For a detailed review of the FIDO2 specifications and additional resources, please visit our FIDO2 tech blog. To get a broader understanding of why FIDO2 security keys should be used, please read Gizmodo’s excellent article describing how physical keys can help in everyday authentication scenarios.
Benefit 1: Mobile Devices Work Great with FIDO2 Security Keys
Before FIDO2, using a hardware security key on a mobile device (such as an iPhone) would require extra software and an extra reader. However, the major mobile device manufacturers have invested heavily in making FIDO2 a natural part of their authentication system. The end result is that you can use a FIDO2 security key on a mobile device right out of the box. This compatibility can help you immediately deploy strong MFA to all mobile devices without any changes to the mobile device.
Benefit 2: Eliminate credential replay attacks with user presence check
Malware and other hacking software make it really simple to steal credentials and repeatedly retry them until access is granted. FIDO2 eliminates this threat by forcing the hardware token to be physically touched before the authentication transaction can occur. With this set up, even if a hacker takes control of a machine that has a FIDO2 credential plugged in, no authentication will take place unless the user physically takes action. This security feature will immediately protect your organization against the most damaging credential stealing and phishing attacks.
Benefit 3: Easily enforce authentication standards
With supply chain security being of the utmost importance, organizations can now enforce that their partners only use NIST certified FIDO2 devices using the FIDO2 (WebAuthN) Attestation security feature. To understand how this works, imagine you are the IT security manager for a manufacturing plant and you have vendors that access your ordering system. You stipulate they must now use multifactor authentication…however, you further require a FIPS certified device to meet your internal compliance requirements. Using FIDO2 Attestation, you can automatically inspect the device during the registration process to make sure it is approved before allowing them to use it. This benefit enables you to make sure your partner uses a FIPS certified device and not their personal iPhone.
Benefit 4: Ensure authentication redundancy with a FIDO2 security key
Although Public Key Infrastructure (PKI) is one of the strongest ways to perform authentication, there are operational challenges that can cause outages or prevent authentication. For example, a new workstation may not have the trust certificates installed, a CRL list could be blocked, or a smart card certificate could have expired… all preventing the user from successfully authenticating.
FIDO2 is deeply rooted in cryptography and is often thought of as PK (without the I) because it uses a direct hardware-based cryptography model instead of secondary infrastructure validation. This direct model requires fewer moving parts and therefore, is more resilient.
FIDO2 can be used as a backup authentication to PKI. This feature can help to minimize outages while also strictly maintaining your high assurance authentication protocol.
Benefit 5: Fast track compliance and satisfy auditors
Since different authentication technologies have different levels of security, many regulations now mandate that MFA options must meet NIST/FIPS standards. (Microsoft published a nice guide here that explains the concept remarkably well.)
As the IT security manager, you want to ensure that the MFA option that is deployed, will pass an audit. By using FIDO2 security keys that are FIPS certified, you can be certain that your MFA devices will meet the highest security requirements. Furthermore, you are able to implement a much stronger MFA architecture because FIDO2 security devices perform their cryptographic operations in a separate chip.