Authentication Through the Ages Until FIDO
- Thamindu Jayawickrama
- Senior Software Engineer - WSO2
Fast IDentity Online (FIDO) is a term that’s commonly used in the passwordless-authentication space. In this post, we’ll discuss how passwordless-authentication mechanisms first emerged, and also learn how FIDO authentication works.
What is authentication?
Authentication is the process of determining whether someone (or something) is who they claim to be. For example, when you access a software application or cloud system, you may enter your username and password, or use a social login. The system will then authenticate your details and log you in.
The move towards FIDO
Passwords were first introduced in 1961 to prevent anyone other than the owner from accessing files stored on a computer system. At that time, passwords were stored in a plaintext file that could be easily read. As a solution, encryption and cryptographic techniques were introduced so that passwords were no longer stored in plaintext. Over time, passwords evolved to use more secure encryption methods and stronger policies. Until a few years ago, many computer systems relied only on password-based authentication, with users choosing simple passwords (e.g. “123456,” “password,” or even their own name) as login credentials.
With the growth of password-guessing attacks and account takeovers, systems had to enforce stronger password policies requiring a minimum number of characters, numerals, special characters, and so on. This became even more necessary as vendors moved towards cloud-based systems. But even with stronger policies in place, users still tended to pick weak passwords for their accounts and to reuse the same password across many sites. This led to account takeovers through credential stuffing attacks, in which attackers use lists of compromised credentials to gain access to accounts. Accounts with weaker passwords were also vulnerable to brute-force password guessing by automated tools. It didn’t help that stronger passwords, created by following modern password policies, were much harder to memorize.
With advances in technology, dynamic passwords were introduced to combat these security issues. Dynamic passwords are one-time passwords that change based on variables like time, location, or physical updates. SMS OTPs, TOTPs, and email OTPs are the most common dynamic passwords in use today. It is common to combine dynamic passwords with other authentication factors as a form of multi-factor authentication (MFA). This has strengthened the security of accounts and resources, protecting users against most attacks.
However, users are still vulnerable to phishing attacks. Phishing attacks are social-engineering attacks that target a user’s inattention rather than the technology. With phishing, it doesn’t matter how strong a password is or what password policies are in place to protect accounts: attackers can still gain access within seconds.
FIDO helps to solve many of these problems by eliminating the use of passwords completely and using public-key cryptography instead.
Public key cryptography
Public-key cryptography, or asymmetric cryptography, is an encryption technique that uses a mathematically related, non-identical key pair to sign or encrypt data. The two keys are referred to as the public key (shared with the other party) and the private key (kept private). Data encrypted with the public key can only be decrypted using the corresponding private key.
It is computationally infeasible to derive the private key from the corresponding public key. Hence, the public key can be freely shared, allowing the intended parties to encrypt data that only the holder of the private key can decrypt.
In digital signing, the sender signs data using the private key and the receiver verifies the signature using the public key. Signing amounts to hashing the message and then applying the private key to that hash.
FIDO in layman’s terms
FIDO, which stands for ‘Fast Identity Online’, is a set of open standards developed to provide a fast, simple, and stronger form of authentication by eliminating the use of passwords. These standards were developed by the FIDO Alliance. FIDO consists of two ceremonies (events): registration and authentication.
The registration ceremony generates a key pair and stores one of its keys on the server. Since this is public-key cryptography, the key shared with the server is the public key. To start the registration ceremony, an authenticated user gives some indication that they want to register a security key, for example by clicking a button in the UI or by sending an API call. The server, after performing the necessary validations, sends a challenge to the authenticator device (security key). This challenge is a random string of a predefined length. The authenticator device first prompts for user verification, which could be a fingerprint scan, camera scan, PIN, etc. The authenticator device then generates a new key pair and signs the challenge using the private key. The signed challenge, along with the generated public key, is sent back to the server as the response. The server then performs the necessary verifications and stores the received public key.
The authentication ceremony is the event where authentication happens using a registered security key or device. To start the authentication ceremony, a user indicates that they want to log in using a FIDO security key. The server then generates a random challenge and sends it to the authenticator device. The authenticator verifies the user’s identity (using biometrics, a PIN, etc.) and, upon successful verification, signs the challenge using the stored private key and sends it back to the server. The server then verifies the signature using the stored public key and authenticates the user for the requested service.
FIDO is this scheme put into hardware and a protocol. When integrated into the actual flow, the messages also carry other information related to the user, the security key, and the server. The FIDO protocol requires the server to perform verification steps on the registration (attestation) and authentication (assertion) payloads.
The FIDO flow works very well for those who want a passwordless experience. It is fast, simple, and strong, but the one downside is that the user has to carry a small security device in order to log in with FIDO. A majority of users are hesitant to buy a special device for authentication. Considering this limitation, the FIDO Alliance introduced a new protocol called FIDO2, built on top of the existing FIDO flow and incorporating the WebAuthn API. The WebAuthn API allows credential-management operations with platform authenticators through supported web browsers. Platform authenticators are security devices (such as fingerprint scanners, Touch ID, Face ID, etc.) built into laptops and mobile devices. With FIDO2, users can have a passwordless login experience using the built-in biometric features of their devices.
We hope this blog post has given some insight into how FIDO passwordless authentication first emerged and how it works. If you’re interested in learning more about the terminology and concepts, we recommend reading the FIDO specifications available on the FIDO Alliance website.
If you are interested in passwordless authentication and would like to test it out in your organization or applications, we recommend trying out Asgardeo, an identity as a service (IDaaS) solution that enables developers without security expertise to easily embed customer identity and access management (CIAM) features into their apps within minutes.