How do you start your passwordless journey?

Written by Gregory Guglielmetti, Lukas Westermann
Today passwordless authentication solutions solve complex security requirements and mitigate the usability issues of cumbersome password policies. Searching the web for a passwordless authentication solution will present many different options for a variety of use cases. With so many options to choose from, how do you pick the solution that best meets your requirements?
Nevis offers three distinct implementation approaches for passwordless authentication, targeted at consumer use cases, which have triggered numerous conversations with our customers. In turn, this has given us better insights into their day-to-day business and specific requirements. In this blog, we will walk you through the various approaches available from Nevis, discussing their strengths and their suitability for different use cases.
But first, let’s discuss how the Fast IDentity Online (FIDO) standards have established the basis upon which all of our approaches are developed.
FIDO (Fast IDentity Online)
The FIDO Alliance was founded in 2013 to strengthen online authentication and reduce reliance on passwords. The FIDO Alliance is backed by industry leaders including Apple, Facebook, Google, and Microsoft. It has published three major standards since 2013: FIDO UAF, FIDO U2F and FIDO2 (WebAuthN/CTAP2). All of these standards are in use today:
- FIDO U2F: used with a Yubikey or another U2F-compatible roaming authenticator on a desktop PC or laptop. For GitHub users, this has been possible since 2015.
- FIDO UAF: originally developed to support the platform authenticators available on mobile phones (Touch ID, Face ID). It is commonly used in the financial industry in the United States and Europe.
- FIDO2: the latest standard, unifying the U2F and UAF approaches. It is split into multiple parts: WebAuthN, driven primarily by the W3C and implemented in browsers, and CTAP2, which describes the interface between the browser and the authenticators.
All Nevis solutions are based on either the FIDO UAF or the FIDO2 standards.
Mobile access app with customer-specific branding
Have you ever used the Google or Microsoft authenticator apps? The Nevis mobile access app is a similar native app for iOS and Android that provides users, once enrolled for the specific service(s) they require, with a passwordless login solution. Instead of cumbersome and insecure passwords, users log in with their biometrics.
How is the Nevis access app different from Google, Microsoft or other standard authenticators?
- It is based on the FIDO UAF standard for secure passwordless authentication and can be used either as a second factor or as a combined first and second factor.
- Transaction signing via biometric authentication, which is PSD2 compliant, conforms to WYSIWYS (What You See Is What You Sign) as required by the FIDO UAF standard. Transaction confirmation is a key building block in efficiently implementing financial-grade APIs such as the OpenID: Client Initiated Backchannel Authentication Profile and is particularly important in the FinTech, crypto and banking sectors.
- The Nevis access app is hardened to protect against malware attacks, reverse engineering, tampering and other attacks that can put the authenticity of authentications and transactions at risk.
- It is fully brandable, tailored to the corporate identity of the customer.
What are the advantages of the native access app?
- The Nevis passwordless authentication solution can be up and running in hours and does not require any mobile development know-how.
- Multiple login use cases are available, such as push notification, QR code or deep links for mobile-only authentication.
- Transaction confirmation is supported by push notification messages to proactively communicate with customers over a secure channel.
Mobile Software Development Kit (SDK)
The software development kit is a native library for iOS and Android. It can be used to add passwordless authentication and transaction confirmation to any existing mobile app. The Nevis SDK is based on the FIDO UAF standard and is security-hardened.
The Nevis SDK is the suggested solution for customers that already have a native mobile app and want to extend its functionality to include passwordless authentication.
What are the advantages of the SDK?
- The SDK provides a user-friendly passwordless experience that can be fully integrated into existing mobile apps.
- You can add transaction confirmation functionality to your mobile app.
- End users do not have to download an additional access app.
- Implementation flexibility for the different authentication options and fallback scenarios.
- Based on the FIDO UAF standard, offering a highly secure authentication scheme.
FIDO2 (WebAuthN / CTAP2) — Available in Q4 2021*
FIDO2 unifies the U2F and FIDO UAF standards, making passwordless authentication ubiquitous by integrating it into web browsers by default. The authentication occurs directly through the browser using the built-in biometric capabilities of the device or roaming hardware keys. With FIDO2, the end user is not required to install a mobile app in order to authenticate. WebAuthN, which forms part of the FIDO2 standard, is supported by all major browsers, such as Google Chrome, Microsoft Edge and Safari.
FIDO2 is commonly used with a browser and either a platform authenticator, such as a fingerprint sensor on a mobile device, or a roaming authenticator interacting via Bluetooth (BLE), NFC or USB. Native iOS and Android APIs utilising FIDO2 functionality have recently been made available by Apple and Google, allowing the use of FIDO2 across browsers as well as a direct integration into native apps.
Employee authentication scenarios are well supported by FIDO2. Employers can allow their employees to authenticate securely from anywhere by providing a roaming authenticator, such as a Yubikey, in combination with FIDO2. This scenario could replace the FIDO U2F standard that has been very successful at protecting Google employees' access to internal resources.

For consumer use cases, while FIDO2 shows a lot of promise, it still has a number of issues that need to be addressed.
Too many authenticator options could lead to an explosion of support calls
FIDO2 has many moving parts, including the server(s), the browser/client, and platform and roaming authenticators, and these all need to work together. Not every permutation of browser and hardware offers the same capabilities and security guarantees. For example, older iOS versions do not support FIDO2 in Mobile Safari; the Chrome browser supports Android mobile devices as roaming authenticators, but Safari doesn't. The variety of web browsers and authenticators, and their combinations, can confuse a typical user, leading to dissatisfied customers unable to log in.
Device registration fatigue when using platform authenticators
FIDO2 registration is device-specific, as the private key is securely stored on the device where the registration was performed. So a user who wants to log on to the same site from a different device has to perform the FIDO2 registration again on each such device. As of August 2021, users of macOS are required to register each browser on each device separately if they wish to use FIDO2. There are solutions to these usability issues; however, there is no standard way to implement them, and the various approaches cause additional user friction.
Apple Passkey is Apple's proposed solution to avoid this friction and ease logging in across devices in its ecosystem. Private FIDO keys will be stored in the iCloud Keychain and synchronized across devices, so users only have to register once with a service and their private FIDO keys will be available for login on all compatible devices.
Limited transaction confirmation support
FIDO2 offers limited functionality in support of browser-based transaction confirmation, and transaction confirmation has been removed from the latest WebAuthN specifications. Current limitations of FIDO2 prevent an authorization request from being delivered reliably and securely to a user's browser via push notification. This in turn raises complexities with financial-grade APIs such as the OpenID: Client Initiated Backchannel Authentication Profile.
What are the advantages of FIDO2?
- No app needs to be installed or downloaded, works directly in the browser — even on mobile phones.
- Broad industry support and interoperable authentication functionality.
- Great support for employee authentication scenarios with a growing number of enterprise software offerings supporting FIDO2, like Windows Hello.
- FIDO2 security keys (e.g. Yubikey) offer a very secure solution.
Where to start your passwordless journey?
Choosing a FIDO-based approach for your customers' identity and access management will vastly improve security and reduce user friction. The standards are widely used across many scenarios and sectors and are broadly supported by the software and hardware industry, so each implementation can be tailored to the specific needs of the customer and their end users. Through various implementations across sectors and unique use cases, Nevis can provide you with detailed insight into starting the passwordless journey that is suitable for your business.
For more information, please get in contact with the in-country team or write us an email.
(*) FIDO2 support will be available in Q4 2021 in the Nevis Authentication Cloud.