Before introducing the concept of FIDO2, let us briefly explain passwords and problems related to them.
The biggest problem with user-created passwords is their predictability. All too often they are short, simple, and drawn from the same small pool of popular choices, which makes them vulnerable to password spraying. In a spray attack, the attacker tries a handful of common passwords (a season plus the current year, the company name, "Password1") against a large number of accounts, typically one attempt per account per lockout window, so that no single account trips the failed-login threshold. The method is unsophisticated and relies on the statistics of password choice rather than on any weakness in the system, but across a large user base it succeeds often enough that accounts guarded by weak passwords are routinely broken into this way.
Another attack on password-protected accounts is the brute-force attack, in which the attacker hammers a single account with a large number of candidate passwords. This type is much easier to recognize and prevent: the burst of failed logins against one account stands out in authentication logs, triggers account lockout or rate limiting, and gives network admins time to detect the suspicious behavior and take appropriate measures. Spraying is designed precisely to stay below those per-account thresholds, which is why it has to be detected across accounts (many users failing once from one source) rather than per account.
Yet another problem with passwords is that they are a shared secret. Even in the best case, the password is known to the user, and the relying party (the application or service the user is trying to access) must hold either the password itself or a verifier derived from it, ideally a salted hash produced by a deliberately slow function so that a leaked database is expensive to crack. The resource will assure the user that it stores their data securely. However, password databases are breached, stolen, and sold every day, many of them still holding plaintext or weakly hashed passwords, and user login credentials are auctioned on the dark web, so cybercriminals can simply purchase them without much effort. Because people reuse passwords across services, one breached database also opens accounts elsewhere.
Then there is phishing: an attack based on social engineering that convinces victims to disclose sensitive information. It may take the form of an email that appears to come from your bank, your online service provider, or your boss and asks you to perform an action that seems perfectly reasonable, such as signing in on a page that mirrors the real login form and quietly forwards whatever you type to the attacker. People tend to think they are not easily manipulated, but in fact we are not hard to deceive. Well-engineered phishing attacks can trick even people who work in the IT industry.
Security professionals broadly agree on one thing: the industry needs to educate users on handling passwords and on the ways they themselves can improve their security. Passwords can be compromised easily; therefore, multi-factor authentication (MFA), of which two-factor authentication (2FA) is the most common form, is an absolute must if you want your online resources to be better protected.
MFA eliminates the vast majority of sign-ins with compromised passwords, because the password alone is no longer enough to pass authentication, which neutralizes spray attacks and the use of purchased credentials. Even SMS one-time codes, one of the oldest and most basic forms of MFA, are sufficient against this type of attack, although SMS codes can be intercepted through SIM swapping and can be phished along with the password.
Whenever high-value accounts are at stake, however, it is worth considering a more advanced MFA method, such as an authenticator app that generates one-time codes or delivers push notifications to the user's phone.
Nonetheless, these methods come with a risk of their own: a false sense of total security. Users quickly get used to tapping "Approve" on push notifications and stop checking whether they actually initiated the request. An attacker who already holds the password can then trigger prompts repeatedly until the user accepts one out of habit or irritation (so-called push bombing or MFA fatigue) and thereby pass MFA.
One mitigation is to keep the number of prompts to a minimum, so that each notification is seen as relevant rather than dismissed as an unnecessary hurdle. Another is to make the prompt impossible to approve by reflex, for example by showing a number on the login screen that the user must type into the app, so that a prompt the user did not initiate cannot be matched. It is important to prevent users from forming the dangerous habit of instinctively hitting the accept button whenever a push notification arrives, since that behavior is exactly what a successful attack relies on.
With that in mind, let us now introduce FIDO2 authentication, often referred to simply as WebAuthn. FIDO2 is a set of open authentication standards developed jointly by the FIDO Alliance and the World Wide Web Consortium (W3C), comprising two major components: WebAuthn, the W3C Web Authentication API through which a web application asks the browser to create and use credentials, and the Client to Authenticator Protocol (CTAP), the FIDO Alliance specification through which the browser or operating system talks to an external authenticator such as a security key. The FIDO2 standard allows users to use their everyday devices, such as laptops or smartphones, as local (platform) authenticators rather than relying on traditional usernames and passwords.
FIDO2 is supported by all major platforms and browsers. WebAuthn uses public-key cryptography: at registration the authenticator generates a key pair for that specific site and hands the relying party only the public key, so there is no shared secret to steal from a server database, and each login is a signature over a fresh challenge issued by the server, so a captured response cannot be replayed. The credential is also bound to the site's origin. The browser includes the origin it actually loaded in the signed data, and the authenticator only releases a credential for the relying party ID it was registered with, so a lookalike phishing domain cannot obtain a usable response; this is what makes FIDO2 phishing-resistant rather than merely a second factor. Users can choose between internal (platform) authenticators and external (roaming) ones such as USB or NFC security keys, and log in across devices and services while maintaining a high security level.
Secfense User Access Security Broker makes it possible to use any multi-factor authentication method on any application. However, we always advise using the best method available on the market, and at this moment we consider FIDO2 to be that method: the safest and most convenient way to take advantage of MFA protection. It also supports microauthorizations, a feature of the Secfense broker that lets you add additional authentication requests anywhere inside the application.
Watch the video below to learn how FIDO2 works and how it can be deployed and scaled on web applications with Secfense User Access Security Broker.