This post is about security keys and passwordless authentication. A popular implementation of this is YubiKey, which has just announced biometrics capabilities.
YubiKeys aren't just a hardware token. They're a radical shift in the fundamentals of how we do trust, authentication, and identity. You can even code-sign your Docker images with them! They support OTP (One-Time Password), PKI (Public Key Infrastructure, used for encryption and authentication), and
I'm going to focus on implementation with the standard/open API
WebAuthn work together to implement strict controls and checks that provide better guarantees about trust and identity. They also enable passwordless multi-factor authentication that, at least so far, completely mitigates phishing attacks. It seems to have eliminated an entire class of security threat.
How often do we see an entire threat vector eliminated? Once or twice in a lifetime?
Here's a little background with a high-level description of how it works.
FIDO ("Fast IDentity Online") Alliance is an open industry association focused on authentication and identity.
FIDO members include (from the Wikipedia page):
FIDO was founded by Agnitio, Infineon, Lenovo, Nok Nok Labs, PayPal and Validity Sensors. By the end of September 2016, FIDO members totaled more than 260, including a board made up of the Aetna, Alibaba Group, Amazon, American Express, ARM, Bank of America, BC Card, Broadcom, CrucialTec, Daon, Egis Technology, Feitian, Gemalto, Google, HYPR, Infineon, Intel, ING, Lenovo, MasterCard, Microsoft, Nok Nok Labs, NTT DoCoMo, NXP Semiconductors, Oberthur Technologies, PayPal, Qualcomm, RSA, Samsung Electronics, Synaptics, USAA, Visa, VMware, OneSpan and Yubico. A full list of members is available on the official website.
FIDO released the U2F (Universal 2nd Factor) protocol and submitted it to W3C (World Wide Web Consortium, an internet standards organization) as a proposed standard. The official, published standard is now called
Yubico, the company that makes the YubiKey, is a "Board Level Sponsor" of the FIDO Alliance and (I believe) the first authenticator solution to support
The WebAuthn standard starts with the user registering their authenticator (such as a YubiKey). Once that device is associated with an owner/identity, a registration with each application/service occurs seamlessly.
From a high-level perspective, the process looks like this:
No password, PIN, or anything else has been exchanged or can be phished/spoofed.
After the initial registration, we can authenticate. Conceptually, the process looks like this:
That last point is a very crucial distinction and the reason YubiKey/WebAuthn hard-counters phishing attacks. The YubiKey stores the server/relying party's domain and registration info directly. If an attacker tries to trick the user into entering credentials into a spoofed site, the authenticator fails the verification check, helping to eliminate the weakest link: untrained or careless users, or even experienced users duped by a sophisticated counterfeit.
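The relying party's side of that check, as an added example that is not code from the original post or from Yubico: the server confirms that an assertion was produced on its own origin, for its own RP ID, against the challenge it issued, and that the authenticator's counter moved forward. The browser and authenticator already refuse to use a credential on a different RP ID; these checks are the server's own confirmation. `RP_ID`, `EXPECTED_ORIGIN`, the lookalike domain and the builder functions are constructed for the example, and the final public-key signature check is assumed to be done by the caller.

```python
import base64, hashlib, json, secrets, struct

RP_ID = "example.com"                  # assumption: this relying party's registered RP ID
EXPECTED_ORIGIN = "https://example.com"

def b64url(data: bytes) -> str:
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()

def build_authenticator_data(rp_id: str, sign_count: int, flags: int = 0x05) -> bytes:
    """Constructed authenticator data: rpIdHash(32) | flags(1) | signCount(4, big-endian).
    flags 0x05 = user present (bit 0) + user verified (bit 2)."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)

def build_client_data(origin: str, challenge: bytes) -> bytes:
    """Constructed clientDataJSON, as the browser produces it for a 'get' ceremony."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge), "origin": origin}).encode()

def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: bytes, stored_sign_count: int) -> tuple:
    """Relying-party checks that bind an assertion to this site and this login attempt."""
    cd = json.loads(client_data_json)
    if cd.get("type") != "webauthn.get":
        return False, "wrong ceremony type"
    if cd.get("challenge") != b64url(expected_challenge):
        return False, "challenge mismatch"           # stale or replayed response
    if cd.get("origin") != EXPECTED_ORIGIN:
        return False, "origin mismatch"              # response was produced on another site
    if len(auth_data) < 37:
        return False, "authenticator data too short"
    if auth_data[:32] != hashlib.sha256(RP_ID.encode()).digest():
        return False, "rpIdHash mismatch"            # credential is scoped to a different RP ID
    if not auth_data[32] & 0x01:
        return False, "user presence not asserted"
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    if sign_count != 0 and sign_count <= stored_sign_count:
        return False, "signature counter did not increase"   # possible cloned authenticator
    # The signature over auth_data + sha256(client_data_json) is then checked with the
    # public key stored at registration (assumed to be done by the caller).
    return True, "ok"

def demo() -> dict:
    """Genuine assertion beside three that a relying party must reject."""
    ch = secrets.token_bytes(32)                     # one fresh challenge per login attempt
    genuine_cd = build_client_data(EXPECTED_ORIGIN, ch)
    return {
        "genuine": verify_assertion(genuine_cd, build_authenticator_data(RP_ID, 5), ch, 4),
        "spoofed_origin": verify_assertion(build_client_data("https://examp1e.com", ch),
                                           build_authenticator_data(RP_ID, 5), ch, 4),
        "other_rp_id": verify_assertion(genuine_cd, build_authenticator_data("examp1e.com", 5), ch, 4),
        "replayed_counter": verify_assertion(genuine_cd, build_authenticator_data(RP_ID, 4), ch, 4),
    }
```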
So, the service and the user can mutually be confident of each other's authenticity/integrity, and that the interactions are intentional via multi-factor authentication.
Hopefully, this has helped bring some awareness and understanding, and hopefully, excitement about how game-changing this is!