FIDO stands for Fast Identity Online. The FIDO Alliance was created with the main objective to eliminate the use of password over the Internet. Many industry leading online websites, PC manufacturers and other software and hardware vendors actively participate in the development of the FIDO standards. The FIDO Universal Second Factor (U2F), FIDO Universal Authentication Framework (UAF) and FIDO2 WebAuthn protocols have resulted from the work done by the alliance to standardize hardware and software around authentication in an effort to replace traditional usernames and passwords. The typical FIDO U2F implementation is to use a USB token as a 2nd factor for authentication to websites. You would still use your username and password, but then you would also be required to insert the token and authenticate the token before you can login. FIDO UAF implementations are typically done using a mobile phone as your authenticator. An application running on the phone can be notified when you are trying to login to a website and you are prompted to authenticate on your phone before you can login. OmniDefend’s mobile authenticator uses the FIDO UAF protocol and we will be doing another blog article on this later – so stay tuned. This article is going to focus on the FIDO2 WebAuthN standard and how OmniDefend takes advantage of this security standard.Read more
Technical information about OmniDefend
In the past, single sign-on (SSO) was typically achieved only through “password fill”, where the SSO software would prompt the user the first time he or she visits a website to enter their password. Then the next time the user visits the site, the SSO software detects that there is a password saved and either automatically fills in the user’s password or prompts the user to authenticate before filling in the password. Softex’s OmniPass software and password save feature in Chrome, Edge and Firefox, are just some example of these SSO password managers. SAML was born from the idea that instead of saving a user’s username and password, a website that needed to login a user (“Service Provider”) could talk securely with the SSO software (“Identity Provider”), so the SSO software could authenticate the user’s identity and securely send back information about the user that authenticated so that the website could just login that user without any password. As long as the website were to “trust” the SSO software, this could be achieved.Read more
We have all used a website that allowed you to “Sign-in with Google” or “Sign-in with Facebook” instead of creating yet another username and password for that you have to remember. But have you ever wondered how this is implemented? Well this is where OpenId Connect comes to the rescue.
OpenId Connect was developed to allow website developers to enable single-sign on from a variety of different “identity providers” using a common API. Let’s say you are a developer creating a new website called acmeproducts.com. Now, instead of asking the user to create an account where he has to provide a specific username and password along with his name, address, and other personal information, you can now use OpenId Connect to request that information from the user’s favorite identity provider (e.g. Google or Facebook) where the user has already provided that information.Read more
OAuth 2.0 is an authorization protocol that allows a user to authorize access to data and APIs (resources) from one application to another. Even though OAuth 2.0 is not an authentication protocol, often times the user must be authenticated by the application providing access before access to resources can be authorized. In a nutshell, using the OAuth 2.0, protocol, a website that a user is trying to log into (also known as a service provider), can request authorization of the user to an identity provider (i.e. the SSO server). The identity provider can authenticate the user as it wants and can even prompt the user to authorize the access to the service provider. The service provider then receives an access token which can be used to call APIs or access the user’s data or identity information so the user can be logged into the website and can perform the operations required in the website.
You can read a more in-depth explanation of OAuth 2.0 in this Medium article. OmniDefend fully implements the OAuth 2.0 protocol and you can use OmniDefend to perform SSO to applications that support the protocol. In addition, if you are developing your own application, you can use the OAuth 2.0 protocol to allow users to use OmniDefend authentication to log into your website in a secure way.