Introductions and Background (or skip to TruYouID Authenticator)

Authenticators then and now. Historically, the authenticator is a device you carry on your person and use to establish your identity when accessing secure accounts. Most often referred to as a 2FA device, the authenticator produces a second-factor password on demand, the One-Time Password, that you append to your password when accessing secure accounts or services. Thus, even if a bad actor comes into possession of your password, it is useless without the required second factor.

2FA authenticators were first introduced in the late 1990s, the best known of which is perhaps the “RSA SecurID” device. There were several others, and with the advent of the smartphone came a slew of 2FA authenticator apps from a host of different providers, as well as email and SMS text messaging solutions adopted by some service providers. Initially 2FA solutions solved the problem of hijacked accounts, but in time their weaknesses became all too apparent, leading to exploitation by the dedicated attacker. Notwithstanding this recognition, 2FA remained the best defense against attacks resulting from compromised credentials. A major push to convince users to adopt 2FA began and continues as a best-efforts way to thwart account attacks using compromised credentials.

In 2013 industry leaders, together with the World Wide Web Consortium (W3C) standards body, undertook efforts to address the shortcomings of 2FA and at the same time to streamline and simplify the authentication process. The fruits of those efforts are now known as the FIDO2 and WebAuthn protocols. While WebAuthn addresses the specific weaknesses of 2FA with the new U2F protocol, the FIDO Alliance takes a different approach, promoting the new FIDO2 protocol that does away with passwords altogether. Together these standards map the future of secure account access. As such, it’s safe to predict there will come a time when use of either 2FA, U2F or FIDO2, and perhaps all three, will become a requirement, not an option.

Universal Second Factor, U2F, is a replacement for 2FA that can be accommodated by service providers with minimal impact. Its use eliminates the 2FA One-Time Password, replacing it with a physical token you must have in your possession at the time of secure account access. U2F tokens available from different vendors share a common feature: the requirement that you demonstrate possession of the token at the time of access by some form of gesture, most often the pressing of a button on the token. This eliminates the compromised One-Time Password, the impersonation bot, and the pirated 2FA secret key.

FIDO2, sometimes referred to as UAF or CTAP2, is an all-new approach to secure authentication that does away with passwords and second factors altogether. If you can imagine a time when secure account access is simply your user name and the press of a button, then you can imagine FIDO2. Operationally, a FIDO2 authentication session requires that you have in your possession, at the time of authentication, a registered FIDO2-compliant authenticator. During the authentication process you sign into your account using some form of account-specific user name and make a gesture the device recognizes, such as pressing a button, to establish presence in the authentication process. FIDO2 authenticators may be certified, and if so are certified to a level between L1 and L3+. Certification assures that a neutral party has confirmed the authenticator meets a FIDO2 certification level, and each higher level indicates more robust defensive measures taken by the authenticator.
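The presence gesture described above reaches the service as a flag bit in the WebAuthn authenticator data, which the service must check itself. The sketch below is an added example, not code from this page or from TruYouID; the relying-party ID and sample bytes are constructed, and signature verification over the data is assumed to happen separately.

```python
import hashlib
import struct

FLAG_UP = 0x01  # user present: the gesture (e.g. button press) was made
FLAG_UV = 0x04  # user verified: PIN or biometric checked on the device


class AuthDataError(ValueError):
    """Raised when authenticator data fails a relying-party check."""


def check_authenticator_data(auth_data: bytes, rp_id: str, stored_count: int) -> dict:
    """Validate the fixed 37-byte header of WebAuthn authenticator data.

    Layout: SHA-256(rp_id) [32] | flags [1] | signature counter [4, big-endian].
    Signature verification over this data is a separate step, not shown here.
    """
    if len(auth_data) < 37:
        raise AuthDataError("authenticator data shorter than 37 bytes")
    rp_id_hash, flags, count = struct.unpack(">32sBI", auth_data[:37])
    if rp_id_hash != hashlib.sha256(rp_id.encode()).digest():
        raise AuthDataError("rpIdHash mismatch: assertion was made for another site")
    if not flags & FLAG_UP:
        raise AuthDataError("user-presence flag not set: no gesture was made")
    # A counter that fails to increase suggests a cloned authenticator.
    # Authenticators that do not implement a counter always report 0.
    if (count or stored_count) and count <= stored_count:
        raise AuthDataError("signature counter did not increase")
    return {"user_verified": bool(flags & FLAG_UV), "sign_count": count}


def build_sample(rp_id: str, flags: int, count: int) -> bytes:
    """Construct sample authenticator data (test input, not a real capture)."""
    return hashlib.sha256(rp_id.encode()).digest() + struct.pack(">BI", flags, count)


if __name__ == "__main__":
    rp = "login.example.test"  # constructed relying-party ID
    print(check_authenticator_data(build_sample(rp, FLAG_UP, 42), rp, 41))
    for label, data in [("no gesture", build_sample(rp, 0x00, 43)),
                        ("other site", build_sample("other.example.test", FLAG_UP, 43)),
                        ("stale counter", build_sample(rp, FLAG_UP, 41))]:
        try:
            check_authenticator_data(data, rp, 42)
        except AuthDataError as exc:
            print(f"{label}: rejected ({exc})")
```

The stored counter should be updated to the returned `sign_count` only after the assertion signature has also verified.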

Proceed to TruYouID Authenticator to discover a new and unique method of authentication that builds upon the foundations of FIDO2 and U2F.


Rick Hallock

Naples, FL 34119

Email: Rick.Hallock@ProteqsIt.COM