26 Dec 2023
In this wild world of cybersecurity that we find ourselves in, organizations constantly seek robust solutions to combat threats like phishing. A breakthrough in this anti-phishing agenda is the adoption of FIDO2 keys for passwordless (unphishable) authentication! In this blog, we will explore how FIDO2 keys offer an unphishable credential, setting a new standard in secure authentication.
Why is FIDO2 Phishing Resistant?
FIDO2 keys are at the forefront of passwordless authentication, a technology that enhances security while simultaneously simplifying the user experience. FIDO2 keys are considered phishing-resistant because of how they protect the credentials. FIDO2 uses asymmetric cryptographic keys that consists of a public key and a private key that, through some mathematical magic, allows you to validate the user owns the private key without ever seeing the private key; this allows FIDO2 authentication to happen with the private key never leaving the FIDO2 key, making it impossible to steal the user credentials.
Is FIDO2 the Same as Smartcard Authentication?
While FIDO2 keys and smartcard authentication use the same cryptographic keys for authentication, they are different in the sense that smartcard authentication depends on a PKI to create the certificate and having your identity provider verify that is a valid certificate, while FIDO2 requires you to register each key with the identity provider. Each has their advantages and disadvantages.
FIDO2 Has Significantly Less Infrastructure than Smartcard Authentication
FIDO2 was created because, well, smartcards are hard. While that might sound like schoolyard slander, it’s true! With smartcards you used to need to deploy a metric ton of infrastructure to get them up and running – of course, since FIDO2 is still not supported everywhere, if you want to use smartcards, now with EZCMS, EZCA, and Entra ID, you can implement smartcards without needing to deploy all that infrastructure.
FIDO2 Simplifies the Authentication Process
The goal of FIDO2 is to simplify the authentication process while maintaining high security standards. By reducing the need for additional hardware and software components, FIDO2 makes secure authentication much more straightforward and user-friendly.
Final Thoughts on FIDO2 Keys Being Unphishable
FIDO2 keys represent a significant leap forward in the fight against phishing. By providing a secure and direct link to the user’s device and reducing the complexity of the authentication process, FIDO2 offers a solution that is both unphishable and user-friendly, a rare yet incredibly welcome feat. As organizations continue to face sophisticated cyber threats, adopting FIDO2 keys for passwordless authentication emerges as a wise and effective strategy to safeguard your organization’s digital assets and maintain user trust.
While FIDO2 is a great authentication method, it is still not supported in legacy systems and, for some reason, in iOS devices. The best way to adopt FIDO2 keys and bolster your organization’s security posture, though, is to use FIDO2 + smartcard authentication in the same key, which gives you the ultimate authentication experience.
If you’re reading this and still on the fence about whether you should implement FIDO2 keys and unphishable credentials in your organization, feel free to schedule a FREE consultation with one of our ex-Microsoft identity experts for an analysis of your unique situation and how FIDO2 keys can help!
You Might Also Want to Read
FAQs
FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor. They're commonly USB devices, but they can also use Bluetooth or near-field communication (NFC).
What is FIDO2 credentials? ›
FIDO2 cryptographic login credentials are unique across every website, never leave the user's device and are never stored on a server. This security model eliminates the risks of phishing, all forms of password theft and replay attacks.
Is Microsoft Authenticator FIDO2 compliant? ›
Microsoft Entra ID currently supports device-bound passkeys stored on FIDO2 security keys and in Microsoft Authenticator.
Why is FIDO2 phishing resistant? ›
It is phishing-resistant because it does not share user credentials between services. FIDO2 uses WebAuthn APIs and public key cryptography to store credentials as encrypted public and private key combinations.
How safe is FIDO2? ›
FIDO2 passwordless authentication significantly boosts login security by relying on unique passkeys. With FIDO2, hackers can't easily gain access to this sensitive information through phishing, ransomware, and other common acts of cybertheft.
What are the disadvantages of FIDO2? ›
Disadvantages and Challenges of FIDO2
Additionally, FIDO2 does not safeguard against timing vulnerability attacks (an attack that links stored user accounts in vulnerable authenticators). Since FIDO2 relies on a computer or system's authenticators, there is a lack of physical protection.
Is FIDO2 more secure than MFA? ›
Advantages of FIDO2 over other MFA methods
Private keys on the client side are usually protected with biometric authentication (for example, a fingerprint) or a PIN. Another benefit is that FIDO2 uses individual keys for each service and application.
What is the difference between FIDO2 and security key? ›
FIDO allows organizations to apply the WebAuthn standard by using an external security key, or a platform key built into a device, to sign in without a username or password. FIDO2 security keys are an unphishable standards-based passwordless authentication method that can come in any form factor.
Are passkeys FIDO2? ›
For enterprises that use passwords today, passkeys (FIDO2) provide a seamless way for workers to authenticate without entering a username or password. Passkeys provide improved productivity for workers, and have better security.
How do I allow FIDO2 Authenticator access? ›
Click User Security Policies > User Account Settings. Select Yes in the Enable FIDO2 Authentication drop-down box. Select Yes in the Enable security key enrollment drop-down box. Enter a name in the FIDO2 Security Key Display Name field.
Single factor login with FIDO2 offers strong authentication as a single factor. In many cases, this single factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely when using FIDO2.
What is the weakest authentication? ›
Least Secure: Passwords
- The vulnerabilities of passwords. ...
- Passwords as part of MFA. ...
- Single Sign-On and password managers aren't a complete fix. ...
- SMS and email OTPs are weaker. ...
- Authenticator tokens are a better OTP option. ...
- Fingerprint scans are secure when data is stored properly. ...
- Facial recognition continues to improve.
The YubiKey 5 Series is a hardware based authentication solution that offers strong two-factor, multi-factor and passwordless authentication with support for multiple protocols including FIDO2, U2F, PIV, Yubico OTP, and OATH TOTP.
Does passkey override 2FA? ›
If you use two-factor authentication (2FA), passkeys satisfy both password and 2FA requirements, so you can complete your sign in with a single step. If you don't use 2FA, using a passkey will skip the requirement to verify a new device via email. You can also use passkeys for sudo mode and resetting your password.
Is YubiKey FIDO compliant? ›
FIDO Alliance manages functional certification programs for its various specifications (e.g. U2F and FIDO2) to validate product conformance and interoperability. A FIDO2-certified device, such as a YubiKey 5 Series security key, has gone through a full FIDO certification program and successfully meets all requirements.
How do I remove FIDO2 from YubiKey? ›
To view and/or delete a passkey stored on your YubiKey, do the following:
- Plug your YubiKey into your device, click the menu icon in the upper left corner of the app, and select Passkeys. ...
- Enter your FIDO2 PIN and click Unlock. ...
- To delete a passkey, click on it to open its Details tab.
- Click Delete passkey under Actions.
FIDO2 advantages
Replaces weak passwords with strong hardware-based authentication using public key crypto to protect against phishing, session hijacking, man-in-the-middle, and malware attacks. No secrets are shared between services.
What is an example of a FIDO2? ›
What are some examples of FIDO2 authentication methods? Biometric-capable devices and platform authenticators: These are built-in authenticators that require a biometric, PIN, or passcode. Examples include Apple's Touch ID and Face ID, Windows Hello, or Android fingerprint and face recognition.
What is 2 factor authentication credentials? ›
Two-factor authentication (2FA) is a security system that requires two separate, distinct forms of identification in order to access something. The first factor is a password and the second commonly includes a text with a code sent to your smartphone, or biometrics using your fingerprint, face, or retina.
