The FIDO2 passwordless authentication standard has revolutionized the cybersecurity landscape by eliminating the dependency on passwords and offering a robust, convenient, and foolproof alternative.

Passwordless authentication: The next big thing

Let’s face it – relying solely on passwords is like leaving the front door of your digital fortress wide open. Verizon’s 2019 report makes the consequences plain: up to 80% of security breaches involve weak or compromised passwords.

Not only is password-based authentication vulnerable to attacks, but it also causes inconveniences for individuals and businesses. Remembering complex passwords for different accounts is a real pain, not to mention the regular resets and forgotten-password issues, which can be quite frustrating.

The FIDO2 technology, developed by international security experts, is a new approach to authentication that aims to eliminate all the problems with password dependence.

So what is FIDO2? Why is FIDO2 revolutionizing the way organizations and individuals worldwide authenticate online? 

What is FIDO2?

FIDO2 stands for Fast IDentity Online 2, which is a global standard for authentication based on the latest security specifications developed by the FIDO Alliance.

FIDO2 marks a paradigm shift away from traditional password-based authentication methods, instead leveraging PIN codes, biometric factors (like fingerprints or facial recognition), or physical interactions with FIDO2 devices.

These local user-verification steps unlock a private key stored securely on the user’s device, such as a computer, phone, or USB security key. This approach strengthens authentication significantly, providing a robust and resilient mechanism that reduces reliance on vulnerable passwords.

A brief history

In 2012, the FIDO Alliance was established, bringing together prominent technology leaders including PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, Agnito, and others. Their shared vision aimed to revolutionize authentication standards by eliminating the reliance on passwords. To do that, the FIDO Alliance created a standardized set of security specifications that operate on an open mechanism, are scalable, and can be universally adopted at no cost.

In 2014, the initial version of the FIDO passwordless protocol was released, marking a significant milestone in the development of a new era of authentication.

In 2016, the World Wide Web Consortium (W3C), the international standard organization for the World Wide Web, officially recognized and standardized FIDO authentication in web browsers and platforms. This propelled the widespread adoption of FIDO as an internationally accepted security standard, ensuring its safe and extensive use by users worldwide.

The year 2018 witnessed the official release of the FIDO2 standard, the latest advancement in the FIDO framework.

In 2022, Apple, Google, and Microsoft made a joint commitment to develop passwordless authentication features based on the FIDO2 standard across all their platforms, reaffirming the industry’s recognition of FIDO2 as a pivotal authentication technology.

By 2023, the FIDO2 standard had achieved global coverage, with numerous prominent companies, such as Adobe, Amazon, Apple, CVS Health, Dashlane, DocuSign, Google, Hyatt, Instacart, Kayak, LY Corporation, Mercari, NTT DOCOMO, Nintendo, 1Password, PayPal, Shopify, and TikTok, implementing the FIDO2 standard for passwordless authentication and actively encouraging users to adopt it for their services.

The FIDO Alliance now boasts over 250 members, including government organizations and leading global entities in technology, finance, banking, telecommunications, and e-commerce sectors. 

How does FIDO2 passwordless authentication work?

FIDO2 authentication eliminates the need for passwords by relying on passwordless authentication factors called passkeys. 

There are two main types of passkeys:

  • Device-bound passkey: Also known as a FIDO2 security key, it is a physical device that can be connected to the user’s login device (e.g., desktop computer, laptop) via USB, NFC, or Bluetooth. The security key serves to verify the user’s identity and grant access to online services.

These hardware security keys are portable and can be used with multiple devices. Examples: USB security keys, smartphones with FIDO2 authentication apps.

FIDO2 security keys are considered highly secure because they store the user’s secret information internally, preventing exposure or leakage over the network. This makes them difficult to steal or attack.

  • Synced passkey: In contrast to device-bound authentication, a synced passkey is integrated into the user’s login device (e.g., computer, smartphone). This enhances convenience, particularly for subsequent logins after registration.

Synced passkeys rely on the login device’s own user-verification methods, such as facial recognition, fingerprint scanning, or PIN entry, which are performed directly on that device.

Examples: Google Passkey, Facebook Passkey, the VinCSS FIDO2 app, and others.

By leveraging these passkey types, FIDO2 authentication provides a secure and password-free login experience, enhancing convenience and mitigating the risks associated with traditional password-based authentication methods.

FIDO2: Under the hood

FIDO2 is built on public key cryptography.

During the registration process, a unique key pair is generated by the user’s FIDO2 device. This pair consists of a private key and a public key. The public key is registered with the online service provider’s server, while the private key remains securely stored on the user’s device.

When a login starts, the server sends a fresh, random challenge to the user’s device and asks for a digital signature over it, which can only be produced with the corresponding private key.

Users can confirm their ownership of the FIDO2 private key through various methods, such as entering a PIN or utilizing biometrics like fingerprints or voice recognition.

As the private key is stored exclusively on the user’s device and is never transmitted over the network, no unauthorized entity can gain access to the private key and use it to sign the digital challenge on behalf of the user.
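The registration and challenge-response flow described above, written out as a small Go simulation. This is an added example, not code from the article or from VinCSS: it models the authenticator (which keeps the private key) and the relying party (which stores only the public key, issues single-use challenges and verifies signatures). The relying-party identifier login.example.com, the user names and the simplified signed-data layout are constructed for illustration; real WebAuthn signs authenticatorData || SHA-256(clientDataJSON), which this collapses into one hash.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// rpID is an assumed relying-party identifier (constructed for this example).
const rpID = "login.example.com"

// Authenticator models the user's FIDO2 device. The private key lives only here
// and is never returned by any method.
type Authenticator struct {
	priv    *ecdsa.PrivateKey
	counter uint32 // signature counter, incremented on every signing operation
}

// Credential is all the server keeps per user: the public key and the last seen counter.
type Credential struct {
	Pub     *ecdsa.PublicKey
	Counter uint32
}

// Assertion is the authenticator's reply to a login challenge.
type Assertion struct {
	Challenge []byte
	Counter   uint32
	Sig       []byte
}

// RelyingParty models the online service.
type RelyingParty struct {
	creds   map[string]*Credential
	pending map[string][]byte // outstanding single-use challenge per user
}

func NewRelyingParty() *RelyingParty {
	return &RelyingParty{creds: map[string]*Credential{}, pending: map[string][]byte{}}
}

// newAuthenticator generates a fresh P-256 key pair (the ES256 algorithm used by FIDO2).
func newAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// Register creates a device-side key pair and hands the server only the public half.
func Register(rp *RelyingParty, user string) (*Authenticator, error) {
	dev, err := newAuthenticator()
	if err != nil {
		return nil, err
	}
	rp.creds[user] = &Credential{Pub: &dev.priv.PublicKey}
	return dev, nil
}

// NewChallenge issues 32 random bytes and remembers them for exactly one login attempt.
func (rp *RelyingParty) NewChallenge(user string) ([]byte, error) {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		return nil, err
	}
	rp.pending[user] = ch
	return ch, nil
}

// signedData binds the challenge to the relying party and to the device counter
// (a simplified stand-in for WebAuthn's authenticatorData || SHA-256(clientDataJSON)).
func signedData(challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	return h.Sum(nil)
}

// Sign runs after the user has touched the key or passed the PIN/biometric check:
// the device signs locally and bumps its counter. The private key never leaves the struct.
func (a *Authenticator) Sign(challenge []byte) (*Assertion, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedData(challenge, a.counter))
	if err != nil {
		return nil, err
	}
	return &Assertion{Challenge: challenge, Counter: a.counter, Sig: sig}, nil
}

// Verify checks the assertion against the stored public key, the outstanding challenge
// and the counter. The challenge is consumed whether or not verification succeeds,
// so a captured assertion cannot be replayed.
func (rp *RelyingParty) Verify(user string, as *Assertion) error {
	cred, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	want, ok := rp.pending[user]
	delete(rp.pending, user)
	if !ok || !bytes.Equal(want, as.Challenge) {
		return errors.New("challenge mismatch or already used")
	}
	if !ecdsa.VerifyASN1(cred.Pub, signedData(as.Challenge, as.Counter), as.Sig) {
		return errors.New("bad signature: not produced by the registered private key")
	}
	if as.Counter <= cred.Counter {
		return errors.New("signature counter did not increase (possible cloned credential)")
	}
	cred.Counter = as.Counter
	return nil
}

func main() {
	rp := NewRelyingParty()
	dev, _ := Register(rp, "alice")
	ch, _ := rp.NewChallenge("alice")
	as, _ := dev.Sign(ch)
	fmt.Println("genuine login:", rp.Verify("alice", as))
	fmt.Println("replayed assertion:", rp.Verify("alice", as))
	stranger, _ := newAuthenticator() // a device that never held alice's private key
	ch2, _ := rp.NewChallenge("alice")
	forged, _ := stranger.Sign(ch2)
	fmt.Println("other device's signature:", rp.Verify("alice", forged))
}
```

The three checks in Verify correspond to the article's claims: the challenge is single-use, so each login is a fresh session; only the registered public key verifies the signature, so a device without the private key cannot answer; and a counter that fails to increase is the standard signal that a credential may have been cloned.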

The FIDO2 authentication standard offers several significant benefits:

  • Security: FIDO2’s strong security layer revolves around the private key, which is unique to each registered credential, signs a fresh challenge at every login, and never leaves the user’s device or gets stored on servers. This approach provides robust protection against risks like fraud, password theft, and system attacks. It also prevents service providers from tracking user activities across websites. According to Microsoft, passwordless authentication reduces the risk of identity theft by 99.9%.
  • Convenience: FIDO2 eliminates the reliance on passwords, freeing users and organizations from the need to remember or frequently change passwords. This reduces the cost and effort associated with password-related tasks, allowing businesses to focus on essential operations and management. Employee productivity is enhanced by eliminating the time and effort spent on password-related issues. The authentication experience becomes faster and smoother, with options like facial or fingerprint scanning taking just a few seconds. According to Cybersecurity Insider, FIDO2 improves the user experience by 64% when logging into online services.
  • Scalability: FIDO2 is supported by popular web browsers and operating systems such as Windows, macOS, ChromeOS, Linux, iOS, and Android. This broad compatibility enables users to easily utilize FIDO2 on various devices and applications. As an open standard, FIDO2 allows businesses and organizations to deploy it flexibly to meet scalability and development needs. With FIDO2, businesses can provide secure, highly reliable, and convenient login experiences for employees, customers, and partners.

Vietnam embraces the “passwordless” wave

In Vietnam, there is a growing interest in “passwordless” authentication as businesses become more aware of cybersecurity and open to adopting advanced global security technologies.

VinCSS is the sole Vietnamese representative to become a member of the FIDO Alliance. Collaborating with renowned global entities like Sony, Huawei, and IBM, VinCSS contributes to the shared mission of fostering a secure digital environment.

VinCSS has achieved a significant milestone by being the pioneer in Vietnam to develop the VinCSS FIDO2 Ecosystem, comprising seven security solutions that are FIDO2-certified, showcasing our commitment to intellectual advancements in the field.

VinCSS’s FIDO2-compliant security products have been widely adopted by numerous Vietnamese and international businesses, as well as millions of individual users globally. These products offer a reliable and efficient authentication experience, effectively addressing concerns about cyberattacks in the digital realm.

VinCSS stands out among a select group of 13 companies worldwide that possess both a FIDO2-certified authentication key and a FIDO2-certified authentication server.

Tech Lady is Marketing Director at VinCSS