How FIDO2 affects the future of MFA

Password-only access has been outdated for some time, but some MFA methods have also come under criticism recently. The FIDO2 authentication standard, which competes with the TOTP method, is intended to provide a remedy.

Is multi-factor authentication (MFA) less secure than expected? Several blog posts have already dealt with this question; we have shown which attacks on MFA you should know about and how you can protect yourself against them. This article looks at the FIDO2 standard, which is considered more secure than most other MFA methods. But is that really true?

Word has spread about the security risks associated with passwords. They are either insecure and easy to remember – or safe and hard to remember. They are also relatively easy to steal and reuse. MFA or 2FA (two-factor authentication) addresses these risks by introducing another factor that a cyber attacker does not have.

However, not all MFA procedures offer a satisfactorily high level of protection. For example, SMS or proprietary authenticator apps based on non-public standards should only be used in the absence of alternatives. Things are much better with the proven TOTP method.

What is FIDO2?

FIDO2 is another method in the pipeline that also promises higher security. FIDO2 is a standard of the FIDO Alliance (Fast Identity Online), which was founded a little over ten years ago in February 2013. Its goal is to develop modern authentication standards “to reduce the world's over-reliance on passwords.” The first supporters included the German chip manufacturer Infineon and the Chinese IT giant Lenovo. Later, IT companies such as Google, Microsoft and Yubico joined. Since 2015, the Federal Office for Information Security (BSI) in Germany has also been part of the alliance.

The first standards included the FIDO Universal Second Factor (FIDO U2F) and the FIDO Universal Authentication Framework (FIDO UAF). FIDO2, the organization's third standard, was based on FIDO UAF.

FIDO2 is based on asymmetric cryptography with a private and a public key. The procedure eliminates the need for classic passwords. When logging in, the server sends a challenge to the client; the client signs the challenge with its private key and sends the signature back. The server then validates the response with the public key. If the signature is valid, the client is logged in.

Advantages of FIDO2 over other MFA methods

FIDO2 works completely without passwords, a benefit we have already explained. Private keys on the client side are usually protected with biometric authentication (for example, a fingerprint) or a PIN. Another benefit is that FIDO2 uses an individual key for each service and application. Unlike a password, which can be reused across services, a FIDO2 key cannot be reused. Because a FIDO2 key is always bound to the domain it was registered for, phishing tricks such as look-alike domain names can no longer be used to defraud users.

FIDO2 consists of three steps:

  1. First, the user registers with a service or an application where they want to authenticate via FIDO2. In doing so, they create a new key pair on their device, which consists of a private and public key.
  2. The private key remains on the user’s device while the public key is transmitted to the server.
  3. The challenge-response procedure is used for logging in. This requires the user to approve the action, for example via PIN or fingerprint. This is not an automated process by design.

A further development of the FIDO2 method is passkeys, which have already been integrated into operating systems and browsers by Microsoft, Apple and Google, among others. Here, the keys are no longer necessarily bound to a specific client. For example, Apple syncs keys via its own iCloud.

Disadvantages compared to the TOTP method

Another option for secure authentication via MFA is the TOTP (Time-based One-Time Password) method. With TOTP, the authenticator app on a smartphone generates a time-limited one-time password that the user enters in addition to their username and password when logging in. An advantage over passwords is that TOTP codes can only be used once and automatically expire after they have been used.

TOTP codes do have the disadvantage that they must be entered on a website, for example, so a phishing risk remains. Because the codes are time-limited, however, such attacks have to be carried out in real time, which is a high hurdle for most attackers.

Compared to FIDO2, the TOTP process offers a number of advantages. It works on any platform – only an authenticator app on a smartphone is required. On the other hand, if a FIDO2 security key is lost, users initially lose access to the linked accounts. FIDO2 is also far less widespread than TOTP: so far, only relatively few applications and services support the FIDO Alliance standard.

Although FIDO2 offers a higher level of security than TOTP, it is far less flexible than the time-limited one-time passwords. Which method is chosen thus depends on customer requirements with regard to these factors and other aspects such as user-friendliness and implementation.
