Lead Image © lassedesignen, 123RF.com
Secure authentication with FIDO2
Replacements
Moving away from passwords to improve account security is a recurring theme for administrators and security researchers. On the Internet, the password as a knowledge-based factor of authentication still dominates the login methods of online services. Password managers are increasingly relieving the burden on users as a weak point in password selection. However, despite all technical support, many users still use passwords that are easy to remember and therefore easy to crack. Projects like Have I Been Pwned [1] or the researchers of the University of Bonn in their EIDI (effective information after a digital identity theft) project [2] follow a reactive approach to account security; web development needs to focus more strongly on alternative authentication methods.
Back in December 2014, the FIDO Alliance published the FIDO Universal Authentication Framework (FIDO UAF) standard, which was intended to enable passwordless authentication. Since the release of the FIDO2 standard with the Web Authentication (WebAuthn) and the Client to Authenticator Protocol (CTAP) components [3], all the major browsers have gradually introduced support for the Web Authentication JavaScript API and the use of security tokens over CTAP.
FIDO2 Functionality
Fortunately, FIDO2 is very straightforward and, although it mainly uses cryptographic keys, quite easy to understand. Before you can log in to a web service as a user, you first need to go through a registration process. During this process, you generate the cryptographic key material – a public and a private key – on a secure device known as the authenticator. The public key is transmitted later to the application server for authentication. The key is stored there and linked to your user
...
Buy this article as PDF
(incl. VAT)
Buy ADMIN Magazine
US / Canada
UK / Australia
Related content
-
Secure passwordless logins with FIDO2 and LDAP
Log in to your account securely without a password with LDAP and a schema to establish the objects and attributes required for FIDO2 authentication. -
Passkeys eliminate the need for password-based authentication
Passwords are becoming a thing of the past. We look into the basic weaknesses of passwords, explain what passkeys are all about, and assess their practicality. -
Multifactor authentication from FIDO
The FIDO Alliance is working to build open solutions for the future of authentication. -
Hardening SSH authentication to the max
Public key authentication further supplemented with one-time password or hardware authentication methods improves SSH security while offering genuine convenience. -
Single sign-on with Keycloak
Google and Facebook are two of the biggest providers for single sign-on on the web, with OAuth2 and OpenID, but if you don't want to put your customers' or employees' data in their hands, Red Hat's Keycloak software lets you run your own operations with the option of integrating existing Kerberos or LDAP accounts.