Identity protection by password is essentially a failing concept: passwords get re-used very often as more and more services require user identification, even newspapers. FIDO2 is a project by the FIDO Alliance and the World Wide Web Consortium (W3C) to substantially enhance the security of web application authentication. FIDO2 offers a comprehensive solution to this problem as it is
- more convenient: a single push of a button or a fingerprint read
- more secure: identity theft becomes a relic of the past and
- there is no need for a central identity provider (like Google, Facebook, etc.) that the world has to trust.
Especially in times when working from home becomes essential for businesses around the globe, more companies are using cloud-based services like Google Docs or Microsoft Office 365. In this case, identity protection is highly relevant, as there is no network border (like firewalls or physical networks) that serves as an additional layer of protection against data theft or manipulation in case of identity theft.
2-Factor Authentication (2FA) can help companies stay secure: with 2FA it is harder for an attacker to take over accounts, even if the attacker knows the password. Still, some 2FA solutions like the typical mobile authenticator apps (or hardware tokens), which usually implement TOTP, remain vulnerable to phishing.
In contrast, FIDO2 gives companies and users a highly secure option for passwordless login or 2FA; both have very few realistic attack vectors. One would be stealing a physical device or compromising the security of the client, but as decent security advisors we would also like to mention other attack options. FIDO2 is also a quite cost-effective solution, as most mobile phones (all Android 7 and Apple mobiles) as well as all modern Windows PCs (TPM ready) or OSX PCs already come with integrated FIDO2 capabilities; USB FIDO2 keys are on the market for as little as €10.
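Why a FIDO2 login does not fall to the phishing that defeats TOTP: the authenticator signs over the origin the browser saw and a hash of the relying party ID, and the server rejects anything that does not match. The relying-party checks below are an added illustration, not code from this page or any FIDO2 library; the RP ID, origin and challenge are constructed sample values, and signature verification over `authenticatorData || SHA-256(clientDataJSON)` is left out to keep the focus on the origin binding.

```python
import base64
import hashlib
import json

# Constructed sample values for a hypothetical RP, not from a real deployment.
EXPECTED_RP_ID = "login.example.com"
EXPECTED_ORIGIN = "https://login.example.com"
ISSUED_CHALLENGE = base64.urlsafe_b64encode(b"0123456789abcdef").rstrip(b"=").decode()


def check_client_data(client_data_json: bytes) -> None:
    """Checks the browser-supplied clientDataJSON of an assertion."""
    data = json.loads(client_data_json)
    if data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")
    if data.get("challenge") != ISSUED_CHALLENGE:
        raise ValueError("challenge mismatch (replay or wrong session)")
    # The browser fills in the origin it actually served; a look-alike
    # phishing site cannot produce our origin here.
    if data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError(f"origin mismatch: {data.get('origin')!r}")


def check_authenticator_data(auth_data: bytes) -> None:
    """Checks rpIdHash and the user-presence flag of authenticatorData."""
    if len(auth_data) < 37:
        raise ValueError("authenticatorData too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    if rp_id_hash != hashlib.sha256(EXPECTED_RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match our RP ID")
    if not flags & 0x01:  # UP bit: the user touched/unlocked the authenticator
        raise ValueError("user presence flag not set")


def verify_assertion(client_data_json: bytes, auth_data: bytes) -> tuple[bool, str]:
    """Returns (accepted, reason); signature verification is omitted here."""
    try:
        check_client_data(client_data_json)
        check_authenticator_data(auth_data)
    except ValueError as exc:
        return False, str(exc)
    return True, "ok"


# Helpers to build constructed sample inputs for the two scenarios.
def make_client_data(origin: str) -> bytes:
    return json.dumps({"type": "webauthn.get", "challenge": ISSUED_CHALLENGE,
                       "origin": origin}).encode()


def make_auth_data(rp_id: str, flags: int = 0x01) -> bytes:
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + (0).to_bytes(4, "big")
```

Run `verify_assertion(make_client_data("https://login-example.com"), make_auth_data("login-example.com"))` to see a look-alike origin rejected while the same call with the expected values is accepted.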
The following guide gives administrators and users the required settings to enable FIDO2 protection, but is by no means a complete FIDO2 explanation.