Passwordless future using FIDO2 & WebAuthn
No matter how strong your firewalls are, how powerful your IDS and IPS systems are, and how secure your system architecture is, humans are, and always will be, the weakest link in cybersecurity.
"The weakest link in the security chain is the human element" - Kevin Mitnick
And it's easy to see why. Passwords are one of the easiest and most common ways to authenticate users. However, as the last few years have shown, service providers tend to store passwords insecurely and people tend to reuse the same password across multiple services, which means that if that one set of credentials is compromised in a breach, the attacker can replay it against other services and gain access with minimal effort.
In this blog we'll be discussing how web standards like FIDO2 & WebAuthn are shaping up the future by reducing the risk of human error in security.
What are WebAuthn & FIDO2?
FIDO2 is a phishing-proof, passwordless authentication protocol developed as a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C); the main goal of the project was to create a strong authentication standard for the web. In March 2019, W3C announced that WebAuthn is now the official web standard for password-free login.
At its core, FIDO2 combines the W3C WebAuthn standard with the FIDO Client to Authenticator Protocol (CTAP). FIDO's CTAP is mostly based on work that was done for the Universal 2nd Factor (U2F) standard.
CTAP is a set of low-level protocols that allow communication between the client device and external authenticators over NFC, USB or Bluetooth Low Energy. There are currently two CTAP protocols, CTAP1 and CTAP2. CTAP1 is essentially the formal name for U2F, whereas CTAP2 is an upgrade over its predecessor: it offers additional attestations and extensions, and is backwards compatible with CTAP1.
The practical difference between CTAP1 and CTAP2 is that CTAP1 external authenticators only work as a second factor of authentication, whereas CTAP2 external authenticators can be used as both the first and the second factor, completely eliminating the dependency on a password. One example is plugging in your hardware token (first factor) and using its biometric sensor to verify yourself (second factor).
How does FIDO2 work?
We have three major players in the FIDO2 Workflow:
- The WebAuthn Relying Party (the website we're authenticating to)
- The client, i.e. the browser, which plays the role of middleman
- The FIDO2 Authenticator (YubiKey, USB token, smartphone)
There are two types of workflow in FIDO2: Registration & Authentication. Registration would be enrolling a new key to your account for future use and authentication would be using that key to prove your identity. In this article, we'll be focusing on the authentication use case.
Here's how it generally works:
- User visits the website and clicks on the login button.
- The server generates a challenge and sends the browser a list of credentials that are registered to the user. It also contains information on the authenticator device (for example whether the device connects over USB or BLE).
- Browser asks the authenticator to sign the challenge.
- Authenticator requests the user to press a button, use biometrics, or other factors to verify.
- A signed assertion is created using the private key and is sent to the relying party for verification.
- The relying party verifies that the assertion carries the expected origin and challenge and that the signature checks out against the stored public key. If everything validates, the authentication succeeds. If not, the login is rejected, since a mismatched origin or challenge is the signature of a phishing attempt.
Passwordless improves security
In traditional authentication, the user types their credentials into the device or browser, and the browser sends those credentials to the server for verification. That is not the case for passwordless authentication, where no password is ever sent over the internet.
Only the assertion generated by the authenticator is sent to the Relying Party (server); user verification happens on the authenticator itself, using a PIN, biometrics, etc. From a security perspective, the password cannot be leaked or brute-forced because there is no password to compromise. This user-friendly process drastically reduces the risks associated with human error in cybersecurity.
Microsoft is leading the march toward a passwordless future
Much of the groundwork for a passwordless future has been completed with big providers such as Microsoft, Google & Apple already supporting it on their devices and software.
Microsoft is leading the way toward a passwordless future with its YubiKey partnership, where users can now log in to their Microsoft accounts with YubiKey security keys. They affirmed that vision when Microsoft CISO Bret Arsenault stated last month that passwords, by themselves, are useless.
Microsoft's first move was the introduction of Windows Hello, which uses biometric sensors to verify the user's identity. Microsoft then introduced the Authenticator app, which acts as an extra layer of security and allows users to log in to their desktops using their phones. And with the release of Windows 10 version 1903 in May, Windows Hello is a FIDO2 Certified authenticator.
Finally,
As cyber attacks have shown, whether in the initial compromise or further down the kill chain, a password has almost always been used somewhere in the attack. Eliminating this human risk factor is therefore crucial for the future of cybersecurity, and passwordless authentication looks like the way to go.
However, FIDO2 is still not supported everywhere, which means there is work to be done by websites themselves to fully implement this type of authentication. And the work doesn't stop at the code: services have to think of backup plans in case FIDO2 authentication fails (a biometric sensor failing to recognize the user, for example), and users have to be educated on the advantages of such technologies. And should we force all PC owners to buy hardware tokens? All of this remains to be seen.
Feel free to comment on this article, would gladly discuss any related matter down below.
Wireless Technology Expert
2 years
In 2015 I bought a couple of FIDO/U2F keys. Except for Google and Dropbox I have not found any website where I could use them. Two years ago I bought a FIDO2 key -- and never used it as it's hardly implemented anywhere. Access to sensitive information should be better protected. Banks, investment firms, insurance companies, government tax agencies, professional associations, universities are all culpable here. One large Canadian bank that shall remain nameless even restricts passwords to either 4 or 6 digits. Imagine that! And I'd bet these passwords are not even salted (or hashed). One credit agency (you can guess which one) does not even offer 2FA of any kind! They will not implement WebAuthn unless they are forced to. Shameful.
Director of Infrastructure and Operations at LFB
5 years
Has anyone already used FIDO2 in their day-to-day work?