Hello, 🌎! The First Identity Online (FIDO) Alliance was launched in 2013 with the sole purpose of finding an alternative to password-based authentication. Well, close to a decade later, they believe they have found a solution that will permanently supplant password-based authentication, along with the legacy multi-factor authentication (MFA) mechanisms layered on top of it. In this blog post, I’ll talk about FIDO-based secure authentication. Before getting into FIDO authentication itself, I’d like to give some context as to why we need to replace passwords. Let’s go for it!
Why Do Passwords Need to be Replaced?
Usernames and passwords have been the dominant form of authentication since the beginning of the Internet. Since then, security researchers have identified many vulnerabilities in systems that implement password-based authentication. Most of these vulnerabilities are not directly linked to computers, but to people. People naturally find ways around password best practices, such as reusing passwords or choosing memorable but guessable ones.
Even when password-based authentication systems have enabled a second factor of authentication, such as a time-based one-time password (TOTP), researchers and attackers have still found ways to compromise these credentials. And once a threat actor holds compromised credentials, they may have “the key(s) to the kingdom”. Hence, the birth of the FIDO Alliance!
FIDO-based authentication is a hardware-based, phishing-resistant authentication mechanism, making it an AAL3 (“authenticator assurance level 3”) solution as defined by NIST’s Digital Identity Guidelines, which means it offers the highest level of authentication assurance the guidelines define. FIDO-based authentication relies on a user’s smartphone or smart device, such as a smartwatch, to act as a “roaming authenticator” that can swiftly move between devices which automatically store FIDO credentials — eliminating the need for a password.
Bluetooth is used to perform the authentication between the FIDO authenticator device and the device the user is trying to sign in on. The operating system of a supported FIDO device can sync FIDO credentials across multiple devices that are tied to a user’s biometrics (that’s dope!). If the OS of a newly acquired device does not implement the FIDO authentication protocol, a Bluetooth-based protocol can be used instead: it relies on the user having a nearby device that does hold a FIDO credential, and uses that device to verify and authenticate both the new device and the user.
Additional security can be added to the FIDO authentication lifecycle by adding a “device-bound cryptographic key” that is used in conjunction with the FIDO credential to perform authentication, as shown in the image below.
No system is ever 100% secure, but I am excited to see the transition to this revolutionary form of authentication, which takes advantage of something most people already have access to… a smartphone! And also, I am tired of passwords! I recommend reading the paper by the FIDO Alliance itself, linked below in the references section; it isn’t too long of a read.
If you enjoyed reading this blog post and learned something, keep an eye out for more of my posts, and maybe consider following me on GitHub, where I work on cybersecurity projects. And if you are feeling really generous, consider buying me a coffee!