I'm a big fan of learning by doing, and in many cases, it leads to something amazing. I can code, and my code works more or less as expected, giving me a reason to create something new and experiment with the latest technologies. During this process, I run into challenges and make discoveries. That's how I learn, and I assume many of us do.
I wrote a lot of code during my software development career. Now I'm doing application and product security. At some point, I realized that psychological acceptance plays a crucial role in security.
After a while, many security controls started to irritate me as a regular user. I can understand why they are in place, but it doesn't change the fact that security is not a friend of usability and user experience. We used to think this way, but is it always the case?
You should create a strong password containing A, B, C, ..., Z. Rotate it every X days, use password history, enforce a minimum number of days before it can be changed, etc. Do you think you can create a password compliant with any such policy? Try it. It's annoying, right?
But NIST studied the question and provided different password guidelines in 2020 (quick summary here). Complexity doesn't really help, but length does. There is no need to rotate a password if there is no evidence of compromise. Check for breached passwords. That's common sense and improved user experience. I like it.
Passwords are not terrible, but they are hard to use correctly. If you care about security, you will use a password manager, unique passwords per site, a strong passphrase, disable auto-completion in the browser on page load, etc. Passwords are easy to transfer; that is their main pro, but also their con.
There are three authentication factors: something you know, something you have, and something you are. When you add a second factor, it becomes 2FA / MFA (2-factor or multi-factor authentication). It is the best security practice, and it will effectively protect your accounts. So passwords are something you know, security keys / one-time codes are something you have, and biometrics (fingerprints, face, retina) are something you are.
Why do we need extra protection? Because password hygiene is hard, we want a safety net to protect against data breaches, exposure in log files, phishing attacks, etc. An additional layer of protection helps to reduce the risk level. Keep in mind that in some cases, a successful phishing campaign can bypass 2FA if a user is tricked into providing a 2FA code or approving a push notification.
If you use a password manager extension in a browser, you will most likely notice that you are not on a legitimate website. That is a side effect of the auto-fill functionality. This functionality is super helpful for protecting against phishing attacks, but it is recommended to disable auto-fill on page load and click the fill button manually. Why does a phishing attack fail? Credentials stored in a password manager are bound to the website (origin). If the origin is different, the password manager will have 0 matches and nothing to fill. A user may still find the credentials manually, but that is a different story.
The same happens with a FIDO U2F security key (for example, a YubiKey). A user login is bound to the origin, meaning that only the real site can authenticate with the key. I will not cover the case where you need to change the origin on purpose; yes, it has this limitation 😊
FIDO stands for Fast Identity Online. The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords. I already mentioned FIDO U2F as the most secure second factor. It relies on a private key (public key cryptography) that never leaves a device. But U2F is not the only technology provided by the FIDO Alliance. Please meet FIDO2.
The FIDO Alliance developed FIDO Authentication standards based on public key cryptography for authentication that is more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage. FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.
FIDO2 consists of two main parts: CTAP2 and WebAuthn. For simplicity: the CTAP2 protocol handles communication between a browser and a device (authenticator, e.g. a YubiKey), and WebAuthn describes communication between a browser and a relying party (FIDO2 server). WebAuthn is better known than FIDO2, so you have likely heard about WebAuthn rather than FIDO2.
FIDO2 effectively moves 2FA to the user side. It is very similar to a chip-and-PIN credit card. A security device stores a private key (something you have), and you need to unlock the device to use it with something you know (a PIN) or something you are (biometrics). You perform a transaction with a credit card using your PIN, and the card has a special chip that cryptographically signs each transaction. What happens if you enter the PIN incorrectly 3 times? The card is blocked. A YubiKey will wipe itself after 8 bad attempts to unlock it with the PIN. This means you can have a relatively short PIN that is easy to remember and type and still be secure.
You don't need a security key to use FIDO2! A security key is a roaming authenticator, but you can also use any platform authenticator: a desktop, a laptop, an Android or iOS phone. If the platform supports it, you are good to go; simply enable Windows Hello or biometrics on your phone. Using a security key is always a good idea, but you can add a platform authenticator as a backup, or vice versa.
Having a secondary device is crucial. If you lose your device, you lose your account. FIDO has great technology to help with that, passkeys, but it has its own limitations. I want to focus on the end game, device-bound credentials, but we need to address the problem of handling multiple devices.
Many libraries are available to support FIDO2, but it is still not easy to build a final solution. I played with FIDO2 a lot and decided to try providing a service instead of a library.
Fido2me = FIDO2 + OAuth Server. A user authentication gateway to a passwordless world. Try at Fido2me.com
Why not have FIDO2 social login?
It is open sourced and available on GitHub (please visit the link to read more details). It is an opinionated implementation of a user-friendly FIDO2 server. It supports multiple authenticators (devices) and CIBA (Client Initiated Backchannel Authentication) so that you can sign in from external devices (you may or may not add them as trusted authenticators). If you are using Chrome, you can try to add a new phone (passkeys flow), but don't forget to enable Bluetooth on both devices (laptop/desktop + phone).
A gateway is useless without users and integrated applications. If you have some experience with social providers or generic OAuth2 integration, you are good to go. Create a confidential client (public clients will be available soon), copy the Client ID / Client Secret, and use your existing experience. Fido2me is just another OAuth server.
But to be a social provider, Fido2me needs to be much greater. It requires a community of users and builders.
If you want to play with FIDO2 and Fido2me, learn more, provide feedback, or say nah, do not hesitate to contact me (leave a comment or add a reaction) or open a new GitHub discussion.
I believe FIDO2 is really awesome, and at least I will help promote it!