This year, I had the pleasure of (virtually) speaking at NDC Oslo. While it would have been great to present at the Oslo Spectrum, I still got the chance to talk about my recent work with FIDO2 and WebAuthn, which resulted in the creation of FIDO2 for ASP.NET.
If you want to learn more about how user authentication works on the web and how I think FIDO2 is going to be the solution to many of our issues, then check out my talk below.
Physical biometrics are awesome. If only we could use them to log into a website...
Physical biometrics, such as fingerprint or facial recognition, are super useful when logging into mobile apps. They allow the user to prove their presence without having to manage a password or go through a Multi-Factor Authentication (MFA) process. So why can’t you use biometrics in the browser?
Last week Google released an open-source FIDO2 authenticator called OpenSK, implemented in Rust.
OpenSK is not too dissimilar to the Solo Key, but unlike Solo, it is not yet suitable for everyday usage. It is not FIDO certified, and at the time of writing, it uses Rust implementations of the required cryptographic algorithms (e.g. ECDSA), as opposed to using available hardware-accelerated cryptography. For now, OpenSK is for research purposes only.
In this article, I’m going to talk through my creation of a security key using OpenSK (I am a Windows user, and this is all new to me). I’m also going to see how well the current implementation works with a FIDO conformant relying party (registration and authentication) such as FIDO2 for ASP.NET Core.
Evilginx is a tool that allows you to create phishing websites capable of stealing credentials and session cookies. It does this by simply proxying HTTP requests between the browser and the targeted site. To the user, it seems like they are using the legitimate website, but little do they know there is a man-in-the-middle. As a result, this style of phishing attack even works against 2FA approaches such as TOTP and push notifications.
So, how can you defend against this kind of phishing attack? Security awareness training for your users is a good first step, but a phishing domain using a deceptive Unicode character can fool the best of us.
The only way to truly protect your users from this kind of phishing attack is using FIDO.
Passwords suck. People have been moaning about this for years, and it is becoming more and more apparent as we see high profile data and account breaches happen every day, and as services such as Have I Been Pwned and Pwned Passwords become a necessity.
So, what’s the solution? FIDO2 (Fast Identity Online 2) seems a very strong candidate for a passwordless future, or at the very least as a second factor, using public key cryptography to bring easy-to-use, unphishable credentials to the masses.
In this article, I’m going to talk through the basic ideas and concepts behind FIDO2, and then walk through a basic FIDO2 relying party proof of concept that I have created using ASP.NET Core.