Half a century-old password authentication remains vulnerable to social engineering attacks, notably Phishing. Phishing is the top attack vector in most ransomware attacks. Cybercriminals can guess or phish or harvest a password and be able to replay it. Password-based authentication systems have evolved over the years. Today, they augment with safeguarding mechanisms such as multi-factor authentication (MFA) or its subset called two-factor authentication (2FA), Universal 2nd Factor Protocol (U2F), and other proprietary implementations.
But still, password-based MFA systems are vulnerable to social engineering abuse like fatigue attacks. For example, major corporations, such as Uber, Cisco, and Microsoft, were hacked using the fatigue vulnerability in their MFA system. Even though most MFA vendors offer workarounds to avoid such attacks, they are not foolproof and do not adhere to a standard. Also, in the 2020 Twitter attack, the hackers used a combination of social engineering and fake login pages to dupe employees who used two-factor authentication to give up their usernames and passwords.
U2F, on the other hand, provides more robust second-factor authentication with hardware-bound security keys like Yubikey. But its adoption is limited to secured on-premises environments because of its friction with the device upgrade and replacement process in case it is lost or stolen. Also, Google recently abandoned its U2F support, stating.
U2F never became an Open Web standard and was subsumed by WebAuthn (a W3C standard).
But whether you use U2F or MFA, first-factor password authentication is still the root cause of many ransomware attacks. So, it is crucial for any organization seeking to strengthen its security posture – to implement a scalable, standard-based, and phishing-resistant authentication system that does not rely on traditional passwords.
Passwordless Authentication with Fast Identity Online (FIDO2)
FIDO2 is a passwordless MFA standard, and by default, it offers two-factor authentication in one easy step. It is an open standard from FIDO Alliance which developed the original U2F specification (now called CTAP1). The FIDO2 consists of two standards: WebAuthn (Web Authentication by W3C) and CTAP2 (Client-to-Authenticator Protocol by FIDO), with the core component being WebAuthn. But do not get caught up with the numbers; they just represent the latest version of the passwordless authentication standard.
How Does it Work?
FIDO2 offers more robust security with cryptographic login credentials unique across every website. Upon registration, a private-public key pair (aka credential) is created for a web app. The private key is then securely stored on the user’s device, while a public key with a randomly generated ID identifying credentials is stored on the server. The server can then use the stored public key to prove the user’s identity for subsequent logins. In most cases, the private key does not leave the user’s device.
After initial registration, the client/app uses a passkey which is the main ingredient of the private key, to enable authentication. The passkeys replace legacy passwords. Unlike passwords, passkeys provide faster, easy, and more secure sign-ins to websites and apps. These passkeys are created and managed by so-called authenticators. There are two kinds of authenticators: one is a platform authenticator, which resides in the OS, and another is external. Yubikey, a physical security key, is an example of an external authenticator. The external authenticators can connect to the device through various interfaces like USB, Lightning, Bluetooth, and NFC.
The Yubikey 5 series security key, which meets the highest NIST security level by design, offers only single-device passkeys which cannot be copied. However, by default, platform authenticators provide multi-device passkeys, a key feature that allows the same private key to exist on multiple devices. This addresses the common device loss and upgrades issues mentioned earlier. Only the private key remains the same, but each device still has its unique passkey means you can sign into an app from multiple devices (Desktop, Laptop, and Mobile devices), even new ones, without re-enrolling every device on every account. It also enables leveraging existing Password Managers to backup and sync passkeys across devices. When the Password Manager backs up a passkey, it uses end-to-end encryption. It uploads the corresponding private key in its encrypted form using an encryption key only available on the user’s devices. It prevents bad actors from stealing private keys out of backup sources – without a private key, they cannot use the passkey to sign into the corresponding user account. Additionally, platform authenticators leverage the device’s encryption hardware – TPM (Trusted Platform Module) to protect private keys with robust hardware-protected encryption.
There are several reasons for everyone to jump on the FIDO2 bandwagon. Following is an excerpt from the CISA recommendations on MFA:
Any form of MFA is better than no MFA. Any MFA will raise the cost of attack and will reduce your risk. Having said that, the only widely available phishing-resistant authentication is FIDO authentication.
But the following two significant announcements in early 2022 are poised to accelerate the broader adoption of FIDO2 in on-premises and cloud environments.
The first was when the Office of Management & Budget announced its Federal Zero Trust Strategy. It requires federal agencies to implement a phishing-resistant standard authentication like FIDO2 to access agency-hosted accounts. Moreover, the NIST has certified FIDO2-compliant security keys like Yubikeys 5 with FIPS 140-2 validation, which enables government agencies and regulated industries to meet the highest authenticator assurance level 3 (AAL3).
But the most notable was when Apple, Google, and Microsoft jointly announced the commitment to expand support for FIDO standards to accelerate the availability of passwordless sign-in with passkeys to consumers across leading devices and platforms.
As of this writing, FIDO2 is supported by all major browsers (Chrome, Edge, Safari, and Firefox) on various platforms (Windows, macOS, and most Linux variants) and major mobile platforms (Android, iOS, and Microsoft), with exception to Microsoft, which is in the early phases of rollout, and OpenSSH.
There is always a cost involved in adopting emerging technology solutions such as FIDO2. But the benefits outweigh the cost. For example, if FIDO2 could prevent even one ransomware attack, it would recoup your entire investment. Also, organizations with many business apps could migrate them in phases, starting with critical ones. FIDO2, by design, enables single sign-on (SSO) without needing an external SSO platform like Okta/Auth0, Duo, OneLogin, JumpCloud, etc. This inherent SSO capability reduces cost significantly and improves manageability. FIDO2 could also be leveraged in OAuth2 environments for user authentication before user consent and resource authorization. Last but not least, FIDO2 can very well complement federation protocols such as OIDC (Open ID Connect) and SAML (Security Assertion Markup Language) in federation environments.