By David Turner, Director of Standards Development, FIDO Alliance
Today we are announcing enhancements to two of the core FIDO protocols, the Client To Authenticator Protocol (CTAP) v2.1 and WebAuthn Level 2 – which collectively comprise FIDO2. Both are significant advances in extending FIDO’s capabilities specifically for enterprise users and supporting more complex application use cases. These enhancements come at an appropriate time, given the increased demand and rate of adoption for FIDO methods as the pandemic and remote work continues throughout the world.
The FIDO2 WebAuthn protocol is a set of application programming interfaces (APIs) that describe how to enable authentication inside browser sessions. Level 2 is the latest version of the standard, which is maintained by the W3C and was released in April. This standard makes it easier to write web applications that use FIDO Authentication, which is now supported across the five major endpoint operating systems (Windows, macOS, Linux, Android, ChromeOS, and iOS).
There are six major improvements that we are announcing today:
Enterprise attestation
Today’s announcements increase support for enterprise management of devices and users. The CTAP and WebAuthn protocols have added features that make it easier for enterprises to add specific user identity data during the registration process, so corporate administrators can more easily track key distribution and usage. Because these features can reveal some private user information – information that they would have divulged anyway to their employer – this feature is not available directly to consumers’ authenticators. Instead, authenticators must be pre-programmed (before credential registration) with these enterprise attestations by the enterprises themselves.
Cross-origin iFrame support
This feature allows web-based ecommerce transactions to be completed within pop-up windows on a browser, something that was forbidden in earlier FIDO versions as a way to protect against potential man-in-the-middle and man-in-the-browser attack scenarios. The new standards provide a safe, secure and encrypted way to accomplish these transactions without revealing data pulled from multiple domains, such as the originating vendor, the user’s bank account, a credit card issuer, and so forth. It also helps when users are connecting under bandwidth-limited conditions (such as over Bluetooth or a poor Wi-Fi signal), keeping the authentication workflow moving without a lot of back-and-forth network traffic and latency delays.
Support for Apple Attestations
FIDO Alliance has been pleased to have Apple as a contributing member for the past 18 months. This feature adds support for Apple’s method of doing attestation on their devices using the WebAuthn protocols.
Better biometric management
The CTAP v2.1 additions include better biometric enrollment and management features, so that users can register multiple fingerprints and other bio-markers. Additionally, enterprises can set minimum PIN lengths. As more mobile devices include facial and fingerprint recognition, this keeps FIDO current with the latest authentication technologies.
Large blob support
An alternative to running a centralized authentication service, this feature provides a way to store data such as certificates that may be needed in other authentication scenarios, such as encrypted SSH connections.
Resident credential improvements
Now called discoverable credentials, this enables passwordless workflows to re-authenticate a user. The authentication dialog automatically finds and applies an existing credential and asks for user confirmation, thus making FIDO easier to use.
Always Require User Verification
This feature allows a user to protect the credentials on their authenticator with some form of user verification, independent of the Relying Party. Platform authenticators and other authenticators with the feature enabled will always perform user verification. Some certification programs, such as US FIPS 140-3, prohibit the authenticator from performing signing operations without authentication.