Password-free authentication – FIDO2 and WebAuthn
Trustworthy
FIDO2 authentication with WebAuthn may herald the end of the password age.
Fido was a loyal soul – the name literally means faithful, loyal, trustworthy [1]. The mongrel found its way to the Lincoln household and quickly became a family member. Dirty paws, sleeping on the sofa – the dog was allowed to do everything (Figure 1). He even shared his master's fate: Only a few months after the fatal assassination of US President Abraham Lincoln, a drunk stabbed him [2].
In 2012, a new player came onto the market: the FIDO (Fast IDentity Online) Alliance [3] (see the "The FIDO Alliance" box) – not to be confused with Fidonet [4], a bulletin board system (BBS) from the 1980s and 1990s that older readers will remember as popular with hackers and geeks.
The FIDO Alliance
The beginnings of the non-profit FIDO Alliance date back to 2009, with roots in biometrics and PayPal environments. Since its founding in July 2012, more than 250 industry representatives have gathered under its roof [5], including financial institutions, computer hardware and processor manufacturers, software and information companies, security organizations, and, since October 2015, the German Federal Office for Information Security. In 2013, work began on a passwordless authentication protocol.
According to the FIDO Alliance, 3.5 billion user accounts worldwide use FIDO authentication, 80 percent of available mobile devices support the process, and more than 400 FIDO-certified devices are available.
FIDOsophy
According to the FIDO Alliance website, their goal is to combine transaction-secure, strong authentication with good usability while preventing fraud and providing the provider with the most efficient and uniform authentication mechanism possible.
The approach aims to combine biometrics and two-factor authentication, which is achieved when a user deposits a key on a server and then confirms subsequent requests through a local challenge-response mechanism by pressing a button or providing some other proof of physical presence (e.g., a fingerprint reader) to activate a service. According to the FIDO Alliance website, Google was one of the first companies to use authentication with tokens successfully.
Unlike traditional authentication methods, two-factor methods, such as those developed by Yubico [6], do without a central server. It was an urgent concern of Jakob Ehrensvärd, company CTO, to develop a decentralized authentication mechanism that does without shared secrets that communication partners need to safeguard. At the same time, however, he wanted it to be possible to use arbitrary services while ensuring the anonymity of the users (i.e., enabling any number of identities for any user).
In 2014, the FIDO Alliance simultaneously completed version 1.0 of the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) protocols. In the years that followed, numerous client and server implementations appeared. At the same time, the Alliance gathered new members from the IT security, finance, software, and biometrics sectors. The first test and certification program appeared in 2015, followed by mobile implementations for iOS and Android, but also using contactless approaches with Bluetooth and near field communication. Microsoft started with Windows 10, and the Japanese provider NTT Docomo enabled its 65 million customers to log in without passwords.
FIDO2
In November 2015, the Alliance submitted the design for FIDO2 to the World Wide Web Consortium (W3C). Just three months later, the W3C announced the establishment of a working group. Its goal was to promote standardization of strong authentication mechanisms for web browsers and websites based on the FIDO2 web APIs.
The goal of the Web Authentication Working Group is to create a client-side API for web applications and to make e-payments with biometrics and other secondary factors both more secure and simpler, because most smartphones already have fingerprint readers and similar modules on board.
This scheme ensures greater user satisfaction and protects the authenticity of the credit card holder better than ever before, say FIDO and EMVCo, whose six members (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) oversee "… the requirements for global interoperability between chip-based payment applications and acceptance terminals to enable secure contact and contactless transactions and other emerging payment technologies" [7].
In late 2016, the FIDO Alliance became the largest ecosystem for authentication standards. More than 200 certified solutions are now available, and thanks to Facebook integration, more than three billion people have access to secure login procedures. In March 2018, the W3C finally presented version 2 as a W3C Candidate Recommendation [8].
In addition to the FIDO classics UAF and U2F, FIDO2 now includes the Client to Authenticator Protocol (CTAP) and the WebAuthn protocol as specifications for integration in browsers and web applications [9] (Figure 2).
Operations
The entire operation needs to be simple and transparent for the user. Figure 3 shows the two variants, with a biometric feature on a smartphone (top) and USB tokens, smart cards, embedded secure elements, or trusted platform modules (bottom) as local device authentication. In the background, the new standard uses public key cryptography, which in combination with the local 2FA mechanisms also seems to arm the procedure well against any kind of phishing.
In the simplest case, the client device registers with the server using a public key. From that point on, the local device authentication can activate the private key to carry out the desired authentication.
Usually the server will prompt the user to select an appropriate authentication method and device for both sides. The client library then generates the special key pair for this combination of local device, online service, and user account. The public key, also linked to the user account, then ends up on the server. The server does not receive any information about the local links on the customer side, so anyone breaking in would not be able to find out which authentication type the customer has chosen.
In detail, the registration process is as follows: The server sends a challenge to the user, who logs in as before (i.e., on the device and with the procedure that allows the keys to be read). If this succeeds, the client signs the challenge with its private key and sends the signed challenge to the server. The server then only needs to verify the signature against the stored public key and logs the user on; alternatively, it triggers the requested operation. The user can also store several keys on suitable media, which can then be used as required.