There have been bold claims of killing passwords off for years; however, recently there’s been a lot of buzz about a potentially viable solution: FIDO2. After hearing a lot about all things FIDO and WebAuthn at the European Identity & Cloud Conference, and Identiverse, I decided to take a look into the new standards and how they could be applied to IdentityServer4.
The basic idea behind FIDO is that we take phishable, shared secrets (i.e., passwords) and replace them with unphishable, public key cryptography. This involves the generation of a unique private and public key pair per relying party website and using those keys to sign and verify attestations. Keys are stored on a FIDO authenticator, which could be your mobile phone or dedicated hardware such as a security key.
FIDO has been kicking around for a while now, however, thanks to the new FIDO2 standards (with WebAuthn soon to be ratified by W3C), FIDO2 authenticators are being brought to every major browser and platform. That said, Google has been a major proponent of the earlier FIDO U2F specification and recently reported that since requiring all employees to use security keys in early 2017, not one of the 85,000 of them had been successfully phished.
If you’re interested in learning more about FIDO and how you could adopt it in your Identity solution, then please get in touch at firstname.lastname@example.org.