FIDO2

from Wikipedia, the free encyclopedia

FIDO2 is a standard of the FIDO Alliance and the W3C that implements strong authentication on the Web.

A server initially sends a request. The FIDO2 key then generates a public and a secret key from a secret initial key (the secret) and the server address. The public key is transmitted to the server, which stores it and can thus uniquely identify the FIDO2 key in the future. In this way the FIDO2 key can identify itself to each server with an individual key, without the server (operator) being able to draw any conclusions about other logins with the same FIDO2 key. To protect against misuse of the FIDO2 key, it can also be secured biometrically or with a password (called a PIN here).

At its core, FIDO2 consists of the W3C Web Authentication Standard (WebAuthn) and the Client to Authenticator Protocol (CTAP) from the FIDO Alliance. FIDO2 is based on earlier work by the FIDO Alliance, namely the Universal 2nd Factor (U2F) authentication standard. With the release of FIDO2, U2F was renamed to CTAP1.

Taken together, WebAuthn and the corresponding Client-to-Authenticator Protocol (CTAP) of the FIDO Alliance specify a standard authentication protocol in which the endpoints consist of two elements:

  1. User-controlled, embedded (bound) cryptographic authenticators, such as biometrics or PIN, or external (roaming) authenticators, such as FIDO security keys, mobile devices, wearables, etc.
  2. A trusted WebAuthn relying party, which is also called a FIDO2 server.

A web user agent such as a browser, together with a WebAuthn client, forms an intermediary between the authenticator and the trusted relying party. A single WebAuthn client device can support multiple WebAuthn clients. For example, a laptop can support multiple clients: one for each compatible user agent running on the laptop. To do this, the user agent must implement the WebAuthn JavaScript API.

As the name suggests, the Client-to-Authenticator Protocol (CTAP) allows a compatible cryptographic authenticator to interact with the WebAuthn client. The CTAP specification refers to two versions of the protocol: CTAP/U2F and CTAP2. An authenticator that implements one of these protocols is called a U2F authenticator or a FIDO2 authenticator, respectively.

There are also backward-compatible authenticators that implement both protocols:

  1. CTAP1 enables the use of existing FIDO-U2F devices (e.g. FIDO security key) for authentication on FIDO2-capable browsers and operating systems via USB, NFC or BLE for two-factor authentication.
  2. CTAP2 enables the use of external authenticators (FIDO security keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems via USB, NFC or BLE for passwordless two- or multi-factor authentication.

Android received FIDO2 certification in February 2019.
