Passwordless authentication with FIDO2 – what you need to know to deploy FIDO for employee ID
Passwords are outdated, like the last movie rental store, they’re a relic of a time before better, more convenient solutions rendered them redundant. However, many organisations are still missing out on the convenience and improved security of passwordless solutions. In this blog we look at how IT leaders can adopt passwordless authentication across their workforce with FIDO.
Why use FIDO2 for passwordless authentication?
Other options are available, one-time passwords (OTP) sent via SMS, time or event-based OTP tokens for example, but all provide a clunky user experience that is arguably worse than passwords and in addition they’re not as secure as the alternatives.
FIDO2 is a standards-based method of user authentication that is passwordless, supporting PIN and biometrics . Unlike OTP based solutions FIDO2 uses cryptography to secure the authentication process and users can authenticate using a smartphone, hardware security key or even web browser.
By generating a private key on the device and associating it with an off-device public key, the ‘secret key’ upon which authentication is based, never leaves the protected device and is therefore highly resistant to the common attacks used against passwords such as dictionary attacks and password theft.
The cryptography is also used to prove the type of device being used, by utilising on-device public key cryptography with an x.509 certificate which is burned onto devices supporting FIDO standards at their point of manufacture. This additional layer of security enables organisations to decide which devices they trust.
FIDO2 is supported across a wide variety of devices, enabling users to authenticate using an iOS or Android device, smart card, or security key from vendors including AuthenTrend, Feitian, Identiv, Solokeys, Thales, and Yubico.
With FIDO you can:
- Improve security with crypto-secured passwordless authentication
- Remove the helpdesk costs associated with forgotten passwords by replacing them with a simple PIN or fingerprint
- Remove the user-experience annoyances of long passwords to create, remember and reset so that your workforce can get on with their role simply and seamlessly.
How can I deploy FIDO2 passwordless authentication across my enterprise?
To deploy FIDO for an employee identity solution you need a solution that’s going to work with your existing infrastructure.
- An Organisation needs policy control to ensure that the employee has been through sufficient identity checks to create a trusted identity.
The organisation needs policy control over:
- Who can issue FIDO credentials
- Who can receive FIDO credentials
- The type of FIDO device used (external USB / Mobile)
- The organisation needs to consider the type of user verification required (PIN / Fingerprint / FaceID)
- The end user needs a simple experience during registration of a FIDO credential
- The organization needs to trust the genuineness of the FIDO device being used for the FIDO credential
- Vision of who has been assigned which FIDO Credentials
- Ability to simply revoke access to all systems accessed by the FIDO Credential
- Ability to manage lifecycle events – lost devices / replacement devices / back up devices
- The end user needs a simple experience to authenticate to systems, usernameless aids this process.
- The FIDO Authentication Server should be easily connected into the organizations existing systems.
- Policy control to ensure only the correct people have access to the systems they need.
To find out more about FIDO 2 and passwordless authentication, please visit our FIDO product pages or contact us now to arrange a free software demo using the form below.
Trusted by Governments and Large Enterprises Worldwide
Where protecting systems and information really matters, you will find MyID. Whether its citizen data, aerospace and defence systems, high-value financial transactions, intellectual property or air traffic control, we are proud that many leading organisations around the world choose MyID to protect themselves against data breach and ensure business continuity.