DISCLAIMER I’m not a FIDO expert. I understand the principles and the concepts, but I have no experience with the minute details. I’ve done my best to read as much as I can, and I believe everything here is accurate, but I may have made the odd mistake, and if I have, I apologise!
The Problem to be Solved — Passwords Don’t Work on the Web!
- Passwords are secrets we entrust to websites so they can authenticate us.
- We have no choice but to trust that the website will properly protect the password. There is no way for users to validate what websites do with passwords 🙁
- Passwords can be well protected — use a strong salted hashing algorithm with high-quality entropy
- In reality, we now know many websites do an extremely poor job of protecting passwords, hence the billions of breached passwords freely available on the web, and, the prevalence of password stuffing attacks (trying breached username+password combinations on un-breached sites).
- To be safe, we must use unique passwords for every web site we have an account on.
- Humans are not equipped to generate or store tens or even hundreds of unique passwords!
- Identity Providers (sign in with X) help somewhat, but are not universally supported, raise privacy concerns, and still involve trusting the provider with a password they have to keep secret. It also concentrates risk.
- Password managers & generators help manage the problem, but they can be daunting to regular folks
- In reality, most people have very bad password hygiene, weak passwords re-used widely!
Enter Two-Factor Authentication (2FA)
- When it first became clear passwords were no-longer secure enough for the really important stuff, the solution was to augment them with a so-called second factor to get us to 2FA.
- In the 2FA philosophy there are three classes of factor:
- something you know (a password or pass-phrase)
- something you have (like a hardware token or cryptographic key)
- something you are (biometrics)
- In general, sites implemented 2FA as a password and a token or biometric, i.e. something you know with something you have or something you are.
Goodbye 2FA, Hello MFA
- While 2FA was a big improvement in terms of security, it proved very cumbersome for users. The result was reluctant, slow, and limited adoption.
- Multi-Factor Authentication (MFA) is the logical evolution of 2FA and aims to increase security while simultaneously lowering the burden on users.
- MFA uses as many factors as possible, including very weak factors, to build up a total confidence level that must cross a threshold appropriate to the context.
- All tasks and data are not equal, so context really does matter!
- The first login from a new device should raise more suspicions than the 500th login from the same device. A site should raise the bar in terms of required confidence for a first login.
- Viewing your balance on your bank’s web interface should require a high level of confidence, but not nearly a much as the act of setting up a new outbound transfer template!
- To build up its confidence level MFA can rely on many factors, both explicit and implicit.
- Explicit factors can include all the things that were commonly used for 2FA — passwords, security questions, request for factual information the user should know, short PINs, hardware tokens, one-time codes from a generator of some kind, one-time codes sent to the user in some way, approval prompts, device verification procedures, and more.
- Users would be encouraged to set up multiple explicit factors (either by carrot or stick depending on the context).
- Implicit factors are things like the presence or not of a browser cookie, whether or not the request is coming from a previously used device, whether or not the request is coming from a previously used IP address range, whether or not the request is coming from a city, county, or country the users usually connects from. Whether or not it’s realistic for the user to have travelled from their previous location to this location in the amount of time that has elapsed, and so on.
- AI often plays a part in interpreting implicit factors.
- MFA is often very configurable, especially in corporate contexts, where some users, some servers, some data, and some physical locations are treated differently to others.
- MFA generally results in users being asked to jump through more hoops when it really matters, but fewer on average.
- With MFA users tend to be asked for their password much less frequently, so a long strong password becomes much less burdensome.
- Strong explicit factors will always add more confidence than implicit factors, so MFA does not remove the need for them.
- Hardware tokens and mechanisms for securely recognising a device as trusted are particularly powerful MFA factors, and that’s where cryptography comes into our story!
Cryptography to the Rescue! — Asymmetric (AKA Public/Private Key) Crypto
- An asymmetric key-pair consists of two long random-looking keys.
- Anything encrypted with one key from the pair can only be decrypted with the other key from the pair.
- When a key-pair is generated we arbitrarily choose one to keep secret and never share with anyone, and name it the Private Key. The other one them becomes the matching Public Key.
- Public/Private key-pairs can be used for secret-less authentication
- The website stores my public key (not a secret!)
- When the website needs to authenticate someone claiming to be me it generates a large random number and encrypts it with my public key. This encrypted number is now a challenge which only the owner of the private key can solve!
- I’m handed the challenge, I can easily decrypt the challenge since I have my private key, and I then return it to the website.
- The website verifies the solution to the challenge is correct, and then knows I’m me.
A Little History — FIDO
- FIDO was the first attempt at using asymmetric crypto for authentication on the web.
- FIDO stands for Fast IDentity Online, and is an open suite of protocols managed by the FIDO Alliance.
- You’ll find a full list of FIDO Alliance members on their website, but it includes really big names like Google, Facebook, PayPal, Amazon, Intel, Microsoft, Visa, Mastercard & Mozilla.
- FIDO provided a standard protocol for allowing certified hardware tokens to authenticate users to websites
- FIDO tokens store private keys in an un-retrievable form but provide APIs for passing challenges to them and retrieving the responses.
- FIDO tokens come in two common forms; USB & BlueTooth (e.g. Ubikeys)
- Browsers need to support the FIDO protocol for websites to be able to interact with the tokens. This is not a particularly complex task though — the browser simply has to act as a bridge between the website and the locally connected USB/Bluetooth device.
- FIDO was not intended to replace passwords, but to augment them as a very strong second factor for 2FA, hence the creators billing it as a Universal Second Factor.
- FIDO only supported hardware tokens, and could not be used to build a trust relationship between a website and a computer or mobile device
- One FIDO hardware token contains one private key, and hence has one public key, so if you used the same token on multiple sites, you share the same public key with multiple sites, which could allow tracking! A separate hardware token per site works fine when you only use them for work and maybe internet banking, but it was a solution that could not scale to cover the majority of people’s internet activities!
Enter FIDO2, WebAuthn & CTAP
- FIDO2 is a collective term for the newest suite of protocols published by the FIDO Alliance. Including:
- WebAuthn — an API browsers and apps can use to access FIDO2 authentication
- CTAP (Client to Authenticator Protocol) — the protocol FIDO2 uses to interact with FIDO hardware tokens and with other devices
- FIDO U2F (Universal Second Factor) — the original FIDO 2FA using USB and BlueTooth tokens.
- FIDO UAF (Universal Authentication Framework) — a new framework which uses asymmetric cryptography in conjunction with secure enclaves like TPMs on PCs and the Secure Enclave on iOS devices to authenticate computing devices to online services. I.e., to securely create a trust relationship between your computer, phone, or tablet, and a website or cloud service.
- With UAF a private key is securely stored in the secure enclave and the public key is sent to the online site or service.
- The website sends a challenge to the device, which passes it into the secure enclave where it gets decrypted, and the result gets returned to the site/service.
- The local device is responsible for controlling access to the secure enclave, usually via biometrics of some form.
- Windows 10 is already certified for FIDO UAF, and the versions of macOS and iOS currently in beta support the protocol.
- Unlike FIDO U2F hardware tokens, FIDO UAF devices can store many private keys in their secure enclave, so UAF uses a separate key-pair for each site/service.
- A website or service can arbitrarily many trust relationships to an account. I.e. you can add your laptop, desktop, phone, and tablet as trusted devices on a single account.
- In terms of existing FIDO U2F keys, nothing really changes with FIDO2, you can keep using your existing token with your existing services, and, you can still get new tokens.
- The big change is UAF which will allow any device that supports it to effectively act as a hardware token, or, to be considered trusted by a website. This allows some very user-friendly workflows, e.g.
- Securely signing in to apps or websites on a trusted device with just a fingerprint scan or face recognition
- Using your computer, phone, or tablet to confirm a login from an un-trusted device with just the touch of a finger or a glance at a camera.
- Because arbitrarily many devices can be trusted, and because it uses cryptographically strong key-pairs, FIDO UAF is stronger than a password and can replace passwords are the primary form of authentication in an MFA world!
So, with all that said, what is the hope for FIDO2? Over time we may get to a point where passwords go away completely, but I think they’ll remain as a factor for some time to come. I’m not sure people are ready to do without them yet! What I hope to see the barriers to MFA plummet, and for people to be asked for their passwords less and less so they are more and more happy to have strong passwords. Finally, I want to have an IDP that leverages FIDO and respects my privacy to really reduce my reliance on separate accounts all over the place.