Key-based multi-factor authentication is one of the best ways to secure access to data, to a network, or to a user account. Unlike a single-password system that grants total access if that one password is deciphered, multi-factor authentication requires more than one component to be present for full access, dramatically reducing the chance that phishing or other forms of identity theft succeed.
With FIDO protocols and key pair technology, multi-factor authentication can be faster, easier, and more secure than traditional single-password security systems.
What Is FIDO?
FIDO stands for Fast Identity Online. It is a global alliance of companies dedicated to establishing cryptographic security standards that can easily integrate into systems and with each other to eliminate the reliance on traditional knowledge-based systems (such as usernames and passwords). FIDO protocols embrace various security measures, including key-based biometrics such as fingerprints, voice and face recognition, security tokens, NFC cards, and other forms of key-based multi-factor authentication.
Because industry standards are established and observed, different security devices and software are compatible and interoperable, so that no device or software will fail to work with another system.
What Is A Key Pair?
A key pair is a security measure that creates two digital “keys” that, when used together (a “key pair”), securely grant account access in a phishing-resistant manner. There is a “public” key and a “private” key, and both are required to access services successfully and read data. The public key is the one that the user account uses to grant access (it authenticates to the service) and that includes an encryption function, taking raw data that can be received or understood as is and encrypting it into an unreadable format.
The private key is the one that the user on a device uses for presentation and verification to decrypt data and make it readable once again. Both keys must be present to make data at rest readable to a system and to grant access to services.
Under the FIDO protocol, a user goes through the normal registration procedure, which creates a new user account while the system creates a public-private key pair for the account. Once registration is complete, any time a user wishes to access their account protected by the key pair, they log in, which requires the public key, and then provide the private key to decipher the encryption and access the account and the data protected within it.
This is a much stronger form of protection against the conventional phishing techniques or man-in-the-middle attacks that are used to steal user credentials and access the “taken-over” account. Because two cryptographic keys are required, even if a bad actor can steal the public “account” key, they can go no further, because without the private key they cannot unlock the account or access its data.