Last year I had the chance to present at the Authenticate conference the adoption figures we observed. The two authenticator types are called roaming authenticators and platform authenticators, respectively.Īuth0 immediately saw the value in the initiative and adopted WebAuthn both as a second factor for administrators accessing our management dashboard and as a method developers can use to authenticate their users when protecting their web apps with Auth0. In short, that's achieved by describing how authenticators (physical keys, security hardware on devices, etc.) can talk to browsers and by defining a JavaScript API that websites can use to tap into those authenticators to perform public key cryptography authentication.Ĭlear as mud? In practice: by using the Javascript API defined in the WebAuthn specification, developers can leverage either hardware keys (e.g., YubiKeys) or secure hardware on the device (e.g., secure elements on your phone, TPMs on your laptop) gated by biometric sensors to authenticate users without using passwords. If you are interested in digging deeper into FIDO, you can listen to the Identity, Unlocked podcast episode I recorded with Yubico's John Bradley on that very topic.įor the purposes of today's story, the important bit is that FIDO2, one of the sets of specifications the alliance produced, led to the widespread availability of phishing-resistant authentication features on modern devices. The FIDO Alliance, a group of industry leaders, was formed to create and promote the adoption of phishing-resistant tech that could be a viable alternative to passwords. Unfortunately, the sheer number of accounts everyone needs to juggle to participate in modern life exacerbates the shortcomings of this method, up to and including all the ways in which passwords can be stolen by bad actors, remotely and at scale.
Intuitive, portable, and (in the naive case) easy to use, shared secrets have been used to protect information and resources since at least Roman times. Passwords are a classic example of how civilization will, sometimes, get stuck on a local maximum. The Starting Point: FIDO's Platform Authenticators
Passkeys might also introduce challenges for solutions relying on FIDO's platform authenticators as they are implemented today, typically in the workforce and mission-critical solutions: as an industry, we'll need to find ways to reap the advantages of this new technology while minimizing the drawbacks. We believe that passkeys offer a viable, phishing-resistant alternative to passwords that solves end-user friction for consumer applications in particular, and we are committed to making it easy for developers to offer that experience to their users. "Passkey" is the shorthand for FIDO multi-device credentials, a new technology that makes it convenient to use FIDO's phishing-resistant authentication methods and ceremonies across multiple devices. "When the student is ready, the teacher will appear"
0 kommentar(er)
