Password-Free Security via FIDO2
Key Points
- The speaker laments the hassle of remembering many passwords and proposes a password‑less solution that can boost both security and usability.
- This solution is the Fast Identity Online (FIDO) standard, which replaces passwords with “passkeys” and has been supported by the FIDO Alliance and over 250 member organizations since 2013.
- The newer FIDO 2 specification adds hardware‑based authentication—such as biometrics or secure tokens like smartphones—and native support in web browsers, expanding its practical use cases.
- A brief cryptography primer explains that symmetric keys use the same secret for encryption and decryption, whereas asymmetric cryptography relies on mathematically linked public and private keys.
- Passkeys leverage asymmetric (public‑key) cryptography, allowing a device to authenticate securely without transmitting secret passwords, thereby eliminating the need for users to manage them.
Sections
- Ditch Passwords with FIDO - The speaker complains about password fatigue and explains how the FIDO and FIDO2 standards replace passwords with passkeys, leveraging hardware‑based authentication for both improved security and usability.
- FIDO Passwordless Challenge-Response - The speaker explains that FIDO authentication verifies a user by the server decrypting a response with the stored public key and matching it to its challenge, all without transmitting passwords because the private key remains securely on the device protected by multi‑factor authentication.
Full Transcript
# Password-Free Security via FIDO2 **Source:** [https://www.youtube.com/watch?v=lRFeuSH9t44](https://www.youtube.com/watch?v=lRFeuSH9t44) **Duration:** 00:09:56 ## Summary - The speaker laments the hassle of remembering many passwords and proposes a password‑less solution that can boost both security and usability. - This solution is the Fast Identity Online (FIDO) standard, which replaces passwords with “passkeys” and has been supported by the FIDO Alliance and over 250 member organizations since 2013. - The newer FIDO 2 specification adds hardware‑based authentication—such as biometrics or secure tokens like smartphones—and native support in web browsers, expanding its practical use cases. - A brief cryptography primer explains that symmetric keys use the same secret for encryption and decryption, whereas asymmetric cryptography relies on mathematically linked public and private keys. - Passkeys leverage asymmetric (public‑key) cryptography, allowing a device to authenticate securely without transmitting secret passwords, thereby eliminating the need for users to manage them. ## Sections - [00:00:00](https://www.youtube.com/watch?v=lRFeuSH9t44&t=0s) **Ditch Passwords with FIDO** - The speaker complains about password fatigue and explains how the FIDO and FIDO2 standards replace passwords with passkeys, leveraging hardware‑based authentication for both improved security and usability. - [00:05:59](https://www.youtube.com/watch?v=lRFeuSH9t44&t=359s) **FIDO Passwordless Challenge-Response** - The speaker explains that FIDO authentication verifies a user by the server decrypting a response with the stored public key and matching it to its challenge, all without transmitting passwords because the private key remains securely on the device protected by multi‑factor authentication. ## Full Transcript
You know what I hate? I mean, really hate? Passwords. There's too many of them. They're hard
to keep up with. I'm losing them all the time. I'm going to go out on a limb, probably not very far,
and suggest that you probably don't like them either. Well, what if I told you there was a
way that we could get rid of these things without compromising security? In fact, a way that allows
us to improve usability of the system while also improving security, which is something
that's hard to do, both of these at the same time. That would be interesting, right? What's the name
of the technology that lets us do this? Well, it's called Fast Identity Online or FiDO for short. No,
not that Fido. Although he really hates passwords, too. And what does FIDO do? Well,
it's a protocol that allows us to get rid of passwords by replacing them with something we
call passkeys. And it's not something brand new, even though you may not have heard of it before.
It's been around since 2013. The FIDO Alliance, this industry consortium that put together the
standard. And in fact, there are more than 250 organizations that are using the FIDO standard
and are part of this alliance. And now what's new, is there's a newer version of this called FIDO 2,
which incorporates two new elements that are particularly important. Hardware-based
authentication, so now I can use biometrics or hardware-based tokens. Think a phone. That is
something I have. And then using my face to unlock the phone, something that I am--that we can do,
that sort of thing. And we have support now for web browsers, which now extend the use cases and
the possibility of all the different places where we can use FIDO. Okay, so how does all this magic
work? Well, let's start with a quick review of cryptography. Some of these concepts are going
to be important in understanding how this could be possible. First of all, we have two main different
classes of cryptography algorithms. We have symmetric and we have asymmetric. With a symmetric
algorithm, I have a single key, a symmetric key. And that key is used to encrypt as well
as decrypt. So if I encrypt a message, I use this key. I want to decrypt it, I use the very same
key. So that means both sides have to have that key and know what it is. That's how that works,
symmetric, because it's the same key on both sides. However, when we go over here to asymmetric
cryptography, it's a different situation. We have to mathematically related keys that share this
unique property that whatever I encrypt with one can only in fact be decrypted with the other and
vice versa. If I encrypt with this, then I can decrypt only with that. So these are related,
but they are not equal. Now we're going to use that special quality in order to do the magic
that we're going to do with these passkeys. For instance, and in fact what we do, we refer to
these one of them as a public key and the other as a private key. And so let's take an example
of how we would use these. So here is our user going to log into this website. First of all,
they need to register. How does the registration flow work? Well, it's sort of like this user is
going to send some registration information over to the web server. And as they're doing that,
in this process of registration, the user on their device is going to generate both a public key and
a private key. So an example of each of these. The private key is going to stay on this device
and never leave it. And we're going to lock it down with some sort of biometric or other strong
authentication capability. So the private key stays on the device. The public key, however,
we share with the web server. The web server takes that public key and puts it in a database
and associate it with this user. Now, that's the registration piece. Now, what do we do next is,
let's say this user, we do that one time. Now the user wants to log into the system. So now
what we need to be able to do is authenticate. The authentication flow is going to work like
this. So the user is going to send information to the web server. For instance, they're going
to put it in their username and say, "Hey, this is me. I'd like to log in." The web server says,
"Oh yeah, I remember you because you registered with me before. I'm going to pull in your public
key because you shared that with me." And by the way, there's never a problem with sharing a public
key. That's why we call it a public key. Only problem is if you share a private key. So we take
the public key that's been shared in advance, and we're going to then calculate a challenge
of some sort. So that is a specially designed message that's going to have some information,
probably a timestamp and other things like that that are unique. And we're going to encrypt it
with that user's public key. And remember, if it's been encrypted with the user's public key,
only they can decrypt it because they're the only ones that have the private key and they've locked
it down on their device. That's this is where we start getting the real security capabilities. He
sends the challenge over to the user. The user decrypts it with their private key. And then
if they're able to read it, they're able to see what's the challenge message. And they can then
respond to the web server encrypting the response that proves that they have read the challenge
message and they will encrypt that again with their private key and send that back to the web
server. The web server then is going to take that and we do the final step. That is verification.
Verification means the web server now is going to take this response message that we got. We're
going to decrypt it with the public key, and we're going to compare it and see if it works. If the
challenge we sent matches the message we got back, then we can prove that this user is in fact who
they claim to be and we will allow them to log in. Notice what was not ever happening in this
case. There were no passwords. At no time did you see a password come out of my hands. In this case,
we stored the private key on the device. Always we keep the public key, share it with the web server.
The web server associates that with the user, and then we just do a series of challenges. So
for this user, all they have to do in order when this challenge comes across, unlock their device,
indicate maybe on the device that this is the website that I want to log into, approve that, and
the rest of it happens automagically. Okay, let's review really quickly what we've talked about.
So with FIDO, we keep the private key on the device itself and we guard it with multi-factor
authentication. So that way nobody else can see it. It remains private and therefore only that
user can decrypt and encrypt with that key. The public key, however, is shared. That's why we
call it public. We share that with the service provider, with the website or what have you.
And that's okay. Because of the mathematical relationship between these two, having one
doesn't allow you to figure out what the other is, which is nice. Now, one of the things that really
nice about this, not only do I get to get rid of passwords, but there's some downstream effects
that occur from that. For instance, it resists phishing attacks. So the phishing issue often
occurs because someone is able to coax you out of your credentials. You click on a website and log
into a bogus website and you give the attacker your login your user ID and password. If there's
no password, in other words, only passkeys in the form of these challenges and crypto
mechanisms, then there really is no password for the phisher to gather in the first place. So we
resist a lot of those phishing attacks. That's a nice side effect. Another thing is it resists
replay attacks. So a replay attack is one where a user or an attacker might sit on a network and
see the information that you're sending when you go to send your password over the network. Maybe
it's in an encrypted form in the form of a hash, and they take that hash and they don't even have
to know what it says. They just need a copy of it. And then they replay it and send it to the
web server as if they were you. In this case, we've got a system of challenges. They wouldn't
know what to send because they'd have to see what was coming in the first place. So we resist replay
attacks. And finally it gets rid of passwords for us. Those things that we hate, the things
that are hard to keep up with, the things that can be forgotten, the things that people write down,
the things that people are not very creative at coming up with in the first place. In this kind
of a situation, there's no passwords involved. The passkeys are all based upon information with these
public and private keys, which are automatically generated, and they're complex and strong and the
user doesn't have to keep up with it. And you know what? This has been around for a while. In fact,
IBM has been supporting FIDO 2 since 2018, and there's a lot of other vendors that are jumping
on board as well as I told you to begin with. So this is something that I believe is going
to be the future of logins and authentication. And the beautiful thing is the future is free
of passwords. Thanks for watching. If you found this video interesting and would like to learn
more about cybersecurity, please remember to hit like and subscribe to this channel.