Before introducing the concept of FIDO2, it’s worth giving a short and brief introduction explaining passwords and problems related to them.
The biggest problem with passwords is the very basic one. Users simply have to create them, and they are extremely predictable in doing so. This easiness leads immediately to a thing called spray attacks. A spray attack means that cybercriminals basically ‘spray a password’ across multiple accounts. They are not focusing on one particular account, but rather shoot freely hoping to get some victim by luck. Attackers usually go for the low-hanging fruit by using all sorts of predictable passwords. Unfortunately, many times they succeed and gain access to someone’s account.
The other alternative attack is the so-called ‘brute force attack’. These types of attacks are much easier to recognize and easier to prevent. They are based on continuously attacking one particular account so network admins will easily see that something suspicious is going on.
Another problem with passwords is related to ‘a shared secret’. Passwords are shared secrets that a user gives to a relying party. That relying party is the resource a user is trying to access. That resource (an application) will assure you that it will store your details in a safe manner. However, password databases get hacked, stolen, and sold every day. User login info is sold on the Dark Web so cybercriminals can simply purchase it without making any effort.
Then, there’s phishing. Basically, a social engineered attack that makes the person think that what he or she does is perfectly fine. You get an email from your bank, your online service provider, or from your boss at work and you are asked to perform an action that seems perfectly reasonable and logical. People tend to think they don’t get easily tricked and misled, but most people can be wrong. Well engineered phishing attacks can trick even people that work in IT related businesses.
All security professionals agree about one thing. We need to educate users about using passwords and about ways to increase cybersecurity on a personal level. Passwords can get breached easily and so-called multi-factor authentication (MFA) or two-factor authentication (2FA) is an absolute must if you want to make sure your online resources are better protected.
MFA can eliminate the vast majority of sign-ins with compromised passwords. The MFA is simply providing that additional layer of protection. So in case of ‘spray attacks’ with MFA they simply can’t happen. Even using the very basic and quite old MFA approach based on SMS is sufficient to protect from these types of attacks.
For high-value accounts it’s worth considering a more advanced approach to MFA based on authenticating apps or email push notifications.
These methods can trick you as well into the comfortable feeling of total security. The problem is that if people get used to accepting push notifications they simply don’t double-check then and they may also accept a bad actor tricking you into thinking that that push notification came from a valid source, while in reality, you are giving an attacker the green light to go through your MFA. One of the nice things could be using something like an unauthentic trap that uses push notifications, people can just receive the notification and approve. The one thing I will say is don’t over prompt for an MFA. It’s all too easy, especially if you are using an authenticator wrap. You get prompted and say, “Oh, I approve” and then you get prompted again. You go approve. And before you know it, you’re not thinking about what you are being asked to approve? You’re simply approving. And of course, when you’re sitting on a beach on your holiday and you get prompted and you just approve, somebody attacked you.
And that’s the moment when we get to FIDO2 authentication also called WebAuth or Web Authentication standard. FIDO2 is a global standard of authentication built by the World Wide Web consortium. WebAuthn is one of two major components that together with Client to Authenticator Protocol (CTAP) makes up the FIDO2 standard. The FIDO2 standard allows users to take advantage of their common devices like laptops or smartphones and use them as local authenticators, rather than relying on traditional methods such as usernames and passwords.
FIDO2 is supported by all major platforms and browsers WebAuth uses public-key cryptography to keep user accounts safe from phishing attacks. Users can choose between internal or external authenticators, and easily log in across devices and services while maintaining a high-security level.
Secfense User Access Security Broker makes it possible to use any Multi-Factor Authentication method on any application. But when we are asked for advice we always mention FIDO2 and suggest our customers to familiarize with this standard. FIDO2 is the safest and most convenient way to take advantage of MFA protection. FIDO2 is also the best way to take advantage of microauthorizations, the functionality of Secfense broker that lets you add additional authentication requirements anywhere inside of the application.
Below you can find a video where you see how FIDO2 works and how it can be deployed and scaled on web applications with the user of Secfense security broker.
You can schedule a call with us below.
„We are faced with new challenges every day. We must always be one step ahead of the attackers and know what they are going to do before they do it. We are convinced that User Access Security Broker will bring security to a new level, both for those working at the office and from home. For us, working with Secfense is an opportunity to exchange experience with developers who put great value on out-of-the-box thinking.”
Business Continuity and Computer Security Officer
BNP Paribas Bank Polska
“Two-factor authentication is known to be one of the best ways to protect against phishing; however, its implementation has always been difficult. Secfense helped us solve that problem. With their security broker, we were able to introduce various 2FA methods on our web applications at once.”
Head of IT