FIDO2, WebAuthn, Passkeys in 2022 and 2023

Recently, the topic of FIDO2 has gained attention in IT media and in the general perception. The bottom line, however, is that we are unfortunately still not at a point where we can work without passwords on a large scale - just as we imagine the future of authentication. There is no doubt that FIDO2 is on the right track, but there is still a lot to do for all parties involved. With this article we try to summarize the current adoption and support of FIDO2 and also give some background information about the different standards and terms.

FIDO2 - History und Variants

The FIDO Alliance initially published the following specifications:

  • FIDO U2F - FIDO Universal Second Factor
  • FIDO UAF - FIDO Universal Authentication Framework
  • Later CTAP followed - Client to Authenticator Protocols

Together with the W3C, standardization began, which then officially became a W3C Web Standard in its final version in 2019 as Web Authentication (WebAuthn). CTAP and WebAuthn together form the FIDO2 standard. Furthermore, to finalize the standard, FIDO U2F was renamed CTAP1 - greetings to the confusing USB naming. The newer specifications mostly use the term CTAP1 or FIDO U2F.

Various components and implementation details are described in the respective specifications. For example, CTAP describes the communication between a computer and a so-called external authenticator, token, or security key, by which is meant a device such as the Nitrokey 3. WebAuthn describes the implementation in the browser and interacts with CTAP, meaning the corresponding security key. More precisely, CTAP2 is used here for WebAuthn, as opposed to CTAP1 or FIDO U2F.

FIDO2 vs. FIDO U2F

FIDO U2F means "Universal Second Factor", which describes the core function and at the same time the limitation of the standard. FIDO U2F is always a second factor (2FA), i.e. in practice, in addition to a FIDO U2F token, you always need another factor, which is mostly the classic password. Basically, every FIDO2 device can also be used as a FIDO U2F device - at least every device we have ever held in our hands.

FIDO2, on the other hand, comes with the central innovation that a FIDO2 security key can now not only be used as a second factor, but can also make the password superfluous. The technical difference between the approaches is that FIDO U2F does not store any data on the security key, but the second factor is derived cryptographically, repeatably from a device key, for example - which can then be used for a 2FA login. Whereas FIDO2 makes it possible to create an identity on the security key; this is called a Resident Key (RK) or Discoverable Credential. This is a cryptographic key which, unlike FIDO U2F, is stored on the security key and can be used for passwordless login.

In practice, it is typically not clearly visible to the user which of the two methods is used. However, some details can usually be derived from the registration process:

  • For a second factor, i.e. a FIDO U2F-based login, no "user verification" or device PIN is required. This means that to register the token with a service, it is only necessary to confirm the so-called "user presence", which is usually done by pressing a button on the token (capacitive sensor for Nitrokeys). Finally, only the "user presence" has to be verified to log in.
  • FIDO2, on the other hand, requires some form of "user verification"; in the case of the Nitrokeys, this is always a PIN. The latter is also used for a login. (Notably, registration will fail if no PIN has been previously set up for the token).

As indicated, however, these are only indicators and it is possible to implement a FIDO U2F login with "user verification" (e.g. Facebook), so the PIN entry itself is not yet a clear indication of the method used.

Both variants can be tested and reproduced excellently on the webauthn.io website. Under "Advanced Settings", you can select whether you want "Require User Verification" or not for registration and authentication. As described before: If both checkboxes are activated, FIDO2 is used and a "Resident Key" is stored on the token, where you are asked to enter your PIN. If, on the other hand, both checkboxes are deactivated, then FIDO U2F is used and, as a rule, no data is stored on the token. In this case, no PIN entry is necessary, only a confirmation of the "User Presence".

It should be noted that this description is simplified and technically not complete to the last detail and there are numerous sub-variants. Nevertheless, with the help of webauthn.io it is possible to test both methods quite well, if there were not the problem of compatibility of the end devices or browsers...

Passkeys

The fairly new term Passkeys refers to the implementation of security keys directly on the end devices (computer, smartphone, tablet) rather than on a separate physical security key. Typically, passkeys are stored in a password manager, which enables their backup and synchronization between multiple end devices. This reduces the barrier to entry for users, as they do not have to spend money on an additional security key. This certainly accommodates the goal of replacing passwords among millions or billions of average Internet users. However, passkeys offer less security than physical security keys. Fortunately, passkeys are compatible with WebAuthn, so websites only need to implement one standard, support for WebAuthn, and then they are usable for both passkeys and physical security keys.

Compatibility and Adoption

One would think that, in principle, the problem of passwords has been solved. So why do you still have hundreds of (hopefully different) passwords for countless websites and services that you have to manage somehow? It's simple: FIDO2/U2F stands and falls with the support of websites and services. In addition, the browser is also an important component that must bring corresponding support for FIDO2/U2F. Whereas the tokens themselves are pretty good and also available from different vendors.

Websites and Services

FIDO U2F support is relatively good here, while FIDO2 support is still expandable. So you can already use FIDO U2F with very many services, among them are: Nextcloud, GitHub, Odoo, Gitlab, Facebook, Google and many more. Passwordless logins using FIDO2 are comparatively rare, e.g. at Microsoft or Nextcloud. We list an overview of compatible services on dongleauth.com. As you can see there, there is still a lot of room to improve. The most prominent example is Amazon (i.e., the market, not AWS), which is using its market power to suppress the spread of secure logins through FIDO2 or 2FA. Banks also, unfortunately, hardly support FIDO2 for logins or payment processing, even though FIDO2 is specified for PSD2.

The inconsistent support is worth mentioning here. Microsoft only offers passwordless authentication using FIDO2. Nextcloud is the only service we know of that actually offers both: FIDO U2F as a second factor for logins and also passwordless logins via FIDO2. The latter, however, is quite unusual without PIN entry, i.e. as single-factor authentication (PIN query will be added in the future). As indicated before, Facebook does something even more unusual by offering only FIDO U2F along with PIN verification.

Ultimately, the security of each individual user is only as good as the service allows or offers. In order to move forward, users are asked to use FIDO wherever possible! Ask "your" websites to implement current security standards like FIDO2! So that we can get through the digital world without passwords tomorrow.

Browser und Smartphones

Browsers and smartphones are a big construction site regarding FIDO2. Similar to websites and services, FIDO U2F support is good. Here's a (rough) overview for now:

  • Chromium, Chrome and Edge generally have very good support across all operating systems.
  • Firefox has full support on Windows. For macOS and Linux, CTAP2/FIDO2 was completely missing until recently, which is supposed to follow with version 109 in mid-January 2023.
  • Safari comes with full support.
  • Opera can also score with full support according to its self-description.
  • iOS also comes with complete support.
  • Android Smartphones unfortunately come with the massive restriction that no PIN entry is forseen, so no resident keys can be used, only FIDO U2F. Thus, it is possible on Android to store a FIDO U2F token as a second factor on many websites and services. However, if the service expects the FIDO2 standard, i.e. PIN entry, Android fails completely,  via both NFC and USB. There are better third-party libraries that provide a full implementation of the standard, but most apps unfortunately use the (incomplete) functionality provided by Google Play Services.

Even for the informed user, this is an imposition. It will probably remain the secret of these market-dominating companies for the foreseeable future why they do not realize the best possible security standards for the end user.

Especially the lack of support for FIDO2 by Android and (still) Firefox on macOS and Linux are particularly inconvenient for users. In that regard, the acceptance of FIDO2 tokens as password replacements, in particular, is severely hampered by this lack of support. This is obviously detrimental to the adoption and long-term goals of FIDO2 to make the Internet more secure for users.

The Future

As can be easily seen, we will not be able to forget all of our passwords in the near future. For this reason, there will be future OTP support as well as a Password Safe for the Nitrokey 3 to continue to support common password logins and make them more secure for the user.

Once Android and Firefox get FIDO2 support, there will be no reason for websites to abandon FIDO2 and passwordless login. We assume that afterwards the support of FIDO2 by websites will increase more.

At the same time, the recently implemented support for passkeys in popular operating systems (Windows, macOS, iOS, Android) should spur the spread of WebAuthn.

FIDO2 has many more uses than logging in to online services. For example, it can be used to secure SSH logins and to secure logins or root privileges on a Linux system. This and more, how you can use FIDO2 tokens to make your everyday life more secure, will be the topic in one of the next articles.

Stay secure
Your Nitrokey Team

23.12.2022

Comments

Submitted by noname on 23. December 2022 - 14:30
Excelent overview! The info about the different names/terms should also be made available on docs dot nitrokey dot com
Submitted by meissner on 24. December 2022 - 15:24
thanks, we are checking how to include these lines into the docs, maybe we'll just link this article to reduce redundancy.
Submitted by Anonymous on 5. January 2023 - 11:43
Double that, thanks a lot for that great overview.
Submitted by BR on 10. January 2023 - 17:31
Thank you for this. Also directs me to the right people since I haven't been able to get my NK3 to work on my Angerdroid. Just want to note the strong negative correlation between software openness and Fido2 support. Android < iOS; Firefox < Edge, Safari & Chrome. Apache support... almost nonexistent. At least Linux has it mostly together... mostly.
Submitted by DD on 20. August 2023 - 16:48
Liebes Nitrokey-Team! Vielen Dank für diesen Artikel. Ich konnte den im letzten Absatz erwähnten Folgeartikel nicht finden - ist er noch nicht veröffentlicht? Mich würde interessieren wie man die passwortlose Authentifizierung an einem Linux-System mit einem FIDO2/3-Key einrichtet. Dafür würde eine pam_fido2 benötigt werden oder plant ihr eine pam_nitrokey?
Submitted by meissner on 22. August 2023 - 9:09
Hey DD, die Inhalte sind noch nicht in einen Blog-Artikel erschienen, aber Linux Logins über FIDO2 haben wir bei uns in der Dokumentation beschrieben. Kann ich sehr empfehlen, insbesondere auch für `sudo` authentifizierung.
Submitted by Jean-Paul on 30. November 2023 - 13:03
Wie sieht denn *heute* (Ende 2023) die Passkey Unterstützung für die beiden schwächelnden Kandidaten (Firefox, Android) aus? Hat sich etwas getan, um das volle Nitrokey 3 Potenzial nutzen zu können? Ansonsten vielen Dank für den informativen Blogpost!
Submitted by meissner on 30. November 2023 - 22:22
Hey, ja auf der Seite von Firefox sieht das alles besser aus. Volle FIDO2 Unterstützung (technisch CTAP2) wurde Anfang des Jahres hinzugefügt, soweit ich weiß ist diese auch standardmäßig aktiviert. (about:config -> security.webauthn.ctap2) Vereinzelt haben wir von Fällen gehört bei denen es nötig war das man diesen auch mal wieder ausschaltet damit bestimmte Dienste funktionieren. Ich würde dies aber als die üblichen Kompatibilitäts-/Kinderkrankheiten bezeichnen - hier sieht es also doch sehr positiv aus. Bei Android hingegen, kann man im Artikel verlinken Bugtracker ein wenig Aktivität sehen und am Ende steht auch ein Hinweis auf einen Changelogeintrag der Hoffnung macht - ob das nun aber wirklich das meint was nötig wäre für vollen FIDO2 support, kann ich leider nicht sagen, genausowenig ab wann das tatsächlich auf Endgeräten landet.

Add new comment

Fill in the blank.