Password-free authentication – FIDO2 and WebAuthn
Trustworthy

Lead Image © Studio Porto Sabbia, 123RF.com
FIDO2 authentication with WebAuthn may sound the death knell for the password age.
Fido was a loyal soul – the name literally means faithful, loyal, trustworthy [1]. The mongrel found its way to the Lincoln household and quickly became a family member. Dirty paws, sleeping on the sofa – the dog was allowed to do everything (Figure 1). He even shared his master's fate: Only a few months after the fatal assassination of US President Abraham Lincoln, a drunk stabbed him [2].

In 2012 a new player, the FIDO (Fast IDentity Online) Alliance [3] – not to be confused with Fidonet [4], a bulletin board system (BBS) from the 1980s and 1990s that older readers will remember as popular with hackers and geeks – came onto the market (see the "The FIDO Alliance" box).
The FIDO Alliance
The beginnings of the non-profit FIDO Alliance date back to 2009, with roots in biometrics and PayPal environments. Since its founding in July 2012, more than 250 industry representatives have gathered under its roof [5], including financial institutions, computer hardware and processor manufacturers, software and information companies, security organizations, and, since October 2015, the German Federal Office for Information Security. In 2013, work began on a passwordless authentication protocol.
According to the FIDO Alliance, 3.5 billion user accounts worldwide use FIDO authentication, 80 percent of available mobile devices support the process, and more than 400 FIDO-certified devices are available.
FIDOsophy
According to the FIDO Alliance website, their goal is to combine transaction-secure, strong authentication with good usability while preventing fraud and providing the provider with the most efficient and uniform authentication mechanism possible.
The approach aims to combine biometrics and two-factor authentication, which is achieved when a user deposits a key on a server and then confirms subsequent requests through a local challenge-response mechanism by pressing a button or providing some other proof of physical presence (e.g., a fingerprint reader) to activate a service. According to the FIDO Alliance website, Google was one of the first companies to use authentication with tokens successfully.
Unlike traditional authentication methods, two-factor methods, such as those developed by Yubico [6], do without a central server. It was an urgent concern of Jakob Ehrensvärd, company CTO, to develop a decentralized authentication mechanism that does without shared secrets that communication partners need to safeguard. At the same time, however, he wanted it to be possible to use arbitrary services while ensuring the anonymity of the users (i.e., enabling any number of identities for any user).
In 2014, the FIDO Alliance simultaneously completed version 1.0 of the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) protocols. In the years that followed, numerous client and server implementations appeared. At the same time, the Alliance gathered new members from the IT security, finance, software, and biometrics sectors. The first test and certification program appeared in 2015, followed by mobile implementations for iOS and Android, but also using contactless approaches with Bluetooth and near field communication. Microsoft started with Windows 10, and the Japanese provider NTT Docomo enabled its 65 million customers to log in without passwords.
FIDO2
In November 2015, the Alliance submitted the design for FIDO2 to the World Wide Web Consortium (W3C). Just three months later, the W3C announced the establishment of a working group. Its goal was to promote standardization of strong authentication mechanisms for web browsers and websites based on the FIDO2 web APIs.
The goal of the Web Authentication Working Group is to create a client-side API for web applications and to make e-payments with biometrics and other secondary factors both more secure and simpler, because most smartphones already have fingerprint readers and similar modules on board.
This scheme ensures greater user satisfaction and protects the authenticity of the credit card holder better than ever before, say FIDO and EMVCo, whose six members (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) oversee "… the requirements for global interoperability between chip-based payment applications and acceptance terminals to enable secure contact and contactless transactions and other emerging payment technologies" [7].
In late 2016, the FIDO Alliance became the largest ecosystem for authentication standards. More than 200 certified solutions are now available, and thanks to Facebook integration, more than three billion people have access to secure login procedures. In March 2018, the W3C finally presented version 2 as a W3C Candidate Recommendation [8].
In addition to the FIDO classics UAF and U2F, FIDO2 now includes the Client to Authenticator Protocol (CTAP) and the WebAuthn protocol as specifications for integration in browsers and web applications [9] (Figure 2).

Operations
The entire operation needs to be simple and transparent for the user. Figure 3 shows the two variants, with a biometric feature on a smartphone (top) and USB tokens, smart cards, embedded secure elements, or trusted platform modules (bottom) as local device authentication. In the background, the new standard uses public key cryptography, which in combination with the local 2FA mechanisms also seems to arm the procedure well against any kind of phishing.

In the simplest case, the client device registers with the server using a public key. From that point on, the local device authentication can activate the private key to carry out the desired authentication.
Usually the server will prompt the user to select an appropriate authentication method and device for both sides. The client library then generates the special key pair for this combination of local device, online service, and user account. The public key, also linked to the user account, then ends up on the server. The server does not receive any information about the local links on the customer side, so anyone breaking in would not be able to find out which authentication type the customer has chosen.
In detail, the challenge-response process works as follows: The server sends a challenge to the user to log in as before (i.e., on the device and with the procedure that allows the keys to be read). If the client succeeds, it signs the challenge with its private key and sends the whole thing to the server. The server then only needs to check whether the public key matches the signature and then logs the user on. Alternatively, it triggers a requested process. The user can also store several keys on suitable media, which can then be used as required.