Not All MFA is Equal, and the Differences Matter a Lot: Why FIDO2 and WebAuthn are so much better than SMS and app-based auth

“People are starting to get the message that text/SMS is a weak form of multi-factor authentication (MFA). Fewer people know that there’s a big gap between the post-SMS MFA options as well.

[..] it doesn’t really matter how you got that MFA code. It might have been a text, or it could have been something “strong”, like a mobile authenticator app like Google Authenticator or Authy. However you got it, you now have it, which means you can now type it into a text field owned by a bad guy. [..]

FIDO stands for Fast Identity Online, and it uses the Universal Authentication Framework (UAF) and Universal Second Factor (U2F) protocols. The systems use public-key cryptography and a physical access token. The private key is stored on the token and kept with you, and the public key is stored with the services you want to authenticate to.

When you authenticate, you prove to the client/token that you are you (fingerprint, PIN, voice, etc.), and the client creates a signed request that’s sent to the service. That request is decrypted and authenticated using the public key, which proves the request was made using the private key, and you are then authenticated.

FIDO2 / WebAuthn is the passwordless version of FIDO, and the passwordless part is critical here. It completely changes how authentication is done.

Instead of you being presented with a website—which could be malicious—that you then enter credentials into, you instead navigate to the legitimate website like usual, and you get prompted to authenticate.

You then authenticate using your physical token, which you keep with you, by touching it for example. Or using your face or whatever. And when that happens (this is the brilliant bit), your local token creates a request and signs it with your token’s private key…

…and then sends that specifically to the exact, legitimate URL associated with the token!

That’s the magic. When you enrolled the token with, say, Gmail, the token collected the official URL for Gmail, so it can only send authentication requests to that URL!

The best part of this entire flow is that there’s nothing to type. All you did was touch something or look at your device. Everything else happened in the backend automatically.”

Full article: D. Miessler, personal website, 2022.3.14