This page (revision-3) was last changed on 29-Nov-2024 16:16 by -jim

This page was created on 29-Nov-2024 16:16 by unknown

[FIDO2] is the newest [FIDO Alliance] [specification] for strong authentication, and [WebAuthn] is the web API that lets websites add FIDO-based authentication to their login pages on supported browsers and platforms. The ecosystem is still evolving, but it makes the move to passwordless login considerably easier. Cloud-first organizations, and organizations with a mix of cloud and on-premises infrastructure, can pursue a FIDO2 passwordless strategy. Organizations that run cloud-based applications such as [Office 365] or other [SaaS] applications behind any of the established Identity Providers are well placed to consider a FIDO2 passwordless approach.
Since arriving on the scene, the FIDO Alliance has published three specifications:
* Universal 2nd Factor ([U2F])
* Universal Authentication Framework ([UAF])
* [FIDO2], which comprises
** Web Authentication ([WebAuthN])
** Client to Authenticator Protocol 2 ([CTAP2]).
!! FIDO 1.0: U2F and UAF
In [2014|Year 2014], [FIDO] published the Universal Authentication Framework (UAF), which was intended to implement passwordless authentication through biometrics. They then added Universal 2nd Factor (U2F), developed by [Google] and [Yubico] as a more secure replacement for traditional OTP-based two-factor authentication (2FA). U2F included its own client-to-authenticator protocol (retroactively named CTAP1), which carried the raw U2F messages to a token over USB, near-field communication (NFC), or Bluetooth.
By doing this, FIDO 1.0 applied public-key cryptography in a way that removed the inherent weakness of OTPs: a one-time code is a shared secret that can be phished or intercepted and replayed within its validity window. Instead of a shared secret, a private/public key pair was created during registration with each service, with the private key held on the user's token or device and never transmitted. What crosses the network is a signature over a fresh server challenge, so there is nothing reusable to intercept and steal. All the service provider retained was the public key associated with the user, which is useless to an attacker who breaches the server's credential store.
Nevertheless, FIDO 1.0 was still two protocols built to do different things and created in the interests of two different players: an industry alliance backed by [PayPal] ([UAF]), and [Google] ([U2F]). One big name, [Apple], was missing, and it set about implementing its own biometric authentication, namely Touch ID and later Face ID. The risk was that [FIDO] would become fragmented, with the user experience dictated by platforms and devices.
On the plus side, [UAF] had embedded support for biometric authentication inside mobile devices, while [U2F] was supported natively inside the world's most popular web browser, [Chrome]. This meant that FIDO authentication wasn't something users had to enable or download; it was an embedded capability that many users already had.
!! FIDO2 and [Web Authentication API]
[FIDO2] is a further development of [Google] and [Yubico]'s U2F protocol, paired with an expanded version of [CTAP], now called [CTAP2].
While U2F was designed to act as a second factor alongside a password, FIDO2's purpose is to allow [Passwordless Authentication]. It does this via a new [Web Authentication API] ([WebAuthN]). This [API] allows web applications to use [Public Key] cryptography and [Authenticators] directly: the site issues a challenge, the authenticator signs it with a key pair bound to that site's identifier, and the site verifies the signature with the stored public key. Two FIDO2 additions are what make the password unnecessary: discoverable (resident) credentials, which let the authenticator identify the user without a typed username, and user verification, where the authenticator itself checks a PIN or biometric before signing, so possession and knowledge (or inherence) are both proven in one step. So where FIDO 1.0 still required usernames and passwords, FIDO2 has created the architecture needed to do away with traditional credentials.
WebAuthn with CTAP2 has two important capabilities. First, it is backwards-compatible with U2F (existing U2F security keys work as WebAuthn authenticators, with browsers falling back to CTAP1 for them) and complementary to UAF, so anyone using those technologies can continue to do so even as efforts shift to WebAuthn and CTAP2. Second, WebAuthn has been adopted by the World Wide Web Consortium (W3C) as a Recommendation, meaning it is an open web standard, rather than one backed by just a handful of companies.
Browser support for WebAuthn has been added to Chrome, Firefox, Edge, and Safari.
How will WebAuthn improve on FIDO 1.0 from the user's point of view? By making authentication universal and easy to use, and by allowing everyone to move beyond passwords, a mechanism that has become a global security weakness. However, challenges remain, such as a general lack of awareness of why stronger authentication is needed, and the perception that UAF and U2F were only intended for businesses and power users.
This can be overcome by brands and service providers offering WebAuthn as a default option. The challenge over the next two years will be to get more ordinary web users to switch from passwords to WebAuthn; it is largely a matter of trust.
[{$applicationname}] strongly supports open standards such as [FIDO2] and [WebAuthN].