Revolutionizing Biometrics Authentication: The Evolution from FIDO2 to Passkeys for Seamless and Secure User Experiences

January 07, 2024

Unveiling the FIDO2 W3C Standard and Its Impact on Device Security

Biometric authentication got a serious boost in the second half of 2018 with the release of the FIDO2 W3C standard. Consumers were already used to unlocking some of their devices with strong authentication mechanisms such as Apple's Touch ID and Face ID on iOS and macOS, fingerprint sensors and facial recognition on Android devices, and Windows Hello, which wraps whatever biometric authentication the computer's hardware offers.

In 2018, those mechanisms became available for pretty much any use case on the web. Thanks to the WebAuthn API, a website could now ask the browser to hand authentication off to the device's built-in authenticator (and the biometric sensors behind it), offering consumers the best combination of security and user experience for signing in.

Overcoming FIDO2's Limitation for Seamless Multi-Device Authentication

There was just one small issue. Because the FIDO2 standard relies on a public/private key pair created between the device and the website or service, with the private key never leaving that device, a credential is not easily reusable on another device or in another context. It is actually quite the opposite. For a consumer to log in to a given website from all of their devices (most of the time a phone and a computer, sometimes also a tablet), they had to go through the registration process on each of those devices, which can be cumbersome. Solution providers had to build flows around the registration of new devices to offer consumers an overall frictionless experience.

Jumping forward a few years, the FIDO Alliance tackled this issue with an update on top of FIDO2 WebAuthn, called passkeys. Passkeys aim to provide a better overall user experience by leveraging automatic cloud synchronisation, which makes the created keys reusable directly from one device to another, as long as the devices are signed in to the same cloud account (iCloud, Google, Microsoft, etc.). With this ability, a consumer can register on a website from their laptop and later continue browsing the website from a phone that will actually use the key created on the laptop to reconnect. The beauty of the standard is that even though the user registered the laptop key with a fingerprint, it can be unlocked with facial recognition on the phone: the cloud account, not the biometric, is what ties the key to the user, and the biometric only unlocks the synced key locally on each device.

The Promise of Passkeys in Redefining Biometrics Authentication and Phasing Out Password Vulnerabilities

With these capabilities, web services should be able to offer state-of-the-art biometric authentication, improving the overall user experience and making the transition between the native OS world and the web seamless, while also reducing the use of passwords, which are still, to date, the largest security flaw for consumers when they interact with applications and, more generally, with brands.
