FIDO Alliance

The FIDO Alliance, standing for "Fast IDentity Online", is an organization that promotes standard protocols (sets of rules for telecommunications and computer networking) between terminals and the cloud. FIDO's goal is a "password-less world", since more than 80% of today's cyber attacks involve user passwords, and multi-factor authentication (MFA) can protect against more than 98% of all cyber attacks.

The FIDO Alliance proposed the UAF (Universal Authentication Framework) and U2F (Universal 2nd Factor) protocols in 2014 and 2016, which bring password-less login with smartphones and two-step verification with a password plus an external device on a PC, respectively.

FIDO2 Configuration

FIDO2 achieved FIDO password-less login from web browsers such as Edge, Firefox and Google Chrome in March 2019 by employing WebAuthn in the browser. The FIDO2 protocol consists of three functional modules, Authenticator, Client and Server, as shown in (a) of the Figure, where WebAuthn is the protocol between Client and Server and CTAP is the protocol between Client and Authenticator. In this Figure,

(b) is the configuration for a FIDO2 security key, an external, physically separate dongle;

(c) is the configuration for FIDO2 Windows Hello, where authentication is conducted with a fingerprint reader and a software Authenticator;

(d) is the configuration for a FIDO2 Android smartphone, where the Authenticator and Client functions are both performed in software on Android OS with the phone's built-in fingerprint sensor.

Detailed Protocol

FIDO2 consists of fingerprint authentication and public key infrastructure (PKI). Fingerprint authentication is a technology that reads a fingerprint with a fingerprint sensor, compares its feature points with registered data, and decides whether the input fingerprint is a registered one. The public key cryptographic infrastructure, on the other hand, lets the device side digitally sign a document created on the server side (called a challenge, because it is a different document for each authentication) using the private key held on the device side; the server then verifies the signature with the public key and so determines whether it was really created on the device side. Because the purpose is for the server to verify the user's identity, fingerprint authentication and the electronic signature on the device side must be linked. For this reason, these two operations are performed in a protected area of the device called a secure element (SE), and the digital signature is executed only when fingerprint authentication succeeds. From these principles, FIDO2 is executed as shown in the figure (the numbers in the figure and the following numbers match).

FIDO2 Protocol

  1. A challenge is sent from the server to the device.
  2. Fingerprint authentication is performed in the device.
  3. The sent challenge is electronically signed with the user's private key, only if fingerprint authentication succeeded.
  4. The signed challenge is sent to the server.
  5. The server verifies the electronic signature using the user's public key. Identity verification ends successfully only when the signature verification succeeds.

That is the procedure. Since the challenge is a randomly generated number, the data passing over the communication path is different for each authentication. As premises, the following conditions are necessary:

  1. A registered fingerprint is stored in the device.
  2. The user's private/public key pair is generated secretly in the device; the private key is kept in the device, and the public key, which may be disclosed, is sent to the server side for storage.
  3. The user name and other user information are also stored on the server side.

Therefore, before starting authentication for the first time, a "user registration" task must be performed.

Important points:

  1. The challenge includes a server name and user ID in addition to the random number, and the browser and the device check them.
  2. Attestation is a method by which the authentication server authenticates the device. The device creates a signature over the signature-creation data with the attestation private key, sends the attestation public key and the signature to the server, and the server verifies the signature using that public key and so authenticates the device.
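As an added worked example (not code from this page or from the FIDO Alliance), the following Go program models the five protocol steps and the registration premises above using the standard library's ECDSA on P-256. Its assumptions: the relying party is `example.com` served from origin `https://example.com` (constructed values), the fingerprint check is a string comparison standing in for the sensor, and the authenticator data is reduced to the rpId hash plus the user-presence flag, i.e. the first 33 bytes of the real WebAuthn layout. Attestation (important point 2) is not modelled; the server simply stores the public key at registration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/json"
	"errors"
	"fmt"
)

// Constructed relying-party identifiers for this walk-through (not a real deployment).
const rpID, origin = "example.com", "https://example.com"

type clientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// Authenticator stands in for the secure element; a string compare replaces real fingerprint matching.
type Authenticator struct{ priv *ecdsa.PrivateKey; enrolledFP string }

// Server keeps only the user's public key and the challenge it most recently issued.
type Server struct{ pub *ecdsa.PublicKey; pending []byte }

// NewAuthenticator enrols the fingerprint and generates the key pair inside the device.
func NewAuthenticator(fingerprint string) *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv, enrolledFP: fingerprint}
}

// Register is the "user registration" premise: only the public key goes to the server.
func Register(a *Authenticator) *Server { return &Server{pub: &a.priv.PublicKey} }

// NewChallenge is step 1: a fresh random challenge for every authentication.
func (s *Server) NewChallenge() []byte {
	s.pending = make([]byte, 32)
	if _, err := rand.Read(s.pending); err != nil {
		panic(err)
	}
	return s.pending
}

// signedMessage is sha256(authenticatorData || sha256(clientDataJSON)), as in WebAuthn.
func signedMessage(authData, clientJSON []byte) []byte {
	cdHash := sha256.Sum256(clientJSON)
	msg := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return msg[:]
}

// Assert covers steps 2 to 4: the browser wraps challenge and origin into clientData, and the
// device signs authenticatorData (sha256(rpId) || 0x01 user-present flag) plus its hash only on a match.
func (a *Authenticator) Assert(fingerprint string, challenge []byte, clientOrigin string) (clientJSON, authData, sig []byte, err error) {
	if fingerprint != a.enrolledFP {
		return nil, nil, nil, errors.New("fingerprint mismatch: no signature produced")
	}
	clientJSON, _ = json.Marshal(clientData{Type: "webauthn.get",
		Challenge: base64.RawURLEncoding.EncodeToString(challenge), Origin: clientOrigin})
	rpHash := sha256.Sum256([]byte(rpID))
	authData = append(rpHash[:], 0x01)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(authData, clientJSON))
	return clientJSON, authData, sig, err
}

// Verify is step 5: origin, single-use challenge, rpId hash and presence flag, then the signature.
func (s *Server) Verify(clientJSON, authData, sig []byte) error {
	var cd clientData
	if err := json.Unmarshal(clientJSON, &cd); err != nil {
		return err
	}
	if cd.Type != "webauthn.get" || cd.Origin != origin {
		return fmt.Errorf("unexpected type or origin: %q %q", cd.Type, cd.Origin)
	}
	if s.pending == nil || cd.Challenge != base64.RawURLEncoding.EncodeToString(s.pending) {
		return errors.New("challenge does not match the one issued")
	}
	s.pending = nil // consumed: a replayed assertion fails the check above
	rpHash := sha256.Sum256([]byte(rpID))
	if len(authData) < 33 || string(authData[:32]) != string(rpHash[:]) || authData[32]&0x01 == 0 {
		return errors.New("bad authenticatorData: rpId hash or user-presence flag")
	}
	if !ecdsa.VerifyASN1(s.pub, signedMessage(authData, clientJSON), sig) {
		return errors.New("signature verification failed")
	}
	return nil
}

func main() {
	a := NewAuthenticator("fp-alice")
	s := Register(a)
	clientJSON, authData, sig, _ := a.Assert("fp-alice", s.NewChallenge(), origin)
	fmt.Println("verify:", s.Verify(clientJSON, authData, sig))
}
```

The device refuses to sign at all when the fingerprint does not match, which is the link between the two operations that the text requires, and the server rejects an assertion whose origin, challenge or rpId hash differ from what it issued. Because the server forgets a challenge once it has been checked, the same signed data cannot be presented a second time, which is why a fresh random challenge per authentication matters.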

editor

Editor, ACOT Electronics Inc. since Nov. 2017