Root Causes 231: What Is FIDO?

Episode Transcript

Lightly edited for flow and brevity.

• 

  Tim Callan

  In a recent episode we talked about Apple’s newly announced passkey initiative which makes it possible for people, using their own devices, to log into their consumer facing websites and their supporting consumer facing website in a truly passwordless manner, using PKI as the background technology that makes that happen. We alluded to similar initiatives from Microsoft and probably others, we dropped the term WebAuthn, and so what we want to do is we wanted to back up today and talk about these initiatives, talk about FIDO and WebAuthn and what they mean and how they work.

• 

  Jason Soroko

  Right on, Tim.What I’d like to do right here is let’s just first talk about FIDO, the FIDO Alliance.

  Let’s also tease out what the FIDO2 project is, and I’d like to introduce that by talking about a number of the standards that have fallen out of that – and by falling out I mean have been produced and have been used based on the work that the FIDO Alliance has done. So FIDO is an open industry association. I believe it was created in 2013. So it’s nearly ten years old, Tim. It’s been around a while, and you may have heard of standards such as UAF or Universal Authentication Framework; a U2F, Universal Second Factor; CTAP, Client To Authentication Protocol; and then more recently we’ve heard about WebAuthn also known as the W3C, Web Authentication Protocol.

  What’s interesting is that the FIDO2 project was really about saying okay, we’ve got an evolution of these standards through time. These things all kind of build on top of one another, I am definitely not going to go through the whole history of how these things, how these LEGO blocks all kind of connected together, but all those different acronyms I just rhymed off kind of led to this ecosystem now of allowing for device centric authentication using at the heart of it, public key cryptography.

• 

  Tim Callan

  FIDO, it’s spelled F-I-D-O, by the way, in case you don’t know. It’s all caps. That’s an acronym. What’s that stand for, Jay.

• 

  Jason Soroko

  It’s kind of an acronym. It basically means Fast Identity Online. But, I don’t know too many people who refer to it like that anymore. Maybe some people do. Certainly, it’s, it’s – that is an acronym that sometimes I remember and sometimes I don’t remember. I just call it FIDO. Sometimes when you search that term, there’s a lot of other companies out there commercial companies, especially in Canada, that are called FIDO, and it’s easy to mix up. So really what we are talking about is the FIDO Alliance, and that’s how to easily find that.

• 

  Tim Callan

  fidoalliance.org is the website there, but, go on.

• 

  Jason Soroko

  That’s right. So this device centric authentication – so, Tim, you and I, coming out of the PKI world, we deal with a lot of authentication technologies, and what’s different about FIDO is they were really thinking hard about how you do, from a non-centralized standpoint, utilize public key cryptography and build all these standards that are necessary to be able to have a device centric authentication world. In other words, we know we got to rid of passwords, and we know it takes a major ecosystem of standards and also, people buying into those standards in order to be able to remove passwords.

  With these announcements recently, Tim, I think we really are getting there. I think in the enterprise world, a lot of the centralized PKI technologies and other authenticators that are out there are – they’re good, and those are really good, and they absolutely have their purposes in controlled environments, but now we’re talking about authenticating for the general public. Authenticating where you don’t necessarily have control or know who your client is going to be in five minutes.

• 

  Tim Callan

  You have kind of a two-critical masses problem. Which is, if I have the consumer device, I’ve got to rely on the fact there’s enough support on the other side that it’s worth my while to build this capability in, and if I’m running a consumer facing service, I have to rely on the fact that there’s enough device support, that it’s worth my while to build this capability in.

• 

  Jason Soroko

  That’s exactly it, and now, the FIDO2 project, as I’ve said a few times now, it’s an evolution. It’s the Alliance has been around ten years, and only now, have the really big players fully bought in and are going to make it – basically, various FIDO protocols all work together within their operating systems and their devices so that you don’t even have to think very much as a consumer, you’re able to utilize these technologies, probably without even knowing it. Isn’t it the funny thing about PKI, Tim? It just, it just kind of works, and it works really well, I think that people when they start seeing the non-password world of the future, they’re going, they’re going to start buying in, ‘cause the user experience is great, even if they don’t realize how much better the security is. I think the user experience is just going to be that much better, too.

• 

  Tim Callan

  I mean, the user experience is great. With the big players coming now, like, all you need is Apple. Apple deciding to do this will put plenty of consumer facing services over the top, where they’ll say, that’s a significant enough percentage of my site visitors that I need to support this. Then if Microsoft is doing the same thing, between the two of them, the coverage you have is vast. If Android comes along, it’s even vaster.

• 

  Jason Soroko

  What I’d like to do, I would like to cover two side topics to this to really drive home what FIDO and all their protocols are doing and then I want to bring it right home about talking about how public key cryptography is really used within this. So, I rhymed off earlier a bunch of acronyms that basically constitute the building block protocols that are used by the FIDO Alliance, and what I’d like to now do is talk about how WebAuthn and CTAP, the Client To Authentication Protocol, work together to basically constitute an authentication protocol.

  What you first have to have is a user-controlled cryptographic authenticator. We are talking about Smartphone, hardware token, TPM, something containing a TPM, an embedded secure enclave, USB tokens, smart cards, NFC, Smartphones. A modern laptop which probably has a TPM if it’s running Windows, etc., etc. There’s a lot of places to put your secrets, and this is the point. This is the point. And by the way, there is a certification program. If you want to be labeled as FIDO compliant, there is a certification program out there. If you wanted to become a, say, a USB hardware token authenticator vendor, you could go off and build your design and get that certified by FIDO, and then you could say you’re a FIDO complaint authenticator. So that’s interesting. So that is the authenticator. That’s – I like to call it the thing that’s holding the keys, and isn’t it neat, Tim, that the form factors - FIDO choose to have a very vast array of form factors. That’s the one thing about FIDO that I give them a lot of credit for is they were essentially authenticator form factor agnostic, for a lack of a better term. I like that. I really like that because at that heart of it, really is about the cryptographic key pair and what’s that doing for you as a strong authenticator. Who cares where you put it, as long as it complies to, is this thing safe. Is it holding it? Is it holding the keys in a safe manner? And there’s a certain bar that you can’t go below if you want to call yourself FIDO compliant, which is a good thing.

  There’s the authenticator, the thing holding the keys. And then there is the WebAuthn relying party. That’s also known as the FIDO2 Server, and so, that server which is sitting out and basically being used by – that is the thing that is being used by the web app developer. The web app developer now will utilize, the actual user agent, which would be a browser alongside a WebAuthn client. Now a WebAuthn client really is just a blob of JavaScript code that is implementing the WebAuthn API. The reason why I’m making this distinction between the browser and the client, which is essentially the code, is that you can actually have on your machine more than one WebAuthn client, Tim. In other words, it’s very important to note, using our typical parlance, you can have more than one identity. In other words, you can register your device to many different websites, not just one. Therefore, there is a separation of the browser, which might be going to all of these websites and the actual client which is registered against specific websites.

• 

  Tim Callan

  So just so I understand, are we saying that I can have more than one user on the same home computer and they’re actually going to be able to say who they are when they go into their social media site?

• 

  Jason Soroko

  That’s the much more simplistic English way of saying it. You got it, Tim.

  There’s something interesting to note here, and this has to do with the history, and that’s why I brought up the history a little bit. Because of the evolution, there’s a lot of backwards compatibility because of some of the older protocols that were used, and so, there are at least a couple of combinations of authenticator protocols. In other words, the original CTAP, used along side UTF for applications that are UTF compliant which is the older protocol, as well as CTAP2, which is a new version of that. WebAuthn can utilize either one of those, but the user experience will be a little bit different. So, that’s something to note, is when you’re using a FIDO authenticator, it really kind of depends a lot on when the web developer built the application, what standards that they chose to be compliant with and your user experience will be, probably not a ton different, but a little different depending on what the developer has chosen.

• 

  Tim Callan

  Like I might need to add some extra information when I’m joining a site. I don’t want to say logging in, but if I’m using the older version, then if I’m using the newer version, something along those lines?

• 

  Jason Soroko

  Some of it also has to do, Tim, with how you basically access the keys. In other words, some of these things might absolutely require and will only be able use a USB token, some of them can use a range. Either USB token or a smart card or a biometric or essentially something that is opening up the key usage. Because in other words, those keys are stored in a safe place, and in order to actually utilize those keys, you actually have to attest that, yes, not only am I holding the device that holds the keys, the authenticator itself, but I as the person who is actually the authorized used of those keys, I am being challenged to prove that I am who I say I am, and therefore, you might be challenged to type in a PIN or put thumbprint or a thumbprint and a PIN. There’s many different ways to configure this, and that really is kind of up to what is the risk appetite, what is the challenge authenticator to open up the keys that is wanted to be used by the developer?

• 

  Tim Callan

  And that’s controlled on the site side, on the server side.

• 

  Jason Soroko

  Exact. They may give you a choice. They may actually say, choose your, pick your poison. Do you want to use biometric today, do you want to just enter a PIN; they can also make it flexible like that so that yes, ultimately, the developer makes the choice of how you are authenticating, but on the other hand, they can also give you flexibility, which is nice.

• 

  Tim Callan

  Speaking of flexibility. I’m just thinking this through. Most of us are accessing the same online properties from multiple different devices. Sometimes I go from my phone, sometimes I go from my computer, etc. If I’m using this passkey initiative from Apple and I’m on IOS, then I’ve got a key pair that’s associated with my phone. If I’m also logging in through my Windows machine, clearly I don’t have that same key pair sitting on my Windows machine. So, FIDO can deal with this scenario as well?

• 

  Jason Soroko

  Well, this is about and you’d think I paid you to give me that transition. So basically, this about, Tim, let’s get to the heart of the matter. Let’s get right to the meat of how this really works. Remember, if you and I wanted to do business together, Tim, and we want to use an asymmetric secret, you and I have to somehow figure out how to exchange our public keys. That is important. So, one of these days we’re going to do a podcast on PGP keys.

  A big part of that is going to be about how do you exchange your public keys. Because that’s what you have to do. In a managed PKI, it’s done for you. Typically, a good PKI will basically have the public keys registered in a directory. All I gotta do is look you up and if I’m already able to authenticate into the system, I can say, I want to send an e-mail to Tim. I want to encrypt data to Tim. I want to - something with Tim that’s encrypted. I can look your public key because it is available as part of the directory. Terrific. Well how does it work when there is no centralization? Well, it’s kind of like an opt-in, Tim. In other words, you have to say, I want to register this device. In other words, my Mac device to a particular web app, and then you might turn around and say what, I’ve also got this Windows laptop that I also want to register as a device into so I can authenticate into this web application as well.

• 

  Tim Callan

  Then I would just go log in using my traditional login credentials on the new device and then when I was there, if it was a WebAuthn compliant online property, I would have the opportunity to somehow click a button that says register this device. At which point it would do a key exchange, and then it would know that I’m that person. Is that right?

• 

  Jason Soroko

  Exactly. And so now, your public key is registered at basically, at the FIDO2 server. In other words, the place in which the web developer is going to check when you say, I want to log in. They will then – part of the API, it says, alright, that’s great. Now I’m going to challenge you for the authentication using basically the part of the standards that I was talking about, but I’m going to go look up your public key, and then, of course, the final part of that challenge is to actually authenticate the user. When the device gets the challenge it signs the challenge document from the FIDO2 server using the private key that it holds, and it never has to expose that private key. The only thing that is exposed is, you’ve already given away your public key, which is good, and then you are now handing back a signed document, signed with the private key, and all of a sudden, that server can say, alright, there’s – now that I own the public key of that user and in fact this checks out. The only way that this document could be unencrypted and authenticated is if this public key is able to be assigned to it to un-encrypt.

  And that, of course, is the secret behind using asymmetric key pairs.

• 

  Tim Callan

  Nobody has, all the benefits come. Nobody is sitting in the middle looking at what you’re doing. Nobody’s logging in pretending to be you. All of those things come along because at that point you’re doing key base encryption. I started all of this with a log in. That still implies a good ole fashion user name password. That still implies if somebody got my username and password, they could take a brand new system that had never been to that site, go to that site and say, I want to register this device.

• 

  Jason Soroko

  Absolutely. Therefore, all of the other security mechanisms that are around protecting the usage of your device are still very, very important. For example, if somebody – let’s say you left your iPhone unlocked, somewhere? If somebody were able to get that unlocked iPhone, they probably will be issued a secondary challenge, in order to able to prove who they are with an existing website, so they would have to know the secondary PIN code, they’d have to be able to pass the biometric challenge, whatever it happens to be. Even an unlocked phone, there is that level of security, but that scenario of registering a new device, your device, you’d have to ask the question, why would a bad guy want to do that. Is that typically you’d want to log into an existing website.

• 

  Tim Callan

  Well, but to get in. If I’m understanding correctly, say I go to my favorite site. I’ve never done this before. It’s my first time. I’m going to go use a WebAuthn for the first time. So I log in to Facebook. Let’s say they’re supporting it, and I say, yes, I want to – here’s my user name and password, and I want to register this device. For now on when I’m using that device, I am not going to enter a username and password. It’s going to be PKI-based. But, I can always go from another device. I throw my laptop away, and buy a new laptop. I’ve got to go create a new device, which means there’s a mechanism where I can go in and use my traditional user name and password, at least for the first time entering that site. Which means if my username and password gets stolen by a bad guy, the bad guy can just pretend they’re me, and they got a new laptop.

• 

  Jason Soroko

  So, Tim, what you’re talking about is an entirely different challenge, which is how do you probably provision and how do you properly re-register when a device has been lost. There is an art and a science to that and that is, that is a whole other set of podcasts that we can talk through. We absolutely probably should. So in other words, I think that the FIDO Alliance – basically what they’ve given you is the building blocks to do really mass consumption of a really legitimate passwordless technology meant for – I don’t want to call it decentralize, but it’s essentially a non-centralized type of opt-in authentication. Which is very useful to a lot of different websites and a lot of different web applications. Of course, you will have that initial challenge of how do you provision a user, what do you decide on doing to make sure that the person is who they actually claim that they are and also, if the person loses their device, you have to deal with that use case, and so, therefore those are choices that have to be made by the organization that’s running the web application to say, how are we going to provision and how are we going to re-register someone. Those are important points.

• 

  Tim Callan

  It’s still better. Don’t get me wrong. Because what are we doing today? I’m doing it every single time. And now, if it’s something that I have to do once and then after that one time from here on out, I’m passwordless, your exposure, your risk surface, if you will, is greatly reduced. Vastly reduced. And so, in that regard, it’s certainly an improvement. I don’t mean to imply that it’s not. I’m just trying to think through what about that particular need.

• 

  Jason Soroko

  So, Tim, what you are getting on to, and I think this is a topic for a very important podcast, is what is the relevance of centralized enterprise-level authentication versus some of these technologies such as FIDO. In other words, they don’t have to be mutually exclusive. That’s what’s interesting. But what needs to happen is how do you know that somebody is who they claim they are? And you and I have already talked about the whole topic of enterprise-level authentication and when you have employees that are provisioned, you have a much better sense of who somebody is. Therefore, you have a better way of controlling it, you have a better sense – in other words, you have a finite population that you can control very carefully. What happens when you don’t have a finite population that is defined? And this is what FIDO is allowing. Therefore, there’s a lot of questions around what you’re talking about. I would say the more interesting aspect to me is, alright, we will get into how do you do you provision properly. What are the different mechanisms? How do you handle that with an IDP? How do you handle that with other federated identity services. In other words, do you federate in because of the pre-provisioned nature of people within other systems where people have provisioned themselves? How does that play into the consumer side and even into the enterprise side? There might be a lot of confusion around, FIDO2 and WebAuthn, how does play in an enterprise world? Well it can partially play.

  Or not play at all or, you know, what is it giving you. What is it giving you and what is it not giving you?

  What you just touched on is what it is not giving you at all. So, anyway, very, very interesting topic. I’m impressed with how FIDO has put together these building blocks. I think the evolution has been good. I think the implementations have been good enough that big players like Microsoft and Apple and others, have now implemented this and it’s gonna - this is going to be finally the way that mass consumption of true passwordless probably will come about. I’m hoping and crossing my fingers. There’s still a place for really tough world gardens and other forms of authentication. Tim, I think that that’s – teasing all that out could be a set of conversations you and I have.

• 

  Tim Callan

  Cool. So, it sounds like this is something we definitely will return to. I think this was a great overview, Jay. Thank you very much. What is FIDO, what is WebAuthn, and an alphabet soup of other standards and, ah, always a pleasure, Jay.