Last month, open authentication standards reached an important milestone: Microsoft launched support for FIDO2 and CTAP, and the World Wide Web Consortium (W3C) advanced WebAuthn to Candidate Recommendation status. Since then, Yubico has received questions on how these efforts are related, what role FIDO U2F and Yubico have in the mix, and what organizations can implement now, and in the future, to enable simple, strong authentication for employees and end users. This blog will bring some clarity to those questions.
What is the difference between FIDO U2F and FIDO2?
U2F was developed by Yubico and Google, and contributed to the FIDO Alliance after it was successfully deployed for Google employees. The protocol is designed to act as a second factor that strengthens username/password-based login flows. It is built on Yubico's invention of a scalable public-key model in which a new key pair is generated for each service, so an unlimited number of services can be supported while each service sees only its own public key. That full separation between services preserves privacy, because no two services can correlate the same key.
Essentially, FIDO2 is the passwordless evolution of FIDO U2F. The overall objective for FIDO2 is to provide an extended set of functionality to cover additional use cases, with the main driver being passwordless login flows. The U2F model is still the basis for FIDO2, and compatibility with existing U2F deployments is provided in the FIDO2 specs: the original U2F protocol is carried forward as CTAP1, so existing U2F credentials keep working.
What is WebAuthn & CTAP?
A new, extensible web API, called WebAuthn, has been developed within W3C. It supports both existing U2F credentials and upcoming FIDO2 credentials, so a relying party integrates once and can accept both.
A new, extensible client-to-authenticator protocol (CTAP2) has been developed to allow external authenticators (security keys, phones, smart cards, etc.) to interface with FIDO2-enabled platforms, which then expose those authenticators to websites through WebAuthn.
WebAuthn (browser to website) and CTAP2 (platform to authenticator) are both required to deliver the FIDO2 passwordless login experience.
How can organizations deploy FIDO2?
So, what can organizations do if they are aiming to provide support for FIDO2? For the time being, we recommend that you start by adding support for FIDO U2F, which currently works with Chrome and Opera. FIDO U2F will also work with Firefox, as the browser recently added support for WebAuthn. Later this year, we also expect official FIDO2 and WebAuthn support in the Chrome and Edge browsers.
All leading online services that have added support for U2F have used Yubico's free open source servers, and the integration time has ranged from one to a few days. Once an online service has added support for U2F, most of the FIDO2 implementation work will already be done, since the registration and authentication flows and the signature verification are shared. Upgrading to FIDO2 will then be only a couple of days of work and require significantly less effort than integrating FIDO2 from scratch.
To evaluate FIDO2 today, Yubico offers a test service at demo.yubico.com/webauthn, and soon we will provide more complete open source FIDO2 servers on GitHub. Organizations can sign up for updates from the Yubico Developer Program to get early access to FIDO2 and WebAuthn resources, and also to access the full suite of developer tools, reference code and support to rapidly integrate U2F.
From Yubico's perspective, we are proud and pleased to see our vision of one single security key for any number of services become a reality. We have watched that vision progress from our launch of the first YubiKey in 2008, to early U2F development in 2011, to the launch of FIDO2 in 2018.
Our mission has always been to drive standards and adoption by providing technical specifications, open source components, and developer tools; and to be the gold standard for authenticators. With the open standards ecosystem growing, we see the vision of providing strong authentication for everyone coming true.
Interested in exploring FIDO2 and passwordless login? Get started today with the Security Key by Yubico.