FIDO Passkeys with Asgardeo

Photo by Mikhail Nilov

In March 2022, the Fast IDentity Online (FIDO) Alliance and the W3C WebAuthn working group proposed a new version of the WebAuthn specification where they claim to resolve common usability issues with FIDO while ensuring a high level of security. This has gained significant attention in the identity domain during in the past especially after the joint announcement from Google, Apple and Microsoft on their extended support for the FIDO passwordless standard.

A diverse range of authentication methods have been developed in recent years, but standard password authentication remains the most popular option amongst them. While passwords serve their purpose, they also come with additional security and usability issues. If a company enforces strong password policies on their websites (such as a minimum number of characters, character combinations, etc.), it would be fairly difficult for users to remember it. Many choose to write their passwords down or store it on their personal devices. The issue is that if someone gets access to your passwords, you’re likely to get hacked. Many online users also tend to reuse the same password across many websites. This means that a security breach in one system could possibly expose all of your other accounts as well.

One way to stay protected is by using advanced authentication methods such as multi-step authentication, adaptive authentication, and federated authentication. However, a security risk is still a possibility with these advanced authentication methods, especially if you fall victim to a phishing attack.

In an ideal scenario, we would eliminate passwords altogether, and use phishing-resistant authentication methods. By now, you may have already heard of passwordless authentication and FIDO. FIDO enables a seamless login experience by using either a FIDO security key or an inbuilt biometric authentication such as your mobile fingerprint scanner or Windows Hello.

Despite its appeal, there are in fact only a few online users of FIDO authentication methods. This is mainly due to a few reasons:

1. People are reluctant to buy a device for authentication which they have to carry around everywhere, unless they are involved with a high-security job or project. This problem is addressed with FIDO2, which uses WebAuthn API and platform authenticators.
2. Even with FIDO2, credentials have to be stored on a browser or a device, where the majority of time the authentication does not work across browsers or devices.
3. Reusing the same credentials is not possible when a device is lost or when you switch to a new device. 

WebAuthn level 3 to the rescue

In March 2022, FIDO Alliance and W3C WebAuthn Working Group proposed a new version of the WebAuthn specification where they claimed to resolve the usability issues while ensuring a high level of security. This has been gaining attention in the identity domain in recent months, especially with the joint announcement from Google, Apple and Microsoft on their extended support for the FIDO passwordless standard. WebAuthn level 3 proposes multi-device FIDO credential in which a credential can survive the loss of a device. This change is provided by the authenticators and operating systems. The announcement by the three big giants is gaining significant attention as the key syncing works across multiple platforms as well.

Even though this is referred to as multi-device FIDO credentials, in the white paper published by FIDO Alliance, many platform vendors refer to them as passkeys.

With passkeys, the end user experience is improved and it would be very similar to using a password manager app. The end user has to select the registered passkey, similar to picking their password from a password manager app. Also similar to a password manager app, the underlying operating system takes care of syncing the keys between devices. In order to sync keys between devices from different vendors, the proposal suggests an approach that utilizes a standardized Bluetooth protocol. With this, a registered device with passkeys can facilitate authentication to the new device. Even though keys are shared between different devices, this would still be phishing resistant as Bluetooth is a proximity-based protocol.

What are passkeys

A passkey is a cryptographic FIDO login credential bound to an authenticator and an origin. Similar to a typical FIDO key, a passkey is generated and unlocked upon a user verification such as fingerprint or facial recognition. A passkey is a private and public key pair where the private key is never revealed. Passkeys are end-to-end encrypted so that they cannot be read by OS platforms while syncing across different devices.

How do passkeys work?

The passkey flow works just like a typical FIDO flow does when signing in with the same device. A challenge is shared in between the authenticator and the server, and verified using public key cryptography. 

In cross-device authentication/registration, the client application (i.e. the web browser used to sign in with FIDO) will generate a QR code containing a URL that encodes a pair of encryption keys. The QR code will be scanned using the authenticator (the mobile with the passkey) and upon successful completion, a Bluetooth advertisement containing the routing information for a network relay server will be created. This relay server will be picked by the authenticator/mobile device. These two steps will produce the end-to-end encrypted key agreement between the client and the authenticator. Both the client and authenticator will connect to the relay server and perform a standard FIDO CTAP operation.

FIDO passkeys in cross-device flow

Passkey authentication in Asgardeo

Asgardeo is a next generation identity as a service solution developed by WSO2. It provides FIDO2-based passwordless authentication, allowing application developers to easily implement secure authentication mechanisms into their applications. Asgardeo utilizes the latest FIDO2 specification, and supports most of the FIDO2 supported platform authenticators.

You can tryout passkey authentication on Android, iOS or macOS devices for Asgardeo hosted applications. Refer to the official documentation to check whether your device supports FIDO2 passkeys.

FIDO passkey authentication in Asgardeo

Refer the Asgardeo official documentation to learn on how to set up FIDO2 passwordless login to your applications. Reach out to WSO2 Collective on Stack Overflow if you have any questions.

Final thoughts

While FIDO is secure and most importantly phishing resistant, it’s not a very popular choice due to its usability issues. With the introduction of passkeys, the usability issue is resolved, and we can look forward to a promising future without passwords. Eliminating passwords certainly won’t be easy and may take some getting used to. It will take time for us to see a real transformation take place, as well as for users to get access to the latest mobile devices and operating systems that support FIDO passkeys.