Microsoft whistles up FIDO to protect users

Microsoft Edge and Windows 10 users can now use FIDO2-enabled hardware keys to authenticate in the Microsoft eco-system and beyond.
22 November 2018

Microsoft CEO Satya Nadella speaks onstage at the WIRED25 Summit. Source: AFP

The acceptance of physical keys to help prevent a range of cyber frauds and data breaches has come a step closer, with Microsoft joining an increasing number of companies using FIDO2 technology.

The announcements surrounding the 1609 update to Windows 10 included the company’s adoption of the FIDO2 protocols in several of its products. However, that update became mired in trouble unconnected with the authentication technologies, which probably kept the message from much of the tech press’s attention.

The FIDO Alliance is an industry body to which many hardware and software vendors have signed up. It provides the cross-platform basis for authentication, either as a second factor (FIDO U2F) or as the sole means of verifying a user’s credentials (FIDO UAF).

The FIDO2 Project to which Microsoft has attached itself is a FIDO standard comprising the W3C’s Web Authentication specification (WebAuthn) and the Alliance’s Client to Authenticator Protocol (CTAP).

Microsoft Edge is joining browsers like Chrome and Firefox in supporting the protocol, so web log-ins can be authenticated either with a hardware second factor or by the device alone as the sole login credential. In Windows 10 environments, users can log in without a password via one of three options: a hardware key combined with Windows Hello face recognition or fingerprint ID, a hardware key coupled with a PIN, or a phone running the Microsoft Authenticator app.

In the Microsoft ecosystem, users can deploy their favored login authentication method with Outlook.com, Office 365, OneDrive, Xbox Live (on PC), the Microsoft Store and the MSN Portal.

Hardware keys, which typically plug into a USB socket (or use NFC or Bluetooth for mobile), generally implement the FIDO-governed methods and are accepted by a huge range of platforms and applications, from Debian Linux to Salesforce, Dropbox for Business and several password management platforms such as LastPass and Dashlane.

With data theft on the rise, even if your organization suffers a data breach (or a member of staff’s credentials are stolen), requiring a physical device means that only the key’s holder can access the data stores and applications whose credentials may have been compromised.

An example of the technology’s efficacy comes from no less an authority than Google, whose 85,000 worldwide employees began to use USB security keys in early 2017. Since then, not one of its employees has been phished on their work accounts.

The USB keys don’t prevent phishing emails from getting through, being read, or being acted on. But even if the victim enters their password into a malicious portal masquerading as a genuine online service, the credentials cannot be used by a third party without access to the physical USB key.

A Google representative told Krebs on Security at the time, “We have had no reported or confirmed account takeovers since implementing security keys at Google. Users might be asked to authenticate using their security key for many different apps or reasons. It all depends on the sensitivity of the app and the risk of the user at that point in time.”

USB keys suitable for type B and C ports are available for just a few dollars, and several also come equipped with NFC and Bluetooth, meaning the same key can be used with a suitably-equipped tablet or phone.

With biometric authentication still in its infancy and subject to well-publicized spoofing, passwords easily compromised through simple human error, and SMS-based authentication recently compromised, hardware keys may be the answer to the cybersecurity issues that blight many businesses.