How Does FIDO2 Work

To be able to connect to any platform, it is necessary to have a good password that protects us from intruders. But passwords by themselves will not stop some attack methods that can steal them, such as phishing or brute force. Two-step authentication is a good option to keep someone who guesses the password out of an online service, but alternative authentication standards have also emerged. In this article we talk about what FIDO2 is and why it is so interesting.

What is FIDO2?

The usual approach is to have a username and enter a password, for example to log in to social networks such as Facebook, to access email or to unlock a device. The FIDO2 standard makes it possible to set this traditional method aside without putting security at risk. It is based on two-factor authentication and uses security keys.

The name FIDO comes from Fast Identity Online, and the standard is backed by an alliance of some of the best-known platforms worldwide: Google, Amazon, Facebook and Mozilla, among others. The WebAuthn standard and the CTAP protocol are also part of it. It builds on the earlier U2F and UAF standards, both created by FIDO.

Now, how exactly does it work? Its objective is to let us authenticate ourselves on the Internet, for example when using an application or entering a website, without having to type a password. For this we can use a small security key that connects via USB or NFC, but a mobile phone can also be used as the authenticator.

Basically it lets you use your mobile, for example, to authenticate yourself on the Internet, carry out transactions, log in, and so on. Instead of entering a password, you identify yourself by this means, for example with the fingerprint reader on the phone. The main change introduced by FIDO2 is that this authentication can also be used in web environments.

How does it work?

The first step is to register on a platform or application compatible with FIDO2, for example the app you use to access your bank or Facebook. This generates a FIDO2 key pair: one private key and one public key. The private key is saved on the device and the public key is stored in the database of the service we registered with. The private key is only ever available on the client side.

The first time you enter that application you will have to use the traditional credentials, that is, the username and password you created. That password will always let you in. But once you are in, the program will give you the option to enable access through biometric data, and it is at this point that the cryptographic keys are generated and the public key is exchanged with the service.

From then on, once you have configured the option to access with biometric data, you will be able to log in simply with your fingerprint or facial recognition. You open the browser or application, the fingerprint prompt appears automatically, and the cryptographic data is exchanged to authenticate the user according to FIDO2.

Logically, if you access that application from another device you will have to enter the traditional password or set up another authentication method there. The same applies if you reset the mobile to factory settings or uninstall and reinstall the program, since you would have to configure it again following these same steps.

Where is it used?

You probably use FIDO2 day to day, or have at least used it once. Every time you use your mobile phone to enter a social network or bank account and confirm with your fingerprint, it is based on this protocol; the same goes for facial recognition or an external token. It relies on biometric data stored on the mobile, computer or any other compatible device: when you register your fingerprint, it is stored in the system for later use.

It is also used for online payments, purchases or topping up virtual cards. In these cases you also have to authenticate yourself for the transaction to go through, and you can do so with these methods without entering a traditional password.

This is useful because it is not necessary to enter the password every time we access online platforms. Authentication is performed locally, with the stored information, together with that second authentication factor, which would be a fingerprint or facial recognition, for example. It is a secure process and one that is present in more and more services.

Keep in mind that it is not available in every type of application, but its use is increasing. You can probably find it in your bank's app, in some social network you use, and the like.

What advantages does it have?

You may be wondering what advantages this type of authentication has over traditional passwords. There are several interesting points that make the FIDO2 protocol very useful today, and it will become even more useful as more services add support for this way of authenticating.

The first clear advantage is convenience and speed. Think about having to enter the password every time you access Facebook, your bank account or any similar application: you lose time and also have to remember what the access code is. With FIDO2 you simply use your fingerprint or facial recognition, or a security key, and log in quickly.

Another positive point is security. On the one hand, we avoid exposing passwords so much, since we no longer have to log in with them constantly. This reduces the risk of a phishing attack or of a keylogger recording the access codes. Thanks to this protocol, those keys are only unlocked on that specific device.

Related to the two previous advantages, a third is the ability to use the same authentication for many applications. For example, you could have five bank accounts, each with a different password (which is the right thing to do), and you would have to enter each of those passwords to get in. With this protocol, all you have to do is use your fingerprint or facial recognition and you can enter all of them the same way.

Conclusions

As you have seen, FIDO2 is an authentication protocol that lets us put traditional passwords aside and authenticate ourselves in web applications securely, comfortably and quickly. It lets us authenticate on a device simply by using a fingerprint or facial recognition, among other methods.

Although it is already widely used, its use will certainly become even more widespread in a few years. We will have more compatible applications and therefore more opportunities to use the different alternatives to traditional passwords, on mobile devices or on the computer, to access our online accounts.