FIDO2 Technology
FIDO2 is the latest specification from the FIDO Alliance (Fast Identity Online), which was created to provide open and license-free standards for secure web authentication. First came FIDO U2F, then FIDO UAF, followed most recently by FIDO2.
At its core, FIDO2 consists of the Client to Authenticator Protocol (CTAP) and the W3C standard WebAuthn. Together they enable authentication in which users prove their identity with a cryptographic authenticator, either one built into the device and unlocked by biometrics or a PIN, or an external one (such as a FIDO security key, wearable or mobile device), to a trusted WebAuthn remote peer (the relying party, also known as a FIDO2 server) that typically belongs to a website or web app.
The difference between FIDO and FIDO2 compliant keys
FIDO2 improves on the U2F standard, mainly by adding the ability to perform password-less logins. U2F could not offer this because the protocol and the devices were designed so that the authenticator needed little or no storage: it kept no record of the accounts it had been registered with, so the user still had to identify themselves with a username (and password) before the key could be used as a second factor. FIDO2 authenticators can have extra functionality: User Verification (e.g. a fingerprint or PIN) and/or storing the {server id, user id, key pair, key handle} on the authenticator itself (called a "resident key").
To address this, FIDO2 devices are now required to persist your username(s) for a particular site (the resident key described above). The CTAP2 protocol has also been extended to accommodate these more sophisticated authenticators.
How does FIDO2 work?
The FIDO Alliance's main goal was to eliminate passwords on the web. To achieve this, a secure communication path between the browser and the respective web service must be established; the process works as follows:
- The user registers with an online service, and the device in use generates a new key pair consisting of a private key and a public FIDO2 key.
- The private key is stored on the device and is known only on the client side; the public key is registered in the web service's key database.
- Authentication is then possible only with that private key, which must be unlocked by the user each time it is used.
- Some FIDO2 authenticators require additional factors, such as entering a PIN, pressing a button, presenting a fingerprint, or inserting a separate two-factor hardware device (a FIDO2 token).
What differentiates FIDO2 tokens?
- Users will not face fragile password problems and can experience a password-less
- Users can simply authenticate by pressing a button on a USB device or tapping the token over NFC.
- FIDO2 tokens can support any number of services.
- FIDO2 tokens enhance security by never sharing a secret between the service provider and the token holder: each service receives only a public key.
Great Content, Keep it up
Great article TrustSEC team. Really, thank you!