The dawn of FIDO authentication

Michael Jenkins | 2/27/2024

Traditional multifactor authentication helped improve online security, but FIDO authentication has emerged as a phishing-resistant alternative.

For the past decade, traditional multifactor authentication (MFA) has been a cornerstone of security improvement; however, its efficacy has diminished. While any form of MFA is an improvement over knowledge-based authentication (KBA) alone, the vulnerabilities of one-time passwords (OTP), push notification apps, and cellular networks demand a fundamental change to authentication. The fast identity online (FIDO) standard is a more robust alternative, whose adoption can help strengthen long-term security in an increasingly digital world.


Weaknesses of traditional multifactor authentication

Although traditional MFA is a critical component of online security, it is far from perfect, and, in recent years, cracks in its protection have revealed themselves. Common forms of traditional MFA include one-time passwords (OTPs) via tokens and apps, app-based push notifications, and short messaging service (SMS) or voice codes.

One issue with OTPs is the susceptibility to phishing and man-in-the-middle attacks. Neither token nor app-based implementations provide any resistance to entering their codes into attacker-owned websites. These sites can merely relay user-entered passwords and codes to the true websites and compromise the account. This weakness is one reason why many organizations instead use app-based push notifications.

Although more resistant to phishing, app-based push notifications suffer from the issue of MFA fatigue, also known as push fatigue. Since users receive an interactive prompt to approve login for every successful password entry, an attacker can repeatedly trigger the prompt until the user is fatigued or annoyed enough to simply approve the login. One method of mitigating fatigue is to increase security education. However, this approach is not foolproof because, of course, users retain free will. Another mitigation technique is to include a number that must be matched on the login screen and on the approval device. While a more concrete solution than increasing security education, it can still be circumvented through more advanced phishing sites that relay the number or through additional social engineering. It also adds another step to the login process, which can hinder user satisfaction.

A downside of all MFA solutions that rely purely on apps is the susceptibility to malware and general device compromise. While a token can only be directly stolen, a smartphone could be remotely compromised by an attacker to approve incoming malicious download requests. Even worse, if an MFA app is based on OTPs, seeds used to generate codes can be fully extracted and used without continued connection to the victim device.

SIM swapping

The most common forms of MFA are codes sent over SMS. Many services even use SMS to reset passwords or as a sole authentication factor. This has given rise to the prolific SIM swapping attack, which exploits the trust placed in mobile networks. The attack is relatively straightforward and relies on changing the subscriber identity module (SIM) or embedded SIM associated with a phone number. This redirects all calls and texts from the victim’s phone to the attacker’s phone and effectively locks out the real user. Although this attack could be performed by physically stealing a SIM card or by an insider threat, it is typically executed through social engineering directed at an end user or a mobile network carrier. All an attacker needs in advance is the victim’s phone number and a few personal details.

This type of attack is so simple that it could be performed by a 15-year-old – and has been. SIM-swapping attacks also entered the public eye in 2019 through a high-profile hack of the Twitter chief executive officer’s account, yielding 20 minutes of offensive tweets until access was wrestled back. In a 2022 report, the Federal Bureau of Investigation’s Internet Crime Complaint Center noted that 2,026 people fell victim to SIM swapping, resulting in nearly $73 million in losses. Clearly, SMS services should not be given the trust and roles they are afforded for securing the online world.

FIDO protocols

Given the weaknesses of traditional MFA, the Cybersecurity and Infrastructure Security Agency is urging implementation of a more secure protocol: FIDO. FIDO is an open standard of authentication protocols that can replace and complement traditional password-based login. The standard is defined by the FIDO Alliance, which was founded in 2012 and comprises hundreds of companies, including Microsoft, Google, Amazon, and Visa. The alliance documents the technical specifications of the standard and operates industry certification programs to ensure interoperability. It has contributed to broad industry adoption in enterprise web environments including Microsoft Azure™, Microsoft Active Directory, and Google Workspace™, as well as everyday consumer websites such as the Amazon™ e-commerce store.

The FIDO standard is composed of three separate specifications: Universal Authentication Framework (UAF), Universal 2nd Factor (U2F), and FIDO2. UAF was released in 2014 with the aim of providing passwordless authentication. Few services and browsers implemented the feature, possibly because of lower perceived demand at the time and the requirement for physical security hardware. Released at the same time, U2F aimed to provide MFA to complement traditional passwords and saw modest adoption in browsers and services over time.

Although less relevant today, the two standards established the core architecture shared by FIDO2. Asymmetric cryptography is the heart of every FIDO standard. Each FIDO-compatible device uses challenge-response techniques and contains private keys that are never transported in unencrypted form. At a basic level, these techniques operate by the server sending a challenge that the client signs using the private key associated with the credentials. The server then verifies the signature over the challenge using the known associated public key.

CTAP and WebAuthn

FIDO2 was created as a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C) in 2019. It is composed of two substandards, FIDO Client to Authenticator Protocol (CTAP) and Web Authentication API (WebAuthn). The CTAP standard includes the previous U2F standard under the name CTAP1 and a new standard for FIDO2 named CTAP2.

Unlike CTAP1, CTAP2 can provide either passwordless or multifactor functionality. WebAuthn defines the API for using FIDO devices implementing CTAP. It represents the interface that browsers and websites use for creating, managing, and checking credentials. This standardized API led to widespread browser and website support and the internal adoption of security keys by high-value targets including Google and Microsoft.

[Figure: FIDO standard specifications. Source: Crowe analysis, February 2024]

FIDO authenticators

A FIDO authenticator is a piece of hardware or software that proves a user’s identity through possession of a private key. All authenticators fall into one of two categories: roaming or platform. Roaming authenticators include traditional FIDO options such as USB tokens and can be moved between client devices. Platform authenticators are built into devices and software and cannot simply be moved. No standards govern the storage of credentials within platform authenticators, so implementations vary from Apple iCloud Keychain® to personal computer trusted platform modules.

All forms of FIDO prove “something you have” because users must possess a private key, but other types of authentication can be added. Many solutions allow adding PINs and biometrics as additional layers, proving “something you know” and “something you are,” respectively. Biometrics can be implemented on dedicated hardware, such as the Kensington VeriMark™ Fingerprint Key, or use existing components of client devices, much like how iCloud Keychain interfaces with Apple Face ID® and Apple Touch ID®. The WebAuthn standard is written in such a way that biometrics are verified on the client device itself and only the result is sent. This abstraction prevents unchangeable biometric information from being captured in transit. WebAuthn also enables websites to require advanced authentication, such as biometrics, without the cost of implementing the functionality themselves.

FIDO authentication credentials

FIDO authenticators support two types of credentials: discoverable and nondiscoverable. A discoverable credential is persistently stored within the authenticator alongside all details needed to apply it, including the associated user ID and website. Website-relevant credentials can be identified prior to any interaction (passwordless) and without the transmission of encrypted keys. The number of discoverable keys that an authenticator can store is finite, and many popular hardware authenticators have a limit of 25. However, some products, such as the 2023 revision of the Google Titan™ security key, support up to 250.

An authenticator can generate an unlimited number of nondiscoverable credentials, but they must be stored by the website and redownloaded during authentication. To secure this process, the key is encrypted before transmission and storage using a master private key that never leaves the authenticator. The encrypted key is downloaded and decrypted whenever it is to be used, and although this process is robust, it is still inherently less secure than discoverable keys. As with additional biometric and PIN factors, websites can require the exclusive use of discoverable credentials through WebAuthn.

[Figure: FIDO credential types. Source: Crowe analysis, February 2024]

Like traditional authentication, FIDO authentication uses a two-process model to manage credentials. When a user visits a website supporting FIDO authentication, the registration process establishes credentials by exchanging keys using the following steps:

  1. The website sends the client its authentication policy and a challenge.
  2. The client identifies all roaming and platform authenticators.
  3. The user selects an authenticator.
  4. The authenticator generates and assigns a public and private key pair for the credentials.
  5. The client sends the server the public key and the challenge signed by the private key.

When a user attempts to authenticate to a site, the login process proves possession of credentials through challenge and response. Nondiscoverable credentials follow a similar process, except that the username must be sent by the user before the site-stored keys can be retrieved and decrypted. The steps for logging in with discoverable credentials are as follows:

  1. The website sends the client a challenge and specifies the desired credential.
  2. The client identifies the authenticator matching the desired credential.
  3. The user performs additional actions to prove presence and identity such as providing a button press, biometrics, or a PIN.
  4. The user selects from the matching credentials presented by the authenticator.
  5. The client sends the server the challenge signed by the private key of the credential.
  6. The server verifies the signing using its stored public key.

[Figure: FIDO authentication process. Source: Crowe analysis, February 2024]

FIDO authentication benefits

The WebAuthn API implemented by browsers includes an origin field that represents the URL with which a credential is associated. A website cannot specify a desired credential during the login process without including an origin. WebAuthn-compliant browsers will only allow a login to occur if the origin specified matches the URL of the site sending the request. This requirement prevents social engineering attacks such as the man-in-the-middle techniques that plague traditional OTP MFA. It also helps prevent fatigue attacks because users must visit a site to connect their authenticator. Additionally, when hardware tokens are used, FIDO is resistant to malware because keys stay internal to the token and a physical button press is required.

Physical FIDO authentication can provide great benefit to high-value targets. After requiring the use of physical security keys in 2017, Google reported not suffering a single successful phishing attack against more than 85,000 employees. Six years later, Google distributed 100,000 security keys to high-risk individuals in support of global democracies.

Phishing FIDO

Although FIDO represents a great stride in the evolution of authentication, it is not a security fix-all, and threat actors have developed attacks to bypass it. One such attack is a phishing technique that takes advantage of common FIDO website configuration weaknesses. The attack is similar to other phishing techniques in which an attacker prepares a malicious fake site that can relay entered information to the real site in order to gain access.

The fake site cannot relay FIDO authentication because it has a nonmatching origin URL, but it can fake a FIDO authentication and then ask the user for an additional factor that can be relayed, such as an SMS code or OTP. A 2021 study found that 55% of users interpret additional factor requests as an extra layer of security and simply oblige, thinking along the lines of “two is good, so three must be better.” This downgrade is possible because many sites allow and encourage the addition of a weaker factor to prevent lockout if a FIDO authenticator is lost. A simple remediation is to allow FIDO as a sole factor; however, the additional cost and complexity of account recovery must be considered.

It is important to note that this type of attack is not enabled by a weakness of the FIDO standard itself but rather by its implementation. When a standard is relatively secure, it is often easier for attackers to identify holes in the systems that use it. As vendors transform FIDO standards into real-world solutions, they introduce opportunities for misconfigurations and side channel attacks. For example, according to one report, while the Google Titan security key’s U2F design is secure, researchers were able to clone it by measuring electromagnetic radiation from the purpose-built chips. Despite these attacks, FIDO still provides superior protection to traditional MFA and should be used.

Enterprise adoption

Despite its advantages and success stories, FIDO adoption has been slow in the enterprise. One major contributing factor is limited support. Until recent years, single sign-on support was limited, and only the Google Chrome™ browser provided platform authentication functionality. Support has also been slow to spread to all mobile applications and legacy desktop environments. Another major factor is the complexity and cost of managing advanced authentication at enterprise scale. Although a wide variety of authenticators exists, no simple means of synchronizing and registering platform authenticators does.

Successful companies typically follow a common strategy of distributing standard roaming authenticators to all employees, which can be made easier through automated delivery services. Once roaming authenticators are distributed as the standard form of authentication, employees are allowed to bootstrap additional platform factors such as Microsoft Windows Hello™ and Touch ID for a faster user experience. This process requires significant IT resources to educate users and track enrollment. Once enrollment reaches a critical level, a hard transition is enforced, with weaker authentication methods cut off.

The future of FIDO authentication

The simplification of FIDO authentication management is on the horizon with the arrival of WebAuthn 3, which is set to be implemented as passkeys by industry giants like Apple, Microsoft, and Google. WebAuthn 3 is currently in draft form and allows the use of platform authenticators as roaming authenticators and the syncing of platform credentials. WebAuthn 3 simplifies the enterprise bootstrapping process but introduces an issue because it does not describe the method by which credentials are synced. Vendors are responsible for implementing the synchronization, which could introduce vendor lock-in and increase the attack surface. Additionally, hardware backing can only be required through an extension, and many keys need to rely on traditional storage encryption, which makes them ripe post-exploit targets for attackers.

Despite these changes, FIDO authentication remains phishing resistant and will become increasingly accessible. While any form of MFA surpasses KBA alone, the threat landscape evolves rapidly. From push fatigue attacks to SIM swapping, traditional MFA alone cannot provide long-term security. Although cost and support might represent hurdles to many businesses and individuals now, these barriers likely will fall in coming years as WebAuthn 3 is implemented. Embracing FIDO authentication in all road maps is not just a wise choice; it’s an essential one.

Microsoft, Azure, and Windows Hello are trademarks of the Microsoft group of companies.
Apple, Face ID, iCloud Keychain, and Touch ID are trademarks of Apple Inc., registered in the U.S. and other countries and regions.
