Password-free authentication – FIDO2 and WebAuthn


© Lead Image © Studio Porto Sabbia,

© Lead Image © Studio Porto Sabbia,

Article from Issue 218/2019

FIDO2 authentication with WebAuthn may be sounding the end of the password age.

Fido was a loyal soul – the name literally means faithful, loyal, trustworthy [1]. The mongrel found its way to the Lincoln household and quickly became a family member. Dirty paws, sleeping on the sofa – the dog was allowed to do everything (Figure 1). He even shared his master's fate: Only a few months after the fatal assassination of US President Abraham Lincoln, a drunk stabbed him [2].

Figure 1: Loyal to the death: Abraham Lincoln's dog Fido.

In 2012 a new player, the FIDO (Fast IDentity Online) Alliance [3] – not to be confused with Fidonet [4], a bulletin board system (BBS) from the 1980s and 1990s that older readers will remember as popular with hackers and geeks – came onto the market (see the "The FIDO Alliance" box).

The FIDO Alliance

The beginnings of the non-profit FIDO Alliance date back to 2009, with roots in biometrics and PayPal environments. Since its founding in July 2012, more than 250 industry representatives have gathered under its roof [5], including financial institutions, computer hardware and processor manufacturers, software and information companies, security organizations, and, since October 2015, the German Federal Office for Information Security. In 2013, work began on a passwordless authentication protocol.

According to the FIDO Alliance, 3.5 billion user accounts worldwide use FIDO authentication, 80 percent of available mobile devices support the process, and more than 400 FIDO-certified devices are available.


According to the FIDO Alliance website, their goal is to combine transaction-secure, strong authentication with good usability while preventing fraud and providing the provider with the most efficient and uniform authentication mechanism possible.

The approach aims to combine biometrics and two-factor authentication, which is achieved when a user deposits a key on a server and then confirms subsequent requests through a local challenge-response mechanism by pressing a button or providing some other proof of physical presence (e.g., a fingerprint reader) to activate a service. According to the FIDO Alliance website, Google was one of the first companies to use authentication with tokens successfully.

Unlike traditional authentication methods, two-factor methods, such as those developed by Yubico [6], do without a central server. It was an urgent concern of Jakob Ehrensvärd, company CTO, to develop a decentralized authentication mechanism that does without shared secrets that communication partners need to safeguard. At the same time, however, he wanted it to be possible to use arbitrary services while ensuring the anonymity of the users (i.e., enabling any number of identities for any user).

In 2014, the FIDO Alliance simultaneously completed version 1.0 of the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) protocols. In the years that followed, numerous client and server implementations appeared. At the same time, the Alliance gathered new members from the IT security, finance, software, and biometrics sectors. The first test and certification program appeared in 2015, followed by mobile implementations for iOS and Android, but also using contactless approaches with Bluetooth and near field communication. Microsoft started with Windows 10, and the Japanese provider NTT Docomo enabled its 65 million customers to log in without passwords.


In November 2015, Allianz submitted the design for FIDO2 to the World Wide Web Consortium (W3C). Just three months later, the W3C announced the establishment of a working group. Their goals were to promote standardization for strong authentication mechanisms of web browsers and websites based on the FIDO2 web APIs.

The goal of the Web Authentication Working Group is to create a client-side API for web applications and to make e-payments with biometrics and other secondary factors both more secure and simpler, because most smartphones already have fingerprint readers and similar modules on board.

This scheme ensures greater user satisfaction and protects the authenticity of the credit card holder better than ever before, say FIDO and EMVCo, whose six members (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) oversee "… the requirements for global interoperability between chip-based payment applications and acceptance terminals to enable secure contact and contactless transactions and other emerging payment technologies" [7].

In late 2016, the FIDO Alliance became the largest ecosystem for authentication standards. More than 200 certified solutions are now available, and thanks to Facebook integration, more than three billion people have access to secure login procedures. In March 2018, the W3C finally presented version 2 as a W3C Candidate Recommendation [8].

In addition to the FIDO classics UAF and U2F, FIDO2 now includes the Client to Authenticator Protocol (CTAP) and the WebAuthn protocol as specifications for integration in browsers and web applications [9] (Figure 2).

Figure 2: On the client device, the CTAP library uses an authentication method, whereas the browser uses WebAuthn to ensure secure communication with a web application or platform. Ideally, the user simply chooses a previously set up authentication method.Image ©


The entire operation needs to be simple and transparent for the user. Figure 3 shows the two variants, with a biometric feature on a smartphone (top) and USB tokens, smart cards, embedded secure elements, or trusted platform modules (bottom) as local device authentication. In the background, the new standard uses public key cryptography, which in combination with the local 2FA mechanisms also seems to arm the procedure well against any kind of phishing.

Figure 3: The FIDO alliance promises easy authentication in the future. Image ©

In the simplest case, the client device registers with the server using a public key. From that point on, the local device authentication can activate the private key to carry out the desired authentication.

Usually the server will prompt the user to select an appropriate authentication method and device for both sides. The client library then generates the special key pair for this combination of local device, online service, and user account. The public key, also linked to the user account, then ends up on the server. The server does not receive any information about the local links on the customer side, so anyone breaking in would not be able to find out which authentication type the customer has chosen.

In detail, the registration process is as follows: The server sends a challenge to the user to log in as before (i.e., on the device and with the procedure that allows the keys to be read). If the client succeeds, it signs the challenge with its private key and sends the whole thing to the server. The server then only needs to check whether the public key matches the signature and then logs the user on. Alternatively, it triggers a requested process. The user can also store several keys on suitable media, which can then be use as required.

Buy this article as PDF

Express-Checkout as PDF
Price $2.95
(incl. VAT)

Buy Linux Magazine

Get it on Google Play

US / Canada

Get it on Google Play

UK / Australia

Related content

  • FIDO Alliance Formed to “Revolutionize” Online Authentication

    Forget passwords – several Internet companies have formed the FIDO (Fast IDentity Online) Alliance, which they say will replace passwords with safer and easier to use authentication methods.

  • Industry Giants Announce a Fix for the Password Mess

    FIDO alliance declares the beginning of the end for old-style login authentication.

  • OpenSSH Now Supports FIDO/U2F Security Keys

    SSH users can now add FIDO/U2F to the list of supported multi-factor authentication tools.

  • Linux News

    Jailbreak Spat

    • White House goes on record in support of freedom to jailbreak cell phones
    • News Bites

    10 RHEL 6.4 Released

    • Yahoo ends telecommuting,
    • Canonical UDS
    • LG purchases WebOS from HP

    11 Passwords Passé

    • FIDO alliance seeks new authentication methods
    • Largest Mersenne prime discovered
  • NEWS

    In the news: Zorin OS 15.2 Now Available; Firefox to Get an Additional Sandbox Layer; Microsoft Defender ATP is Coming to Linux; South Korean Government Considers Move to Linux Desktop; OpenSSH Now Supports FIDO/U2F Security Keys; and System76 Launches New AMD Threadripper Machine.

comments powered by Disqus
Subscribe to our Linux Newsletters
Find Linux and Open Source Jobs
Subscribe to our ADMIN Newsletters

Support Our Work

Linux Magazine content is made possible with support from readers like you. Please consider contributing when you’ve found an article to be beneficial.

Learn More