Security Awareness: FIDO (Fast Identity Online) Authentication

By Rebecca Tague, Security Analyst

20 Jan, 2023

Cybersecurity is an important topic that is constantly evolving. Q2 Security Analyst Rebecca Tague tackles the subject of FIDO (Fast Identity Online) authentication. Read the first blog in this series, Security Awareness: Cybercrime Gangs to State-Sponsored Hacks, and check back next week as Rebecca looks at Business Email Compromise attacks.

Within our fast-paced, technology-filled world, users have more than 90 online accounts on average. Out of these accounts, passwords are typically reused 51% of the time. This statistic makes it easy to imagine that most data breaches are caused by something intended to make us safer: passwords.
 
The FIDO Alliance (FIDO) aims to reduce the world's reliance on these recycled passwords through its work on user authentication, identity verification and binding, and the Internet of Things (IoT). FIDO has developed the FIDO Authentication standard, which is based on public key cryptography and is objectively easier for consumers to use than traditional passwords. In short, this type of authentication enables biometric systems and multi-factor authentication to verify a user's identity with multiple data points.
 
How does this work? A pair of cryptographic keys is generated: the private key is kept on your device's hardware, while the public key is saved with the online service. To log in, the private key must be verified against the public key. This is accomplished by using a mobile phone as a secondary device to authenticate with the private key, along with the public key held by the service. As a result, the user's privacy and credentials have an extra layer of protection with little impact on the user experience.
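The following Node.js model of the registration and login flow described above is an added example, not code from Q2 or the FIDO Alliance. The `Service` class, the `createAuthenticator` function, the user name, and the origins are constructed for illustration, and it assumes the device signs the challenge and origin directly rather than the structured client data that real WebAuthn uses.

```javascript
const crypto = require('node:crypto');

// Device side: the private key is generated on the authenticator and never leaves it.
function createAuthenticator() {
  const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
  return {
    publicKey, // the only key material sent to the service, once, at registration
    // Sign the server's challenge together with the origin the user is actually visiting.
    sign: (challenge, origin) =>
      crypto.sign('sha256', Buffer.concat([challenge, Buffer.from(origin)]), privateKey),
  };
}

// Service side: stores public keys only and issues a fresh random challenge per login.
class Service {
  constructor(origin) {
    this.origin = origin;
    this.keys = new Map();    // user -> public key
    this.pending = new Map(); // user -> outstanding challenge
  }
  register(user, publicKey) { this.keys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user); // each challenge is single use, so a replay fails
    const key = this.keys.get(user);
    if (!challenge || !key) return false;
    const expected = Buffer.concat([challenge, Buffer.from(this.origin)]);
    return crypto.verify('sha256', expected, key, signature);
  }
}

// Constructed scenario: one registered user, four login attempts.
function demo() {
  const svc = new Service('https://bank.example');
  const device = createAuthenticator();
  svc.register('alice', device.publicKey);
  const sig = device.sign(svc.newChallenge('alice'), 'https://bank.example');
  const genuine = svc.verify('alice', sig);
  const replayed = svc.verify('alice', sig); // same signature, challenge already consumed
  const otherSite = svc.verify('alice', device.sign(svc.newChallenge('alice'), 'https://bank-login.example'));
  const otherDevice = svc.verify('alice', createAuthenticator().sign(svc.newChallenge('alice'), svc.origin));
  return { genuine, replayed, otherSite, otherDevice };
}
console.log(demo());
```

Only the first attempt verifies. The service never holds a secret that could be reused elsewhere, and a signature made for a different origin or by an unregistered device is rejected.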
 
FIDO authentication is different from a traditional push notification from an authentication application. Push notifications have been used within social engineering attacks, like the recent Uber breach. A contractor's push notifications were spammed repeatedly until they accepted one, resulting in a bad actor logging into their account and accessing confidential corporate information.
 
Additionally, FIDO Authentication can be integrated with leading federation protocols, including SAML, OIDC, and OAuth, in the following ways:
  • A SAML Service Provider (SP) requests from the SAML Identity Provider (IDP) that user authentication be FIDO-based
  • A SAML IDP returns a SAML Assertion to the SP indicating that user authentication was performed using FIDO
  • An OIDC RP requests from the OIDC Provider that authentication be FIDO-based
  • An OIDC Provider returns a token to the RP indicating that user authentication was performed using FIDO and how
  • FIDO could be leveraged in OAuth2 environments for user authentication before user consent and authorization to access a protected resource
