FIDO Passkeys with Asgardeo

Photo by FLY:D on Unsplash

“In March 2022, FIDO Alliance and the W3C WebAuthn working group proposed a new version of the WebAuthn specification where they claim to resolve common usability issues with FIDO while ensuring a high level of security. This has started to gain significant attention in the identity domain during the past couple of months especially with the joint announcement from Google, Apple and Microsoft on their extended support for the FIDO passwordless standard.”

It’s 2022 and there are many forms of authentication methods available. But still passwords are the most common of them all. Passwords are good, but they always come with security issues and usability problems when it comes to the real usage. For example consider a modern website which has enforced strong password policies like minimum number of characters, different character combinations, etc. Can you securely remember it? Most people try to write them down in a piece of paper or a book or store it in their personal mobile or laptop. Well! if somebody else gets access to that, you’re hacked. Also many online users try to reuse the same password across many sites. Breach in one system could expose all of your accounts and any of the stored information.

Well of course you can stay protected using advanced authentication methods such as multi step based authentication, adaptive authentication and federated authentication. But still the security risk exists to some extent. If you’re caught for a phishing attack, many of these advanced authentication methods cannot protect you.

But what if we can completely eliminate passwords and move to a phishing resistance authentication method? If you’re been digging in the identity domain you may have already heard of passwordless authentication and of course the term FIDO. There we can gain seamless login experience using a FIDO based security key or an in-built bio-metric authenticator like your mobile’s fingerprint scanner or windows hello.

However when it comes to the real usage, FIDO is not very popular. In fact only few online users use FIDO based authentication methods. This is mainly due to few reasons.

  1. None of us want to buy an extra device for authentication and carry it everywhere unless we are involved with a high security job or a project. This problem is solved mostly with FIDO2 where it uses WebAuthn API and platform authenticators.
  2. Even with FIDO2, credentials are being stored in a browser or a device where most of the time the authentication cannot work across browsers and devices.
  3. We cannot reuse the same credentials when a device is lost or switching to a new device. For example when moving to a new mobile.

WebAuthn level 3 to the rescue

In March 2022, FIDO Alliance and the W3C WebAuthn working group proposed a new version of the WebAuthn specification where they claim to resolve these usability issues while ensuring a high level of security. This has started to gain significant attention in the identity domain during the past couple of months especially with the joint announcement from Google, Apple and Microsoft on their extended support for the FIDO passwordless standard. WebAuthn level 3 proposes a new scheme named “multi device FIDO credential” where a credential can survive a device loss. This change has to be provided by the authenticators and operating systems itself. The three big giants announcement has gained a significant attention because with this, the key syncing would work across multiple platforms too.

Even Though this is referred to as “multi device FIDO credentials” in the white paper published by FIDO Alliance, many platform vendors are calling them “passkeys”. In this blog post also here onward I’m going to use the popular term; passkeys.

With passkeys, the end user experience (UX) is much improved and would be very similar to that of using a password manager app. All that an end user has to perform to authenticate is to select the already registered passkey just like picking their password from a password manager app. Also like a password manager app, the underlying operating system (OS) will take care of syncing the keys between devices. In order to sync keys between devices from different vendors, the proposal suggests an approach utilizing a standardized Bluetooth protocol. With this, an already registered device with passkeys can facilitate authentication to the new device. Even Though we are sharing keys between different devices, this would still be phishing resistance as Bluetooth is a proximity-based protocol.

What are passkeys

A passkey is a cryptographic FIDO login credential bound to an authenticator and an origin. As same as a typical FIDO key, a passkey will be generated and unlocked upon a user verification such as fingerprint or facial recognition. A passkey is nothing but a private and a public key pair where the private key will never be revealed. Passkeys are end to end encrypted so that they cannot be read by OS platforms while syncing across different devices.

How passkeys work?

The passkey flow works exactly the same as typical FIDO flow when signing in with the same device. A challenge is shared in between the authenticator and the server and verified using public key cryptography. If you’re interested in learning more on how FIDO authentication works, I recommend you reading my previous article “Authentication through the Ages till FIDO”.

In cross-device authentication/ registration, the client application (i.e. the web browser you’re trying to sign in with FIDO) will first generate a QR code containing a URL that encodes a pair of encryption keys. The QR code will be scanned using the authenticator (the mobile with the passkey) and upon successful completion, a Bluetooth advertisement containing the routing information for a network relay server will be created. This relay server will be picked by the authenticator/ mobile device. These two steps will produce the end to end encrypted key agreement between the client and the authenticator. Then both client and the authenticator will connect to the relay server and perform standard FIDO CTAP operation.

FIDO passkeys in cross-device flow

Passkey Authentication on Asgardeo

Asgardeo is a next generation IDaaS (Identity as a Service) solution developed by WSO2. It provides FIDO2 based passwordless authentication allowing application developers to easily implement secure authentication mechanisms into their applications. Asgardeo utilizes the latest FIDO2 specification and supports most of the FIDO2 supported platform authenticators. Passkeys are currently available only in some of the mobile devices as a developer feature. Once the technology is released later this year, you should be able to use passkey authentication for Asgardeo hosted applications.

But for now as a beta feature you can try out passkey authentication with Asgardeo. If you have an iOS 15 device with the latest OS update you’ll be able to try out passkey authentication by enabling the developer mode (you have to connect your device with xcode in order to enable the developer mode. Then enable the “Syncing Platform Authenticator’’ from settings).

FIDO passkey authentication in Asgardeo

Refer Asgardeo official documentation to learn on how to setup FIDO2 passwordless login into your applications. Please feel free to reach WSO2 Collective on stackoverflow for any of your concerns.

Final Thoughts!

FIDO is there for a while and is super secure and most importantly, it is phishing resistant. But was not much popular due to its usability issues. With passkeys we can see some potentially better and more sensible solution to the usability issue and can hope for a promising future without passwords. Eliminating passwords won’t be easy and of course it will not disappear overnight. It will take some time for the real transformation to happen and for the majority to get access to the latest mobile devices and operating systems that support FIDO passkeys.

--

--

Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Thamindu Dilshan Jayawickrama

Thamindu Dilshan Jayawickrama

Software Engineer at WSO2 Inc. | B. Sc in Engineering (Hons), Computer Science and Engineering, University of Moratuwa