FIDO’s Shield Against Advanced Threats and Malicious Activities

Thamindu Dilshan Jayawickrama
Identity Beyond Borders
Feb 19, 2023

With everyone moving towards cloud-based service platforms, the use of passwords is increasing day by day. On the other hand, online attacks are increasing at a similar rate, and more and more people are caught in account takeovers and data breaches. It no longer matters how strong the authentication mechanisms of a system or website are: sophisticated attacks like phishing catch many people by exploiting human weaknesses. Even if someone manages to avoid phishing, their passwords could still be exposed in a data breach at a poorly secured system, and that person could face severe consequences if they reuse the same set of passwords across different portals.

FIDO, which stands for Fast IDentity Online, is a standardized protocol developed to provide a passwordless authentication experience. It relies on state-of-the-art public key cryptography to provide secure authentication. In my previous article, I described how FIDO authentication came about and how it provides a secure passwordless authentication experience. If you’re new to FIDO terminology or not very familiar with how FIDO authentication works, I recommend you read my previous article before going through this one.

FIDO Security Aspect

FIDO servers must perform cryptographic verifications and data assertions in order to ensure the integrity and correctness of the communication medium and the authenticator device. These include signature verification, syntax verification, policy assertions, certificate verification, etc. However, in this article I’m not going to focus on those; rather, I’m going to discuss some of the verifications that are intended to prevent common security attacks.

1. Public Key Cryptography

When a FIDO security device is registered, it generates a new public-private key pair and sends the public key to the relying party (server). The process is not that simple, though: it involves user verification steps and signing a challenge sent by the server.

In FIDO, the private key never leaves the security device, and it is computationally infeasible to compute the private key from the associated public key. If you’re using a well-reputed security device, you don’t have to worry about the private key getting exposed, because the vendor will have used secure chip technology to make sure that’s impossible. Therefore it doesn’t matter whether a fraudulent user gets access to the public key: they will be able neither to obtain the private key nor to authenticate using it.

2. User Verification and Multi-Factor

FIDO security keys require a PIN and/or a biometric verification to perform an authentication. The generated private key is only unlocked after a successful user verification. If you’re familiar with identity and security concepts, you may already know that there are three factors of authentication: something you know, something you have and something you are. Multi-factor authentication is about bringing at least two of these factors into the authentication flow to make it more secure. The FIDO flow always combines two or more authentication factors in a single step. Possession of a security key is one factor: something you have. Entering a PIN code is another factor: something you know. Biometric verification is the remaining factor: something you are.

3. Origin Verification

Each of the keys generated during security key registration is associated with an AppID, which is simply a URL indicating the target for the credential. By default, the audience of the credential is restricted to the same origin as the AppID. That means FIDO authentications can only be performed on sites with the same origin as the key registration. However, relying parties can decide to widen the audience so that registrations and authentications can be performed from subdomains.

In phishing attacks, attackers try to get user credentials submitted on fraudulent sites that closely resemble the sites users intend to visit. Phishing attacks target users’ inattention and fear rather than technology. It’s hard to pay attention to whether the site is real, whether the domain name matches, whether the URL looks correct, etc., given the situation users are in. With FIDO, phishing attacks and man-in-the-middle attacks are no longer possible, as passwords are eliminated completely and the authentication is bound to the registered origin. That means it doesn’t matter if you use your FIDO key on a fake site: authentication will surely fail.

4. Trusted Origins

Relying parties should only allow key registrations and authentications from a set of predefined trusted origins. FIDO key registration and authentication requests from outside these trusted origins should not be accepted by the server.

5. Signature Counter

FIDO uses a signature counter that is incremented on every signature operation. This counter provides protection against cloned authenticators. If someone uses a cloned authenticator, its assertion will carry a counter value equal to or lower than the one the server has stored, provided the original authenticator has authenticated with the relying party at least once since the cloning. When the counters don’t match, the relying party can tell that the FIDO credential has been cloned; however, it cannot determine which authenticator is the clone.

This provides a way to at least detect that a cloned authenticator is being used on a relying party; however, it is not a perfect solution to the problem.
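The origin check of section 3, the trusted-origin policy of section 4 and the signature-counter check of section 5, as a relying party would apply them to a WebAuthn assertion. This is an added example, not code from the article: the RP ID, the trusted origins, the stored credential record and the helper that builds test authenticatorData are assumptions, and signature verification is left out so the example runs on the standard library alone.

```python
import hashlib
import json
from dataclasses import dataclass

# Hypothetical relying-party policy (constructed for this example, not from the article).
RP_ID = "example.com"
TRUSTED_ORIGINS = {"https://example.com", "https://login.example.com"}

@dataclass
class StoredCredential:
    sign_count: int  # last counter value the server stored for this key

def build_auth_data(rp_id: str, flags: int, sign_count: int) -> bytes:
    """Construct test authenticatorData: SHA-256(rpId) | flags | signCount (big-endian uint32)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + sign_count.to_bytes(4, "big")

def check_origin(client_data_json: bytes, expected_challenge: str) -> str:
    """Origin binding: a look-alike phishing domain is never in the trusted set, so it is rejected."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if client_data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch (stale or replayed response)")
    origin = client_data.get("origin")
    if origin not in TRUSTED_ORIGINS:
        raise ValueError(f"origin {origin!r} is not a trusted origin")
    return origin

def check_rp_id_hash(auth_data: bytes) -> None:
    """The authenticator scoped the key to an RP ID; the server checks the hash it sent back."""
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")

def check_sign_count(auth_data: bytes, cred: StoredCredential) -> int:
    """Clone detection: a counter that did not move past the stored value means two
    authenticators sign with the same key (which one is the clone is unknown)."""
    new_count = int.from_bytes(auth_data[33:37], "big")
    if (new_count or cred.sign_count) and new_count <= cred.sign_count:
        raise ValueError("signature counter did not increase: possible cloned authenticator")
    cred.sign_count = new_count  # persist the new high-water mark
    return new_count

def verify_assertion(client_data_json: bytes, auth_data: bytes, challenge: str,
                     cred: StoredCredential) -> dict:
    # Policy checks in order; the signature check over authData || SHA-256(clientDataJSON) would follow.
    origin = check_origin(client_data_json, challenge)
    check_rp_id_hash(auth_data)
    count = check_sign_count(auth_data, cred)
    return {"origin": origin, "sign_count": count}
```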

6. Authenticator Attestation

Authenticator attestation is about validating the authenticator model identity during security key registration. It allows relying parties to cryptographically verify that the authenticator being used is what it claims to be and is a certified device that can be trusted. This involves sharing a data structure called an attestation statement, which relying parties can use to derive the security characteristics of the authenticator. However, attestation validation is NOT a mandatory requirement in FIDO, and 99% of relying parties don’t require it.

6.1 FIDO Metadata Service (MDS)

When performing FIDO attestation validation, relying parties require up-to-date, valid information about authenticators and security keys. The FIDO Metadata Service (MDS) is a centralized repository that stores metadata statements about trusted FIDO devices. Relying parties can use the data obtained from FIDO MDS to validate authenticator attestations and prove the genuineness of the device models.

I hope you’re able to gain some basic understanding of how much protection FIDO provides during user authentication. I won’t say FIDO is super secure or impossible to hack; however, it is one of the most secure authentication mechanisms out there today, probably the most secure one. It provides a significant level of protection compared to other popular authentication methods.


Senior Software Engineer at WSO2 LLC. | B. Sc in Engineering (Hons), Computer Science and Engineering, University of Moratuwa