Going Passwordless with FIDO2
There are plenty of articles on why one should go passwordless. I will not reinvent the wheel here. You can check this article for a primer. For those of you who are too lazy to click on the link, here is an over-simplified summary:
What I hope to do with this article is to talk about how FIDO2 works and other things to keep in mind on your journey towards a passwordless enterprise.
The FIDO2 flow makes use of two protocols:
- WebAuthn is the W3C-standardised JavaScript API (navigator.credentials.create/get) through which the Relying Party (RP), i.e. the website, talks to the client (typically a browser or the OS platform).
- CTAP2 (Client to Authenticator Protocol) carries the communication between the client and the authenticator (a security key or on-device biometrics) over USB, NFC or BLE.
There are two types of authenticators:
- Platform authenticators are authenticators built into the devices such as Windows Hello on Windows, Biometrics/TouchID/FaceID on phones.
- Roaming authenticators are authenticators that are portable and external to a device and can be connected to a laptop/smartphone, such as security keys.
The FIDO2 flow is sexy. It is based on public key cryptography: there is no shared secret for the RP to store, and therefore none for it to leak.
It comprises two sub-flows:
- First-time user registration
- Subsequent user authentication
Registration:
- User initiates the registration/sign-up process on the website
- The website (RP) sends, via the client, a random challenge plus parameters such as which signature algorithms it accepts and what kind of authenticator it wants (platform or roaming, whether a discoverable credential is required, whether user verification is required)
- The authenticator asks the user to physically allow or deny the request for creation of credentials
- Upon approval, the authenticator generates a new key pair for this RP, stores the private key locally and sends the public key and a credential ID back to the RP (optionally with an attestation statement that proves which make of authenticator produced it)
- The RP stores the public key in its FIDO server and associates it with the particular user
Authentication:
- User initiates the login process
- The relying party (RP) presents a fresh random challenge to the authenticator, which holds a dedicated private key for each RP
- The authenticator prompts the user in order to verify that there is indeed a user
- User responds to the gesture with a tap on the security key + PIN or by providing biometrics
- Upon receiving this verification, the authenticator signs the challenge (together with the RP ID and the origin the browser observed, which is what makes the flow phishing-resistant) with its private key and sends the signature back to the RP
- The FIDO server of the RP then uses the public key associated with this user to verify the signature, and checks that the challenge is the one it issued and that the origin is its own
- Upon successful verification, the user is logged in to the website
Juxtapose this against the boring password-based flow and you will appreciate the sexiness even more.
Password based flow:
- You type the password stored in your brain (unless you are using a password manager) into the browser webpage
- The password is sent over the network to the application which validates it against its password database
How boring. (Not to mention insecure)
In case an employee’s authenticator is stolen/lost, how do you deal with account recovery?
- Encourage the enrollment of multiple authenticators during account registration. That way, employees will have a backup authenticator in case they lose their primary one.
- Encourage the use of platform authenticators. The likelihood of losing a smartphone/laptop is lower than that of a security key.
After spending months or even years setting up a working passwordless flow for employees in your organization, you finally crack it. You are elated and cannot wait to close the project.
Not so soon. Getting it to work is the easy part. The boss fight is yet to come.
The organizations that presented in the Authenticate 2020 conference like IBM, Microsoft and Target mentioned that adoption of the passwordless flow was the one of the most difficult challenges if not the most difficult challenge.
Here are some of the suggestions from them, plus my own ideas, on how to defeat the boss:
- Build a micro portal that serves as an advertisement banner for passwordless in your enterprise.
- Link FAQs and user guides in this portal in order to make it easy for users to find information on going passwordless.
- Have an easy-to-recognize and easy-to-recollect URL for the portal such as gopasswordless.yourorg.com. This makes it easy for people to talk about the portal. Leverage that sweet power of word-of-mouth marketing.
- Have a self-service enrollment portal to make it easy for users to enroll and manage authenticators.
- Have nudges wherever possible. For example, in the login form (where they typically enter username and password) have a nudge that says 'To learn more about passwordless click here'.
- Start with information workers first. They are the easiest to onboard.
- Distribute work devices which sport platform authenticators instead of procuring hardware tokens. This makes the enrollment process seamless and easy for employees. Having to deal with an external key is fussy. Employees are going to stay away from anything that is fussy. They already have enough of that in their lives.
A few things you need to watch out for:
- For a truly passwordless (usernameless) sign-in you need authenticators that support discoverable credentials, a.k.a. resident keys (RK): the RP cannot hand the authenticator a list of credential IDs when it does not yet know who is logging in, so the authenticator must be able to find the credential from the RP ID alone. Authenticators without RK support can and should only be used as a second factor. Mind the storage limits too: older security keys hold only a small, fixed number of resident credentials.
- Do not make any restrictions on what authenticators are allowed. Tying employees down to a particular brand or type of authenticator only slows down user adoption. (Attestation lets you allow-list authenticator models by AAGUID if a compliance requirement forces you to, but every restriction you add costs adoption.)
- Disable convenience PIN sign-in via GPO (Computer Configuration > Administrative Templates > System > Logon > "Turn on convenience PIN sign-in") so that the PIN users end up with is a Windows Hello for Business PIN, which unlocks a TPM-protected key, and not a convenience PIN that merely unlocks a cached password.
- De-register lost keys to prevent misuse by a malicious entity.
- Have a reporting mechanism where the user can report the loss of an authenticator. This can be via a self service portal and/or the help desk.
- Ensure user awareness. If the user is not informed about the perils of not de-registering lost keys, the user will not care about de-registering/reporting.
What about the 2nd factor?
Passwords are the first factor. By going passwordless, what happens to the 2nd factor? Do you keep it? Or should you do away with it? Is it safe to do away with a 2nd factor?
Passwordless with FIDO2 is multi-factor by design, provided the RP requires user verification (userVerification: "required") rather than mere user presence.
Two factors are bundled into a single FIDO2 authentication: something you have and something you know (or something you are).
Something you have: a security key or a platform authenticator. The signature proves possession of the private key.
Something you know / something you are: your PIN or your fingerprint/face. The authenticator checks it locally before it signs and reports this by setting the user-verified (UV) flag in the signed data; the PIN or biometric itself never leaves the device. A bare touch on a key proves only presence and possession, so an RP that accepts assertions without the UV flag is back to a single factor.
The journey to passwordless is long and arduous. However, it is a (mandatory) journey that is immensely rewarding.
[Having said that, passwords are still going to be around for the next few years. Until such a day arrives, be responsible and use a password manager. Need help picking one? Find my rookie analysis and recommendation here.]
Oh, and good luck with the boss fight. If you defeat it, that juicy chest of gold is yours for the taking.