FIDO2 passwordless authentication generally uses passkeys as the first and primary factor for account authentication. In short, when a user registers with a FIDO2-supported online service, the client device registered to perform the authentication generates a key pair that works only for that web app or website.
The public key is encrypted and shared with the service, while the private key remains securely on the user’s device. Then, each time the user attempts to sign in to the service, the service presents a unique challenge to the client. The client activates the passkey device, which signs the challenge with the private key and returns it. Because the key pair is bound to one service and the private key never leaves the device, the process is cryptographically protected from phishing.
Types of FIDO2 authenticators
Before the device can generate a unique FIDO2 passkey, it must confirm that the party requesting access is the legitimate user rather than an unauthorized person or a piece of malware. It does this with an authenticator, a device that accepts a PIN, a biometric, or another user gesture.
There are two types of FIDO authenticators:
Roaming (or cross-platform) authenticators
These authenticators are portable hardware devices that are separate from users’ client devices. Roaming authenticators include security keys, smartphones, tablets, wearables, and other devices that connect to client devices over USB, near-field communication (NFC), or Bluetooth. Users verify their identities in a variety of ways, such as by plugging in a FIDO key and pressing a button or by providing a biometric, such as a fingerprint, on their smartphone. Roaming authenticators are also known as cross-platform authenticators because they allow users to authenticate on multiple computers, anytime, anywhere.
Platform (or bound) authenticators
These authenticators are embedded in users’ client devices, whether a desktop, laptop, tablet, or smartphone. They combine biometric capabilities with hardware chips that protect the passkeys, so the user signs in to a FIDO-supported service from their client device and then authenticates on that same device, generally with a biometric or a PIN.
Examples of platform authenticators that use biometric data include Microsoft Windows Hello, Apple Touch ID and Face ID, and Android Fingerprint.
How to register and sign in to FIDO2-supported services:
To take advantage of the increased security that FIDO2 authentication offers, follow these basic steps:
How to register for a FIDO2-supported service:
- Step 1: When registering with a service, you’ll be prompted to choose a supported FIDO authenticator method.
- Step 2: Activate the FIDO authenticator with a simple gesture that the authenticator supports, such as entering a PIN, touching a fingerprint reader, or inserting a FIDO2 security key.
- Step 3: Once the authenticator is activated, your device will generate a private and public key pair that is unique to your device, account, and the service.
- Step 4: Your local device securely stores the private key and any confidential information pertaining to the authentication method, such as your biometrics data. The public key is encrypted and, along with a randomly generated credential ID, registered with the service and stored on its authenticator server.
How to sign in to a FIDO2-supported service:
- Step 1: The service issues a cryptographic challenge to confirm your presence.
- Step 2: When prompted, perform the same authenticator gesture used during account registration. Once you have confirmed your presence with the gesture, your device uses the locally stored private key to sign the challenge.
- Step 3: Your device sends the signed challenge back to the service, which verifies it with the securely registered public key.
- Step 4: Once finished, you’re logged in.
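The registration and sign-in steps above, as an added Go example that is not code from the original article: the authenticator holds one private key per relying party (RP) ID and never exports it, while the service stores only public keys indexed by a random credential ID. The RP IDs, the 16-byte credential ID and the hashed RP-ID-plus-challenge message are simplifications assumed here rather than WebAuthn's exact encoding; the per-RP key lookup in Sign is what denies a lookalike domain a signature.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator is the user's device: one private key per relying party (RP) ID, never exported.
type Authenticator map[string]*ecdsa.PrivateKey
// Service is the relying party: it holds only public keys, indexed by credential ID.
type Service struct{ rpID string; creds map[string]*ecdsa.PublicKey }

func NewService(rpID string) *Service { return &Service{rpID: rpID, creds: map[string]*ecdsa.PublicKey{}} }

// randBytes draws n bytes from the OS CSPRNG; failure there is unrecoverable, so it panics.
func randBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err)
	}
	return b
}

// Register (Steps 3-4): after the user gesture (omitted) the authenticator makes a P-256 key pair scoped to s.rpID and gives the service only the public key plus a random credential ID.
func Register(a Authenticator, s *Service) (credID string, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", err
	}
	credID = string(randBytes(16))
	a[s.rpID], s.creds[credID] = priv, &priv.PublicKey
	return credID, nil
}

// Challenge issues 32 fresh random bytes per sign-in attempt, so a captured signature cannot be replayed.
func (s *Service) Challenge() []byte { return randBytes(32) }

// Sign picks the key by the RP ID the browser reports; a lookalike phishing domain is a different RP ID with no key, so the authenticator refuses.
func (a Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no credential registered for " + rpID)
	}
	h := sha256.Sum256(append([]byte(rpID+"|"), challenge...)) // signature covers RP ID and challenge
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// Verify recomputes the same hash over the service's own RP ID and checks it with the key stored under credID.
func (s *Service) Verify(credID string, challenge, sig []byte) bool {
	pub, ok := s.creds[credID]
	h := sha256.Sum256(append([]byte(s.rpID+"|"), challenge...))
	return ok && ecdsa.VerifyASN1(pub, h[:], sig)
}
```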