Last updated on May 12, 2021
Stealing somebody’s password is relatively easy, which is something many users still do not realize. Frequent login data leaks from social networks, online stores and other places on the web make password leaks the greatest threat to users who set the same password on different websites. Incidentally, users who provided their e-mail address as their login are always at greatest risk. More often than not, cybercriminals take advantage of the public cloud to crack a password using brute-force attacks (trying all possible permutations of characters in the password) or dictionary attacks (based on the linguistic rules and words in a given language).
Biometrics is the future of MFA
It is easy to steal a password. It isn’t easy to steal a phone or another device used for Multi-Factor Authentication (MFA). In addition to smartphones, devices used for MFA also include security keys. Security keys are portable devices that the user plugs into the USB port of their computer when authenticating. Essentially, access to your data is far better secured when protected by MFA than when protected by a username and password alone.
Of all methods of authentication, a fingerprint or a retinal pattern is the most difficult to fake. Biometrics such as fingerprint or retinal pattern scanning can therefore be effectively implemented as an additional step of authentication. Faking biometrics isn’t impossible, but it’s hard enough to make biometrics a strong method of authentication. Even today, many models of business notebooks allow you to log in to the system after verifying your fingerprint, thus demonstrating biometrics in everyday use. Fingerprint-protected notebooks are just one of many harbingers of the soon-to-come widespread use of independent devices that will verify the user using biometric data. Naturally, such biometric devices already exist and implement several standards, including U2F and WebAuthn.
U2F, FIDO2, W3C… That’s confusing…
Universal 2nd Factor (U2F) is an open standard that enables and facilitates Two-Factor Authentication (2FA) by using specialized USB devices or other devices that can communicate over an NFC interface. Similar security technologies can be found in smart cards. Devices of this kind are often called security keys.
U2F was developed by Yubico and Google. Over time, U2F has been incorporated into the FIDO Alliance. The FIDO Alliance is an association founded in 2013 whose mission is to develop and promote authentication standards. Founders of the FIDO Alliance include PayPal, Lenovo, Nok Nok Labs, Infineon, Validity Sensors, and Agnitio.
The U2F protocol was designed as a second factor intended to strengthen the security of basic username-and-password logins. The strength of U2F lies in Yubico’s ingenious public key model, in which a new key pair is generated for each service the user wants to log in to. As a result, a single device can support a virtually unlimited number of services while maintaining the highest degree of privacy.
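The per-service key pair model described above, shown as an added example (not code from Yubico, the FIDO Alliance or Rublon): a simulated security key in Node.js that creates a separate key pair for each service and signs a login challenge. The class and function names, the `.example` service names and the simplified signed message (hash of the service ID followed by the challenge) are assumptions; real U2F messages carry more fields.

```javascript
const crypto = require('crypto');

const sha256 = (s) => crypto.createHash('sha256').update(s).digest();

// Simulated security key: private keys never leave this object.
class SimulatedKey {
  constructor() { this.keys = new Map(); }   // appId -> private key
  // Registration: generate a fresh P-256 key pair for this service only.
  register(appId) {
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(appId, privateKey);
    return publicKey.export({ type: 'spki', format: 'der' });
  }
  // Authentication: sign hash(appId) || challenge with that service's key.
  sign(appId, challenge) {
    const key = this.keys.get(appId);
    if (!key) return null;                   // no credential for this service
    return crypto.sign('sha256', Buffer.concat([sha256(appId), challenge]), key);
  }
}

// Service side: stores only the public key and checks the signed challenge.
function verifyLogin(publicKeyDer, appId, challenge, signature) {
  if (!signature) return false;
  const pub = crypto.createPublicKey({ key: publicKeyDer, format: 'der', type: 'spki' });
  return crypto.verify('sha256', Buffer.concat([sha256(appId), challenge]), pub, signature);
}

function demo() {
  const key = new SimulatedKey();
  const shop = 'https://shop.example';       // constructed service names
  const mail = 'https://mail.example';
  const shopPub = key.register(shop);
  const mailPub = key.register(mail);

  const challenge = crypto.randomBytes(32);  // fresh for every login attempt
  const sig = key.sign(shop, challenge);
  return {
    distinctKeys: !shopPub.equals(mailPub),  // services cannot link the user
    loginOk: verifyLogin(shopPub, shop, challenge, sig),
    wrongService: verifyLogin(mailPub, mail, challenge, sig),
    staleChallenge: verifyLogin(shopPub, shop, crypto.randomBytes(32), sig),
    unregistered: key.sign('https://other.example', challenge) === null,
  };
}

console.log(demo());
```

Each service holds only its own public key, so a leak at one service exposes nothing that works at another, and a signature is valid only for the service and the challenge it was made for.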
The successor to the U2F project is FIDO2, which includes the W3C Web Authentication (WebAuthn) standard and the FIDO Alliance’s Client to Authenticator Protocol 2 (CTAP2).
What is the difference between FIDO U2F and FIDO2?
Long story short, the FIDO2 standard is a new passwordless version of FIDO U2F. FIDO2’s main premise is to provide an enhanced set of features, and the standard’s primary component gathers the processes that allow passwordless logins to a service (application). The U2F model is still the basis for FIDO2, and compatibility with existing U2F implementations is guaranteed in the FIDO2 specification.
What are WebAuthn and CTAP?
W3C has developed a new web authentication API. This interface, called WebAuthn, supports existing FIDO U2F and FIDO2 credentials.
The client-side FIDO U2F protocol was given a new name: CTAP1. The protocol between the client and the provider of the authentication method has been defined as CTAP2. The CTAP2 protocol was primarily developed to allow third-party providers of authentication tools or methods (such as phones, tokens, smart cards, etc.) to connect to FIDO2 via browsers and operating systems.
Rublon believes in biometrics
Rublon fully supports security keys that work with WebAuthn and U2F standards. In a common use case scenario, you plug in a security key to confirm your identity when logging in to any of the hundreds of applications that can be integrated with Rublon. When logging in to a Rublon-integrated application, you will first enter your username and password. In the second step, you can choose from a number of authentication methods. If you decide to log in using a security key, you are asked to either connect the security key to your computer’s USB port or use an integrated security key (e.g. Touch ID on your MacBook). After you connect and tap your security key, Rublon verifies your identity and logs you into the application. Rublon provides not only high security, but also an easy and fast way to log in with security keys such as YubiKey and others.
Furthermore, Rublon offers a mobile application called Rublon Authenticator. Access to Rublon Authenticator can be secured by introducing an additional layer of security in the form of a fingerprint or face scan (Fingerprint on Android devices or Touch ID and Face ID on Apple devices).
Biometric methods of authentication are constantly evolving. That’s why Rublon aims to always deliver the latest solutions in this area of security. After all, biometrics is the future of authentication. Would you like to take a step into the future with Rublon?