Authentication through the Ages till FIDO

Thamindu Dilshan Jayawickrama
Identity Beyond Borders
7 min read · May 8, 2022

FIDO is a term that comes up constantly in the context of passwordless authentication. In this blog post, I’m going to take a historical journey through how the path towards a passwordless authentication mechanism was created, and then discuss how FIDO authentication works.

Let’s first look at how authentication methods evolved over time, starting with simple passwords. But first, what is authentication? Authentication is the process of determining whether someone or something is actually who they claim to be. For example, when you access a software application or a cloud system, you may enter a username and password or click a social login button. At that point the system checks your authentication details and logs you into the system. Aaaand!!! That is authentication.

Way Towards FIDO

Around 1961, passwords were introduced to prevent files stored in a computer system from being accessed by someone other than their owner. At that time passwords were simply stored in a plain text file that anyone could easily access and read. As a solution, encryption and other cryptographic techniques were introduced so that passwords no longer had to be stored in plaintext. Over time, passwords evolved with more secure protection methods and stronger policies. Up until a few years ago, many computer systems were using only password-based authentication, and most users were choosing simple passwords like “123456”, “password” or some part of their name as login credentials.

But with the growth of password guessing attacks and account takeovers, systems started to enforce stronger password policies, such as a minimum number of alphabetic characters, digits, special characters, etc. in a password. The pressure for stronger policies grew much faster as more and more vendors moved towards cloud-based systems. But even with these stronger policies in place, users still tend to pick bad passwords for their accounts. Not only that, but many users reuse the same password on many sites. Both of these situations led to account takeovers through credential stuffing attacks. Credential stuffing is a type of cyber attack in which attackers use lists of compromised credentials to gain access to someone else’s account. Where weaker passwords were in place, these accounts were also vulnerable to brute-force password guessing by software tools. Another aspect is that stronger passwords created according to these modern password policies are much harder to memorize.

With the evolution of technology, dynamic passwords were introduced to mitigate these security issues. Dynamic passwords are one-time passwords that differ from one use to the next based on variables like time, location or physical events. SMS OTP, TOTP and email OTP are the most common dynamic password strategies in place today. The common practice is to use dynamic passwords in conjunction with some other authentication factor as a form of multi-factor authentication (MFA). This added a stronger layer of security to accounts and resources, protecting users against most of the attacks described above.

However, users were still vulnerable to phishing attacks. Consider a busy day at the office when you are overwhelmed with work. You suddenly receive an email saying your password was compromised in a recent database breach and that you should click on a link to set a new password. You’ll probably click the link, and the site you land on asks for your old credentials and a new password. The site looks identical to the system you normally use, and without much hesitation you enter the requested details. Then the site prompts for the OTP you have enforced as a second-factor authentication method. When you enter the code, behind the scenes someone else has gained access to your account, and who knows what will happen next. Given the situation users are in, it’s hard to pay enough attention to figure out whether the site is real, whether the domain name matches, whether the URL looks correct, etc.

Phishing attacks are social engineering attacks that target users’ inattention and fear rather than the technology. With phishing attacks, it doesn’t matter how strong a password is, or what techniques are in place to protect accounts or resources; attackers can gain access in seconds by fooling users. This is where FIDO comes in.

FIDO tries to solve many of these problems by eliminating the use of passwords completely and relying instead on public-key cryptography, a mathematical construction explained next.

Public Key Cryptography

Public key cryptography, or asymmetric cryptography, is an encryption technique that uses a mathematically related but non-identical key pair to sign or encrypt data. These two keys are referred to as the public key and the private key; the private key is kept secret and the public key is shared with the other party. The public key is used to encrypt data, which can then only be decrypted using the corresponding private key.

Encryption and decryption

It is computationally infeasible to derive the private key from the corresponding public key. Hence the public key can be freely shared, allowing anyone to encrypt data that only the party holding the private key can decrypt.

Digital signing is similar but works the other way round. The sender signs data using the private key and the receiver verifies it using the public key. Signing amounts to hashing the message and then applying the private key to that hash; the verifier recomputes the hash and checks it against the signature using the public key, so any change to the message breaks the signature.

Signing and verification
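Both figures carried out in code, as an added example that is not part of the original post: RSA-OAEP for the encryption half and ECDSA over a SHA-256 hash for the signing half are my choice of concrete algorithms (the post names none), using only Go’s standard library.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/rsa"
	"crypto/sha256"
)

// Encrypt with the recipient's public key: anyone may do this, only the private key undoes it.
// RSA-OAEP is the concrete scheme chosen here; the post describes the idea, not an algorithm.
func Encrypt(pub *rsa.PublicKey, msg []byte) ([]byte, error) {
	return rsa.EncryptOAEP(sha256.New(), rand.Reader, pub, msg, nil)
}

func Decrypt(priv *rsa.PrivateKey, ct []byte) ([]byte, error) {
	return rsa.DecryptOAEP(sha256.New(), rand.Reader, priv, ct, nil)
}

// Sign works the other way round: hash the message, then apply the private key to the hash.
func Sign(priv *ecdsa.PrivateKey, msg []byte) ([]byte, error) {
	h := sha256.Sum256(msg)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify recomputes the hash and checks the signature with the public key alone.
func Verify(pub *ecdsa.PublicKey, msg, sig []byte) bool {
	h := sha256.Sum256(msg)
	return ecdsa.VerifyASN1(pub, h[:], sig)
}

// RoundTrip runs both figures end to end and reports: the decrypted text, whether the
// genuine message verifies, and whether a tampered message verifies with the same signature.
func RoundTrip(msg string) (plain string, genuine, tampered bool) {
	rsaKey, _ := rsa.GenerateKey(rand.Reader, 2048)
	ct, _ := Encrypt(&rsaKey.PublicKey, []byte(msg))
	pt, _ := Decrypt(rsaKey, ct)

	ecKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := Sign(ecKey, []byte(msg))
	return string(pt), Verify(&ecKey.PublicKey, []byte(msg), sig),
		Verify(&ecKey.PublicKey, []byte(msg+"!"), sig)
}
```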

FIDO in Layman’s Terms

FIDO, which stands for Fast Identity Online, is a set of open standards developed to provide a fast, simple and stronger form of authentication that eliminates the use of passwords. These standards are developed by the FIDO Alliance.

FIDO terminology consists of two ceremonies (events): registration and authentication.

Registration Ceremony

The registration ceremony is nothing but generating a key pair and storing one half of it on the server. Since this is public key cryptography, the key shared with the server is the public key. To start the registration ceremony, an already authenticated user indicates that they want to register a security key. This could be clicking a button in the UI or sending an API call. After performing the necessary validations, the server sends a challenge to the authenticator device (security key). This challenge is a random string of a predefined length. The authenticator device first prompts for user verification, which could be scanning a fingerprint, looking into a camera, entering a PIN, etc. The authenticator device then generates a new key pair and signs the challenge using the private key. The signed challenge, along with the generated public key, is sent back to the server as the response. The server then performs the necessary verifications and stores the received public key.

FIDO security key registration

Authentication Ceremony

The authentication ceremony is the event where authentication happens using a registered security key or device. To start the authentication ceremony, a user indicates that they want to log in using a FIDO security key. The server then generates a random challenge and sends it to the authenticator device. The authenticator verifies the user’s identity (using biometrics, a PIN code, etc.) and, upon successful verification, signs the challenge using the stored private key and sends it back to the server. The server then verifies the signature using the stored public key and authenticates the user for the requested service.

FIDO authentication

FIDO is what you get when this flow is put into hardware and a protocol. In the actual flow, the messages carry additional information about the user, the security key and the server. The FIDO protocol also insists on verification steps over the registration (attestation) and authentication (assertion) payloads.
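The two ceremonies above (registration and authentication) as an added simulation, not code from the post or from any FIDO implementation: both sides live in one Go program, the server stores only the public key, and the rpID field is a hypothetical simplification of the site identity that WebAuthn binds into the signed data, which is why a signature produced for a look-alike site fails verification at the genuine one.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Server keeps one registered public key per user. rpID is a hypothetical stand-in for the
// site identity that WebAuthn binds into every signature, the detail that defeats phishing.
type Server struct {
	rpID string
	keys map[string]*ecdsa.PublicKey
}

func NewServer(rpID string) *Server { return &Server{rpID: rpID, keys: map[string]*ecdsa.PublicKey{}} }

// Authenticator holds the private key, which never leaves the device.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// NewChallenge returns a random challenge of predefined length (32 bytes here).
func NewChallenge() []byte { c := make([]byte, 32); rand.Read(c); return c }

// payload is what actually gets signed: a hash over the rpID the device sees and the challenge.
func payload(rpID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return h[:]
}

// Register generates a fresh key pair and signs the challenge. User verification (fingerprint
// or PIN) is assumed to have happened on the device before this is called.
func (a *Authenticator) Register(rpID string, challenge []byte) (*ecdsa.PublicKey, []byte) {
	a.priv, _ = ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, payload(rpID, challenge))
	return &a.priv.PublicKey, sig
}

// Assert signs a login challenge with the private key stored at registration.
func (a *Authenticator) Assert(rpID string, challenge []byte) []byte {
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, payload(rpID, challenge))
	return sig
}

// Register (server side) verifies over its own rpID and the challenge it issued, then stores
// the key; Authenticate later checks a login signature against that stored key.
func (s *Server) Register(user string, ch []byte, pub *ecdsa.PublicKey, sig []byte) bool {
	ok := ecdsa.VerifyASN1(pub, payload(s.rpID, ch), sig)
	if ok { s.keys[user] = pub }
	return ok
}
func (s *Server) Authenticate(user string, ch, sig []byte) bool {
	pub, ok := s.keys[user]
	return ok && ecdsa.VerifyASN1(pub, payload(s.rpID, ch), sig)
}
```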

FIDO2

The FIDO flow works very well for those who want a passwordless experience. It is fast, simple and super strong. But the user has to carry a small security device whenever they want to log in with FIDO, and the majority of users don’t want to buy a special device just for authentication. Considering this limitation, the FIDO Alliance introduced a new protocol called FIDO2, which is built on top of the existing FIDO flow and incorporates the WebAuthn API. The WebAuthn API allows credential management operations to be performed with platform authenticators through supported web browsers. Platform authenticators are the security devices (fingerprint scanner, Touch ID, Face ID, etc.) built into laptops and mobile devices. With FIDO2, users gain a passwordless login experience using their device’s built-in biometric features.

Final Thoughts!

I hope you have gained some insight into how FIDO passwordless authentication came about and how it works. If you’re interested in learning more about the terminology and concepts, I recommend reading the FIDO specifications available on the FIDO Alliance’s official site.

Also, if you’re keen on trying out a passwordless authentication experience or want to integrate passwordless authentication into your organization or applications, I recommend trying out Asgardeo, a next generation IDaaS (Identity as a Service) solution developed by WSO2. You can learn more by reading my previous article on Asgardeo passwordless authentication.
