
Understanding FIDO2 Compliance

LastPass, September 20, 2024

The word “passwordless” may conjure up images of an online service that’s wide open to cybercriminals, but in fact the opposite is true.  

By reducing or eliminating the need to create, manage and remember passwords, organizations can streamline the way people access the services they want to use, while keeping data fully protected.  

The key to achieving passwordless authentication is working with solutions that comply with FIDO2. What does it mean to be FIDO2 compliant? This post will provide all the details you're looking for.

What Is FIDO2? 

There could come a point where FIDO2 is so widely adopted you may not need to understand it in detail. Until then, here are the basics:   

Overview of FIDO2 and its role in authentication 

Developed by the Fast Identity Online (FIDO) Alliance, FIDO2 is a standard intended to let users authenticate themselves on an application or system using public key (asymmetric) cryptography. It follows previous specifications such as FIDO Universal Second Factor (FIDO U2F) and the FIDO Universal Authentication Framework (UAF).

FIDO2 provides organizations flexibility in how they secure critical systems and applications by allowing either two-factor authentication or a completely passwordless approach.   

Benefits of using FIDO2 for passwordless authentication 

As a non-commercial entity, the FIDO Alliance works for the benefit of organizations around the world, and FIDO2 is just the latest example.   

The open nature of the specification means organizations can implement FIDO2 as a standard within the products they develop using their own software engineers, or those they purchase from third party vendors.  

Using a combination of encryption, a hardware-based token and identifiers such as biometrics and PINs lets organizations that adopt FIDO2 prevent man-in-the-middle attacks and other security threats. In that sense, FIDO2 is more secure than a traditional smartcard, which relies on a single way to verify someone's identity and requires specific infrastructure.

FIDO2 compliance requirements 

FIDO requires those interested in implementing its standard to be formally certified. This involves several steps, including self-validating that the tools you're using conform to FIDO specifications.   

Auditors will then oversee interoperability tests and check that the authenticators can ward off threats like phishing, remote software attacks and local hardware attacks. Once this information has been validated, FIDO can officially confirm that the FIDO2 servers supporting the implementation comply with all requirements and are certified.

How Does FIDO2 Work? 

The FIDO Alliance’s work on this standard shows how the organization is learning from previous approaches and making authentication increasingly secure.   

Explanation of FIDO2's underlying technology and protocols 

When you register for a FIDO2-supported online service, the authenticator on your device generates a public/private key pair that is scoped exclusively to that service.

These passkeys can only be used once you have confirmed who you are through an authenticator. This could be what's called a "bound authenticator," such as a PIN or a biometric identifier such as your fingerprint or facial scan.

Some implementations use what are known as cross-platform or “roaming” authenticators, such as a physical key that you plug into your device. YubiKey, for instance, is FIDO2 compliant. A smartphone, tablet or even a wearable like a smartwatch could also serve as a roaming authenticator.  

FIDO2 relies on WebAuthn, a protocol that works within a browser to register, manage and authenticate you when you try to access a site or system. WebAuthn is a component of FIDO2, but the latter encompasses other elements as well.  

The Client to Authenticator Protocol (CTAP), meanwhile, governs how the client device (such as a browser or operating system) communicates with an external authenticator such as a security token.

Step-by-step process of FIDO2 authentication 

Once you've signed up for a FIDO2-supported service, your private key will be stored on your device, like your laptop or smartphone. Meanwhile, the public key is stored on the servers of the organization running the service.

From here, the process becomes both simple and fluid:  

  1. Log into your app by pressing a button in your browser.  
  2. Your service provider will send a security challenge by calling upon the WebAuthn protocol. 
  3. Depending on the authentication method you chose during the sign-up process, you’ll respond to the security challenge by entering your PIN, scanning your fingerprint or plugging in your hardware key.  
  4. Your authenticator uses your private key to sign the challenge, and the service verifies that signature against the public key it stored at registration. The private key itself never leaves your device. This is sometimes called "signing" the challenge.
  5. You’re in – the system will provide access to the service you want to use.  

In practice, logging in this way can happen very quickly, where it becomes almost routine but remains highly secure.   

Integration considerations for implementing FIDO2  

Some aspects of FIDO2 integration, such as modifying a service's registration and login screens, may be fairly straightforward. For organizations with a lot of legacy infrastructure, however, other changes will likely be needed to shift from a traditional username and password approach to completely passwordless authentication.

FIDO2 vs U2F vs UAF  

The FIDO Alliance has an ongoing mission to reduce the world’s over-reliance on passwords. This has led to a number of standards, which can sometimes be a little difficult to distinguish.  

Comparison between FIDO2, U2F, and UAF authentication  

Think of U2F as a "second factor experience." When you logged into a digital service, for instance, U2F provided a second factor to authenticate yourself, such as a FIDO security key. U2F has since been rebranded as CTAP2 now that FIDO2 is available.

UAF, meanwhile, set the stage for passwordless logins by allowing the use of fingerprints, facial scans and other factors as an authenticator when users register for an account.

Key differences and similarities between these protocols 

To a certain extent, FIDO2 builds upon UAF and incorporates U2F or CTAP2. The biggest difference is that U2F was really about adding a second factor to strengthen services that used passwords, while FIDO2 aims at eliminating passwords altogether.   

Use cases for each authentication standard 

U2F was a good solution at a point when organizations might not have been completely ready to transition away from the passwords that had long been a part of their IT security policies. Now that it is a part of FIDO2, however, it is essentially obsolete as a standalone standard.   

UAF really makes passwordless authentication possible and makes sense for organizations that might want to prioritize biometrics as their authenticator of choice. FIDO2 provides a bit more flexibility and choice in how you standardize passwordless authentication across your organization.  

Advantages of FIDO2 Compliance 

FIDO2 isn’t the only way to authenticate users, but there are some compelling business drivers to keep in mind as you weigh your decision:  

Enhanced security features provided by FIDO2 compliance 

Can FIDO2 be hacked? Not easily. By storing cryptographic keys and biometric data such as a fingerprint on your devices, FIDO2 makes life a lot more difficult for cybercriminals who have traditionally relied on stealing credentials through digital channels. It's a way of establishing an encrypted login process by default.

Adding private keys into the mix, including a hardware key, FIDO2 also offers organizations an alternative to setting up login processes that rely on sending text messages with a one-time passcode (OTP).    

These security features can provide defenses against social engineering attacks such as phishing schemes and ransomware, among other cyber threats.  

Elimination of passwords and improved user experience 

Passwords can be difficult for people to remember, and not everyone creates strong passwords in the first place. This leaves organizations open to malware, data breaches, advanced persistent threats and more.   

Even with strong password policies, organizations still need to make sure they’re enforced, and IT departments can wind up spending more time than they should having to reset passwords.  

FIDO2 overcomes these challenges. Even though multiple steps are involved, the ease of use that comes with a passwordless approach gives people more time to focus on what they want to do when they access a digital service.  

Compatibility with various devices and platforms  

FIDO2 can work with a variety of devices such as laptops and PCs, and the number of online platforms supporting the standard continues to grow. Microsoft, Twitter/X, Shopify and GitHub all provide login via FIDO2, for example.  

Challenges of FIDO2 Compliance 

As with any industry standard, adopting FIDO2 doesn’t come without some potential tradeoffs or drawbacks that you need to take into account.   

Potential implementation challenges and considerations 

Beyond integrating with legacy infrastructure, switching to FIDO2 may require investing in security tokens, which become a significant expense for large enterprises with many employees. The concept of passwordless authentication is also likely to be new to many employees, which means any rollout will have to come with the appropriate level of training.   

Adoption barriers and how to overcome them 

In some environments, the use of biometric authenticators may raise concerns among employees or other stakeholders about where data is being stored and how it will be used. Explaining the rules of biometrics in UAF and FIDO2 should be done in layperson’s terms and at the outset of the registration process.   

Adoption can also face pushback if people accessing the same online service several times a day feel like the additional steps in FIDO2 are a burden. Take the time to help them understand the extra level of defense the standard provides against common forms of cyber threat to secure buy-in.  

Dealing with legacy systems can also be a challenge, so consider rolling out FIDO2 in phases, starting with the most critical online services and then expanding over time.  

Addressing potential risks and vulnerabilities 

There are some nuances to keep in mind with FIDO2. Chief among them is the need to secure any session tokens issued after a successful login, particularly if there's no validation of the device that requested them. Otherwise, threat actors might attempt to steal these tokens to conduct man-in-the-middle attacks and compromise an organization's defenses.

It’s also important to register a second FIDO key in the event that someone misplaces the original.  

Security researchers have suggested there could be FIDO2 risks involving logins using NFC connections and issues with a pinToken that gets generated at startup. Organizations should keep a watch on this kind of research and how the FIDO Alliance continues to evolve the standard.  

Applications of FIDO2 Compliance 

Unlike some standards that see little take-up, FIDO2 is already being deployed by some high-profile names:   

Real-world examples of FIDO2 implementation 

In 2023, Google formally released code that would allow for the creation of strong security keys based on FIDO2. The company said using it would provide a way to combat potential security attacks that cybercriminals might develop using powerful quantum computers.   

Amazon Web Services (AWS) is also now supporting passkeys based on FIDO2, which the company says will help customers meet multi-factor authentication (MFA) requirements.  

Industries and use cases where FIDO2 compliance is beneficial 

Tech companies and organizations that primarily offer products and services through digital channels are natural candidates for FIDO2 adoption. However, any organization that would benefit from passwordless logins might use solutions based on the standard as well.   

For commercial property owners, FIDO2’s use of hardware keys could ensure only authorized individuals are permitted to gain access to a particular location’s premises.  

FIDO2’s options around biometric authenticators could make it a staple within the travel sector to verify travelers’ identities.  

FIDO2 could support regulatory compliance standards such as Know Your Customer (KYC) and anti-money laundering (AML) rules. Even environments connected to the Internet of Things (IoT) could benefit from passwordless logins.  

Success stories and case studies 

The FIDO Alliance regularly publishes success stories of organizations that apply its standards. Recent examples include Wedding Park Co. Ltd., a review site and media company that has used FIDO2 to provide passwordless authentication and reduced login errors that used to number 200 a month.   

In Japan, meanwhile, automotive manufacturing giant Toyota Motor Corp. has also shifted to FIDO2, allowing employees to avoid having to enter a username and password each time they want to access one of the organization’s smartphone apps.  

How LastPass Meets FIDO2 Compliance 

LastPass is not only FIDO2 compliant – it was the first password manager to be certified under the new standard.   

Added layer of security 

Organizations that use LastPass can use biometric authenticators such as their fingerprint or facial scan to access their vault. The vault itself is encrypted, providing extra defenses. This builds upon the LastPass Authenticator App that was first introduced in 2022.

FIDO2 authenticator 

Adding FIDO2 authenticators brings LastPass customers greater choice in how they want to introduce passwordless logins, while master passwords can be kept in the vault for scenarios where they might still be needed. The end result is a stronger security posture as well as convenience for employees.   

Reduce phishing risk 

With tools like generative artificial intelligence (AI) now commonplace, threat actors could create near-endless iterations of the messages they use in phishing schemes. Organizations using FIDO2 reduce and mitigate the severity of that problem, because a password alone is not enough to penetrate an online service.   

Meeting cyber insurance requirements 

Keeping up with the demands of industries such as insurance can be a burden on IT departments, but LastPass has addressed that too by supporting FIDO2. The standard demonstrates adherence to common requirements around encryption, MFA and more.  

Does passwordless authentication appeal to you? Start your LastPass trial today.