■ Limitations of password authentication
・Information leaks are caused by the loss or theft of credentials (authentication information).
・Passwords can be leaked from servers or intercepted on communication paths, stolen through phishing, and are inconvenient to enter on mobile devices. The biggest problem is that users have too many passwords to remember, which leads to password reuse and to users abandoning or suspending services.
■ FIDO (Fast IDentity Online) authentication concept
-Aiming for an industry-wide security standard, like SSL, the FIDO Alliance established a standard for authentication that replaces password authentication.
-Standardization is based on specifications not tied to any particular manufacturer. (The FIDO Alliance certifies products through interoperability tests of the FIDO Server, FIDO Client and Authenticator, so each vendor implements according to the FIDO specifications and their products can work together.)
-Local authentication on the mobile device is separated from the device's authentication to the server, and server authentication does not use a shared-secret (shared credential) method such as a password; it is performed with public-key cryptography.
-Authentication information is stored in the secure storage area of the terminal, and biometric authentication information is not stored on the server.
■ FIDO specifications
-The FIDO Alliance initially had two specifications: UAF (Universal Authentication Framework), which does not use passwords, and U2F (Universal Second Factor), in which the user touches a security device in addition to password authentication. The FIDO Alliance then provided its Web API specifications to the W3C, which standardizes Web browsers, and the standardization of Web authentication (FIDO2) was completed.
■ Passwordless authentication realized by YubiKey and FIDO2
・Improved usability
・Strong security based on public-key cryptography
・One key can be used for multiple service accounts
The FIDO2 authentication specification is an open standard that comprises the W3C's WebAuthn API and CTAP (Client to Authenticator Protocol). FIDO2 with a Yubico Security Key supports three modes: single-factor (passwordless), second-factor (the same as U2F, two-step authentication), and multi-factor (single factor plus a second element such as a PIN). Because authentication is rooted in secure hardware, the theft and hijacking of authentication information (credentials) can be prevented, which is effective against phishing, man-in-the-middle attacks and server attacks.
・Windows Blog: Windows Hello and FIDO2 Security Keys enable secure and easy authentication for shared devices
・FIDO Alliance: FIDO2 project page
・RSA Conference 2018 session materials: Replacing Passwords with FIDO2 Authentication