows that consumer awareness for passkeys has grown significantly over its first year of being live, going from 39% awareness in 2022 to 52% in 2023.

At Ping Identity, we know that embedding FIDO into your apps and services can enhance the user experience and help you mitigate security risks. That’s why we’ve developed scalable and robust solutions to help you implement passwordless authentication with minimal manual configuration. With Ping Identity, you can leave the shortcomings of passwords behind and leverage FIDO2 specifications to your advantage.

Implementing Passwordless for Your Organization

PingOne for Customers Passwordless is our cloud-based passwordless solution that can serve all customer types and requires minimal setup. For a more seamless and secure online experience, contact us today to learn more about our passwordless solutions.