How FIDO2 authentication works

FIDO2, from Fast Identity Online, is an authentication standard developed by the FIDO Alliance that aims to eliminate traditional passwords, which can be compromised through attacks such as phishing or brute force, or at least to significantly reduce dependence on them, in order to improve online security.

In this sense, FIDO2 provides an authentication alternative based purely on public key cryptography, unlocked with your biometric data (fingerprint or facial recognition) or with a physical security key, on devices you already have, such as your mobile phone or a USB token. This is a secure and reliable mechanism that makes it difficult for a cybercriminal to take over your accounts.

How to use FIDO2

FIDO2 is promoted by Google, Microsoft, Apple and other large companies worldwide. You can use it in the following way:

- Registration in a compatible service: First of all, you have to register on a platform or service that supports FIDO2: a social network, a bank or any other website that offers it.

When you do so, your device (phone, computer or security token) will generate a pair of cryptographic keys. The first is a private key, stored securely on your device. The second is a public key, which is sent to and stored on the service's server.

- Initial authentication: When you enter the service for the first time, you will have to log in with your traditional credentials (username and password) in order to link your account to the FIDO2 authentication method.

- Enable biometric or security key authentication: Once inside, the system will give you the option to enable the most secure authentication method, either biometric data (fingerprint, facial recognition) or a USB/NFC security key.

The device then sends its public key to the server (the private key stays on the device, as described above) so that, in future accesses, you can use that authentication method.

- Login without entering the password: In new sessions you will not have to enter your username or password; you will only have to use your fingerprint, or whichever method you have configured, to authenticate.

Your device will use the private key stored on it to sign a cryptographic challenge generated by the server. It then returns the signed challenge to the server, which verifies the signature using the previously stored public key. If everything checks out, you are granted access.

- Access from new devices: If you want to access the service from a new device, you will have to repeat this entire initial process: start a session with your traditional credentials and then enable FIDO2 on that new device according to your needs.
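The registration and challenge-response login described in the list above, as an added Go example that is not from the original article: the device generates a P-256 key pair and hands over only the public key, the server issues a fresh random challenge, and the signed challenge is checked under the stored public key. The origin string bound into the signed data (a simplified stand-in for WebAuthn's client data), the "|" separator and the host names are assumptions of this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device; the private key it holds never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Credential is all the service stores after registration: the public key.
type Credential struct{ pub *ecdsa.PublicKey }

// Register creates the key pair on the device and hands only the public key to the service.
func Register() (*Authenticator, Credential, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return &Authenticator{priv: priv}, Credential{pub: &priv.PublicKey}, nil
}

// NewChallenge is the server step for each login: a fresh random value, so a captured signature cannot be replayed.
func NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// signedData binds the challenge to the origin the browser reports (a simplified stand-in for WebAuthn's client data; the "|" separator is this example's assumption).
func signedData(origin string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(origin+"|"), challenge...))
	return d[:]
}

// Sign is the device step: the user gesture (fingerprint, PIN, touch) unlocks the private key, which signs the challenge for the origin actually in use.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(origin, challenge))
}

// Verify is the server step: reject assertions made for another site, then check the signature under the stored key.
func (c Credential) Verify(expectedOrigin, origin string, challenge, sig []byte) bool {
	return origin == expectedOrigin && ecdsa.VerifyASN1(c.pub, signedData(origin, challenge), sig)
}
```

A signature made over a different challenge, for a different origin, or with another device's key fails Verify, which is what makes replay and phishing of the login unproductive.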
