FIDO 2.0 – standardized authentication

FIDO stands for Fast Identity Online. The FIDO Alliance was created with the main objective to eliminate the use of password over the Internet. Many industry leading online websites, PC manufacturers and other software and hardware vendors actively participate in the development of the FIDO standards. The FIDO Universal Second Factor (U2F), FIDO Universal Authentication Framework (UAF) and FIDO2 WebAuthn protocols have resulted from the work done by the alliance to standardize hardware and software around authentication in an effort to replace traditional usernames and passwords. The typical FIDO U2F implementation is to use a USB token as a 2nd factor for authentication to websites. You would still use your username and password, but then you would also be required to insert the token and authenticate the token before you can login. FIDO UAF implementations are typically done using a mobile phone as your authenticator. An application running on the phone can be notified when you are trying to login to a website and you are prompted to authenticate on your phone before you can login. OmniDefend’s mobile authenticator uses the FIDO UAF protocol and we will be doing another blog article on this later – so stay tuned. This article is going to focus on the FIDO2 WebAuthN standard and how OmniDefend takes advantage of this security standard.

Client side vs. Server side Authentication

Before we get into the details of how OmniDefend uses the FIDO2 standard, we need to understand the difference between client side and server side authentication. When trying to login to a website, you have two components, the client (the computer you are working on and accessing the website from) and the server(s) (the server(s) in the cloud that website you are accessing are running on).

Client–server model - Wikipedia
Client / Server architecture

In this picture, there are two ways authentication can be performed – on the client device or on the server device. In the case of the client side authentication, the user is prompted to authenticate on the device and the result of that authentication is sent securely to the server so that the server can do the login. This means the authentication template (e.g. your enrolled fingerprint template), any hardware needed for authentication (e.g. a fingerprint reader or token) and the authentication algorithm (e.g. fingerprint matching software) have to be on the client PC. In the server side authentication, the authentication template, and the authentication algorithm are on the server. The client PC is used to perform the parts of the authentication requiring the user (e.g. asking the user to place his finger on the fingerprint reader hardware connected to the client PC), but then the authentication information is sent to the server where the algorithm and template is used to do the authenticating of the user. So what does this mean:

Client Side Authentication Server Side Authentication
– authentication information (user info) never leaves the user’s PC
– need to enroll on each client separately (can’t roam from PC to PC)
– can only do 1:1 authentication (validation) so user may have enter his username before authenticating
– need to enroll only once, can authenticate on any computer.
– allows support for 1:N authentication (identify a user)
– authentication information is stored on a cloud server

OmniDefend can perform both client side or server side authentication. The FIDO2 protocol is a client side authentication protocol which requires a user to enroll on each PC or device on which he wants to authenticate. To use server side authentication in OmniDefend, you must use one of the other authentication modalities which can authenticate on the server itself.

FIDO2 Implementation in Windows, Android and iOS

The FIDO2 standard allowed the W3C standards body to implement the WebAuthN API that is now part of all the major browsers. Using this API, a website can have a standardized way of authenticating users without requiring the users (for the most part) to install any 3rd party client software on the the client PC. You can read the official WebAuthN standard here. When a website calls this API, what happens is different based on the device and browser from which you are browsing the website. On a Windows PC using Edge Chromium or Chrome browser, you will be prompted to authenticate using Windows Hello. This allows you to choose from the same authentication methods that you use to unlock your PC and can include fingerprint, face, PIN, smart card, token, password, or picture password. On an Android device this will invoke the Android Biometric authentication which can also include the fingerprint, face, PIN, etc, and again is tied in with the same method you use to unlock your phone. Similarly on an iOS based device, FIDO2 authentication will invoke iOS FaceId or TouchId depending on the Apple device you are using.

OmniDefend and FIDO2

When you configure OmniDefend authentication policies for an application or for the login to your portal, you can configure FIDO2 authentication as part of your policy.

Configure MFA policy for FIDO2 in OmniDefend

You will now have the option to use FIDO2 authentication to login to the specified application or website. In this case, we have configured the login to southwest.com (Southwest Airlines) to use FIDO2 and as you see below, when you invoke FIDO2 authentication in OmniDefend, you are prompted by Windows Hello to authenticate using the methods that are configured for your PC unlock.

Windows Security prompt when using OmniDefend

Similarly if you try to login to a site using OmniDefend SSO on an Android or iOS device, you will be prompted to authenticate with your fingerprint, face, PIN or other method you have setup to unlock your phone.

Ultimately, if you want to support strong authentication for login on a device like a phone or tablet where you can not connect an external authentication device (like an external palm vein scanner or fingerprint reader) or you want to keep all your authentication templates on the user’s computer or device and you never want that personal identifying authentication information to leave the user’s assigned device, then you can use OmniDefend FIDO2 authentication support to achieve your security goals.