Andrew Shikiar, Senior Director of Marketing, FIDO Alliance
It was a productive week at the RSA Conference 2018 where a dominating theme centered on FIDO2 Authentication, a major standards milestone in the global move toward simpler, stronger authentication on the web. An abundance of FIDO members were in attendance exhibiting their security solutions, including those with FIDO® Certified solutions for current and planned offerings inclusive of FIDO2 Authentication.
FIDO2 Authentication has garnered support from Google Chrome, Microsoft Edge and Mozilla Firefox as we move away from the era of password dependence and toward ubiquitous, phishing-resistant strong authentication that protects web users worldwide. The FIDO2 Project includes two game-changing standards that will alter the way users access and safeguard themselves on the web: WebAuthn and Client to Authenticator Protocol (CTAP). Concurrent with the forthcoming introduction of FIDO2 certification testing is the introduction of a FIDO Universal Server certification. More details follow below:
WebAuthn is a collaborative effort with the World Wide Web Consortium (W3C) based on Web API specifications
The FIDO Alliance and W3C stakeholders worked together to craft WebAuthn. It works by defining a standard API that can be incorporated into both web browsers and web platform infrastructure to afford users new methods of secure authentication on the web directly from their browser as well as across sites and devices. Web security is a constant source of risk for users, and WebAuthn is a hefty step toward a more secure user experience without reliance on passwords that are easily compromised. Passwords are to blame for some 80 percent of breaches, and in response, major browser platforms are moving to erase this dependency.
Client to Authenticator Protocol (CTAP) strengthens external authentication
External authenticators, such as security keys or mobile phones, can now communicate stronger authentication credentials locally over USB, Bluetooth or NFC directly to the user’s internet access device, such as a PC or mobile phone.
The FIDO Universal Server will ensure consistent user experience across authenticator types
FIDO is pleased to introduce a new Universal Server certification for servers that can interoperate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, CTAP). This is anticipated to be a best practice for service providers who want to ensure that all of their consumers can leverage FIDO Authentication.
The buzz around the FIDO2 release was felt throughout RSA as we spoke with FIDO Alliance members and other conference attendees. The week was capped off by a standing-room-only session on Friday led by Google (Sam Srinivas, product management director, Google Cloud – and FIDO President) and Microsoft (Dave Bossio, group program manager, Microsoft – and FIDO Vice President) called “Replacing Passwords with FIDO2 Authentication,” which was moderated by FIDO Alliance executive director Brett McDowell.
The presenters covered how FIDO’s modern authentication ecosystem is leading the charge in browser and online platforms and the movement away from password-based authentication. Google and Microsoft security team leaders debuted the newly available authentication options built around FIDO2 and W3C standards in their browsers and other core products.
At the heart of the session was a series of demos that showcased biometric and second-factor authentication scenarios across browsers (Chrome, Edge and Firefox) and operating environments (Windows 10 and Android). FIDO members Nok Nok Labs and Yubico provided the Universal Server and FIDO2 Security Keys, respectively, that underpinned the demos.
If you weren’t one of the 300+ in attendance but want to get all of the details, please be sure to register for our FIDO2 webinar on May 16, 1pm ET, which will recap the session – including the FIDO2 demonstrations.