What is FIDO2?
At the RSA Conference 2018, Microsoft and Google demonstrated the new FIDO2 authentication capabilities they have recently implemented in their core products. Here we will discuss what FIDO2 is, and how you can leverage it. Before we do that, let’s take a step back and see how FIDO2 fits into the broader set of FIDO passwordless authentication standards.
Whether you’re a developer, IT Manager or end-user, you’re familiar with the problems with passwords. They tax end-users, make your infrastructure vulnerable, and are susceptible to scalable attacks. Nok Nok Labs founded the FIDO Alliance in 2013 and brought its key inventions to create a framework of FIDO standards to help eliminate passwords.
With FIDO, end users get simple and unphishable authentication appropriate to their use case, developers get a single API that shields them from the complexity of authenticators and security mechanisms, and IT operators get a single backend that can select the right authenticator for a user by policy regardless of end-user platform or use case.
FIDO makes it possible to deliver strong authentication to users at population scale and changes the economics of authentication. FIDO protocols are now widely deployed commercially to over 3 billion users by the world’s largest payments, banking, insurance, and telecom companies. So far, FIDO protocols have addressed the mobile use case at scale across all operating systems and allowed authentication in browsers and on non-mobile devices through the use of the phone or a USB token as an authentication factor.
To reach an even wider audience, Nok Nok Labs has worked with Google, Microsoft and a few other partners to bring FIDO natively into browsers and operating systems. This new effort, best understood as “FIDO for Browsers”, sits next to the existing FIDO protocols that can be thought of as “FIDO for Mobile Apps”. The new work provides a standard API that allows users to log in with FIDO in a browser without a password and to use phones or tokens as authenticators.
Here you see a high-level architectural view of FIDO2:
Here you see the three components on the client side:
- The web browser that implements the WebAuthn API and connects to the FIDO2 subsystem of the underlying operating system.
- The FIDO2 subsystem of the operating system, which sits between the browser and the authenticators.
- Authenticators that the subsystem accesses to verify the user.
The server side has the relying party’s web application connected to a FIDO2 Server, for example, from Nok Nok Labs.
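The flow between those components, as an added example that is not Nok Nok Labs code: the browser side of a passwordless WebAuthn login, followed by two of the checks the relying party's server makes on the returned assertion. The two JSON endpoints, the base64url transport encoding and the sample values are assumptions.

```javascript
// Added example (not Nok Nok Labs code); assumes JSON endpoints /webauthn/login/options and /webauthn/login/verify.
// base64url helpers: the WebAuthn API uses ArrayBuffers, the server JSON uses strings.
function b64urlDecode(s) {
  const b64 = s.replace(/-/g, '+').replace(/_/g, '/') + '='.repeat((4 - s.length % 4) % 4);
  return Uint8Array.from(atob(b64), c => c.charCodeAt(0));
}
function b64urlEncode(buf) {
  const bin = Array.from(new Uint8Array(buf), b => String.fromCharCode(b)).join('');
  return btoa(bin).replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}
// Client: turn the server's JSON challenge into PublicKeyCredentialRequestOptions.
function toRequestOptions(server) {
  return {
    challenge: b64urlDecode(server.challenge),
    rpId: server.rpId,
    userVerification: server.userVerification ?? 'required',
    allowCredentials: (server.allowCredentials ?? []).map(c =>
      ({ type: 'public-key', id: b64urlDecode(c.id), transports: c.transports })),
  };
}
// Client: fetch a challenge, let the OS FIDO2 subsystem pick an authenticator,
// post the assertion back. Nothing typed by the user is sent.
async function passwordlessLogin() {
  const server = await (await fetch('/webauthn/login/options')).json();
  const cred = await navigator.credentials.get({ publicKey: toRequestOptions(server) });
  const r = cred.response;
  const body = JSON.stringify({
    id: cred.id, rawId: b64urlEncode(cred.rawId),
    authenticatorData: b64urlEncode(r.authenticatorData),
    clientDataJSON: b64urlEncode(r.clientDataJSON), signature: b64urlEncode(r.signature),
  });
  return fetch('/webauthn/login/verify', { method: 'POST', body });
}
// Relying party: clientDataJSON binds the assertion to this origin and challenge;
// a credential used on a look-alike origin fails here, which is what "unphishable" means.
function checkClientData(clientDataJSONBytes, expectedChallenge, expectedOrigin) {
  const cd = JSON.parse(new TextDecoder().decode(clientDataJSONBytes));
  if (cd.type !== 'webauthn.get') return { ok: false, reason: 'wrong ceremony type' };
  if (cd.challenge !== expectedChallenge) return { ok: false, reason: 'challenge mismatch' };
  if (cd.origin !== expectedOrigin) return { ok: false, reason: 'origin mismatch' };
  return { ok: true };
}
// Relying party: flags byte and signature counter from authenticatorData
// (the counter must grow between logins; a non-increasing value hints at a cloned key).
function parseAuthenticatorData(bytes) {
  const flags = bytes[32];
  const signCount = ((bytes[33] << 24) | (bytes[34] << 16) | (bytes[35] << 8) | bytes[36]) >>> 0;
  return { userPresent: (flags & 0x01) !== 0, userVerified: (flags & 0x04) !== 0, signCount };
}
```

The signature itself is verified by the FIDO2 Server against the public key registered for that credential; these checks are the ones that must pass before that verification is even worth attempting.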
Platform support for FIDO2 and WebAuthn is evolving. It is supported in the Edge, Chrome, and Firefox browsers, and in Android apps. WebAuthn is a W3C-approved standard. Over time the list of platforms and browsers should expand, so stay tuned! You can also try out FIDO now.