
FIDO2 and Public Key Infrastructure (PKI) Explained

FIDO2 is a series of specifications designed to create an authentication protocol for the web and online services. FIDO2 makes use of public-key cryptography and other technologies to provide strong authentication when logging into online services from a desktop or mobile device. Let’s dig into common questions around FIDO2: what it is, how it works, and its relationship with PKI.

Where Does FIDO2 Come From?

Launched in 2014, FIDO2 is an acronym for Fast Identity Online version 2. Updated in 2018, FIDO2 improves on the original FIDO guidelines known as U2F (universal two-factor). FIDO2 is receiving rapid industry adoption and has been deployed by several leading tech companies for employee two-factor authentication (2FA). This simple approach using FIDO2 security keys has proven to be an effective defense against phishing attacks and password theft.

What is FIDO2?

FIDO2 is a standards protocol put in place by the FIDO Alliance in partnership with the World Wide Web Consortium (W3C). This industry standard allows people and IoT devices to identify and authenticate themselves to online services, especially from a modern web browser like Chrome, Edge, Firefox, or Safari. FIDO2 provides a relatively easy way to prevent damage from phishing attacks and stolen or misused user passwords and is built on:

  • W3C Web Authentication (WebAuthn) specifications
  • FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP)

FIDO2 uses asymmetric (public-private) key pairs to establish identity when accessing a FIDO-enabled web service, including enterprise-wide Single Sign-On (SSO). The asymmetric key pair is generated on the FIDO2 device, typically a USB security key or smart badge, and the private key is securely bound to that device. The simplicity and low cost of FIDO2 are largely driving its popularity among enterprises as a way to deploy 2FA very quickly.

What is PKI?

By contrast, PKI has been around much longer and has a couple of primary use cases. Following the public disclosure in 1976 of both secure key exchange and asymmetric key algorithms by Diffie, Hellman, Rivest, Shamir, and Adleman, PKI has been and still is the backbone of secure communications between end-users and internet services. Since the mid-1990s, PKI has been widely deployed by government agencies to:

  • Authenticate identity and provide access management
  • Encrypt documents and data
  • Encrypt end-to-end communications over insecure networks

PKI relies on the services of a “trusted” Certificate Authority (CA) to create, distribute and manage the lifecycle of the cryptographic keys through digital certificates. Many large enterprises are using PKI for identity management and document control; however, the perceived cost and complexity of managing the CA infrastructure has dampened its appeal except for those enterprises under stringent, high-security requirements.

How Do FIDO2 and PKI Work Together?

Moving forward, FIDO2 and PKI will likely coexist as complementary technologies. For example, an employee could use a FIDO2 token as a second authentication factor to log on to the corporate network while browser-to-web-server transactions continue to be secured by PKI. The PKI market is also experiencing growth as a method to secure the identity of IoT devices. In 2018, in response to the U.S. Commission on Enhancing National Cybersecurity, FIDO’s Public Policy and Privacy Working Group (P3WG) released a white paper titled “Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies.” NIST SP 800-157 specifies process flows for using FIDO as a “lightweight” extension of its public key infrastructure while still maintaining full PKI for high-security assets.

The Advantages of FIDO2 Authentication

FIDO2 addresses the issues found with using traditional authentication methods. It provides simpler, stronger user authentication with the following benefits:

  • Elimination of risk related to phishing attacks and password theft
  • Ease in deployment with minimal changes to the IT environment
  • Easier management without a complex CA or crypto keys, unlike PKI
  • Convenience for customers and consumers with frictionless and intuitive authentication methods
  • Simple addition to online services and legacy applications through a standardized web API


John MacInnis, CISSP, is a Vertical Market Director for Identity and Access Management (IAM) Solutions. A software engineer by trade, he has a background in cybersecurity and has held product management and marketing positions at Philips Healthcare, Cisco, Intel and Phoenix Technologies.