FIDO2: The End of Passwords is Near
There have been bold claims of killing passwords off for years. Recently there's been a lot of buzz about a potentially viable solution: FIDO2...
Scott Brady, Security Consultant
Bad actors will try to get you to reveal personal information that can then be used to impersonate you or steal money. This personal information could be usernames and passwords, credit card information, bank details or any other information useful to the attacker.
In a phishing attack, the attacker will attempt to lure you to a website that appears exactly like a site you might use frequently. For example, they could create a fake website that looks exactly like your banking site. They then get you to enter your banking details, such as username and password. They can then steal and use these details on the real banking site to impersonate you and access your accounts.
While training users can help, it's simply not enough. It is standard behaviour for people to open emails and click on links within those emails. Teaching people to be vigilant helps, but we are asking people to go against their normal daily practices by asking them not to open emails or click on those links.
However, there are ways to mitigate this.
When a user inputs their username and password, they are entering something they know. All an attacker has to do is to capture this information to learn these details. With multi-factor authentication, another layer (or factor) is added to this; something that the user has, which is much harder for an attacker to steal.
The second factor is typically a token generated when needed by a user, and unique to that user at that time.
The generator could be hardware-based, and many companies use this for access to internal applications. When logging in, the user has to insert a card or a key that will generate a token.
Tokens can also be generated in software and entered as part of the login process. These token generators often run as apps on mobile devices and are freely available. Many websites now enable two-factor authentication (2FA) by default, and more still have it as an option. We would strongly recommend that developers enable 2FA on their sites, or on any site that users visit that stores personal or financial information.
Be aware that 2FA does not prevent phishing attacks. However, it is an extra barrier for the attacker: even if they manage to steal your password, they still need the current 2FA value to log in to the site.
Attackers can still get around 2FA by simply:
There are tools that will help you do this, such as Evilginx (pronounced Evil Jinx). Evilginx acts as a reverse proxy, which means it sits between the user’s browser and the real website.
This approach means Evilginx can relay all the requests from the browser to the website, and all the responses from the website to the browser, while also capturing the data from this session. This includes any 2FA codes and session cookies that are sent. If the user is not aware this is happening, there is not much they can do to prevent it. For example, they may not have checked the address bar, or may not have noticed that the address of the fake site has been made to look like the real one (e.g. by using certain Unicode characters).
However, there are things that developers can do in code to mitigate this. You can put in JavaScript that reads the address of the site that the browser is using, and if that address does not match the site address, then the site can be prevented from working, and/or warn the user. Be aware, however, that Evilginx sees all the data flowing from the server to the client, and so can detect this JavaScript code and change it on the fly. To prevent this, you need to create dynamically obfuscated JavaScript.
You can imagine that this is an arms race between attackers and defenders, and as a developer, you need to be constantly aware of these attacks. For more information, there is an excellent video by Kuba Gretzky: "Phishing Through Modern 2FA Defences With Evilginx".
So, if 2FA is open to attacks, what can you do? Well, a better way to mitigate attacks is to use FIDO.
FIDO stands for Fast IDentity Online and is a free and open standard developed by the FIDO Alliance. It uses public key cryptography for authentication, and when using FIDO you don't need to use passwords.
FIDO is hardware-based; it could be a device that plugs into a USB port on your computer or some other device that you own, such as a mobile device. It could even be integrated into your computer, such as Touch ID, Face ID or Windows Hello. These are known as Platform Authenticators.
Each time you register with a new site, the device generates a public/private key pair, known as a ‘passkey’. It sends the public key to the site and stores the private key in the device. When you subsequently log on to the site, the site sends a challenge that is:
If the challenge has been signed successfully, then the site knows that the ‘correct’ user has logged in.
If your site is set up to use FIDO for authentication, then there is no way for an attacker to create a fake site and get the user to send their FIDO credentials to that site. This is because the FIDO credentials are scoped to a site. If you have set up FIDO for https://google.com, say, then the device would never identify https://gogle.com as being correct since the sites are not the same.
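To make the challenge-response and site scoping described above concrete, here is an added example (not code from the original article or from any FIDO library) that models a passkey flow in Go: the device holds one key pair per relying party ID, signs the site's challenge together with the origin the browser reports, and the site verifies both the origin and the signature. The `Authenticator`, `clientDataHash`, `NewChallenge` and `Verify` names are this example's own assumptions, and the challenge-plus-origin hash stands in for WebAuthn's real clientData structure.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator models the user's device: one passkey (key pair) per relying party ID.
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a passkey scoped to rpID; only the public key ever leaves the device.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}

// clientDataHash binds the challenge to the origin the browser reports (a simplified
// stand-in for WebAuthn's clientData; this construction is an assumption of the example).
func clientDataHash(challenge []byte, origin string) []byte {
	h := sha256.Sum256(append(append([]byte{}, challenge...), []byte("|"+origin)...))
	return h[:]
}

// Sign answers the challenge only if a passkey exists for rpID: a look-alike domain has none.
func (a Authenticator) Sign(rpID, origin string, challenge []byte) ([]byte, error) {
	priv, ok := a[rpID]
	if !ok {
		return nil, errors.New("no passkey registered for " + rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, clientDataHash(challenge, origin))
}

// NewChallenge returns 32 random bytes the site stores for this one login attempt (no replay).
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify is the site's check: the signed origin must be its own and the signature must verify.
func Verify(pub *ecdsa.PublicKey, siteOrigin string, challenge []byte, origin string, sig []byte) bool {
	return origin == siteOrigin && ecdsa.VerifyASN1(pub, clientDataHash(challenge, origin), sig)
}
```

A proxy such as Evilginx can relay the challenge, but the device has no passkey for the look-alike domain, and a signature that names the wrong origin or a stale challenge fails the site's check.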
Many companies, such as Google, Apple and Microsoft, now offer FIDO as an option.
This is a genuine concern. If you lose your device, you lose access to your passkeys. To help mitigate this, the FIDO Alliance introduced multi-device FIDO credentials, which allow your passkeys to be stored and shared on multiple devices. The devices take care of synchronization, and you should be able to store your passkeys on all devices that use the same account (for example from Apple, Google or Microsoft). Password managers such as 1Password and Dashlane also support passkeys.
If you are looking for support and guidance with the implementation of FIDO, or MFA or need free advice, don't hesitate to reach out via [email protected] or contact us.