Securing Web Resources

When choosing an option, it is important to understand all of the options available.

FIDO2 / WebAuthn

The FIDO Alliance has curated the new trails blazed by innovators in secure authentication, providing a standard, open platform for maintaining new specifications. WebAuthn represents a new way of performing authentication using public key cryptography, but without the overhead of a Public Key Infrastructure framework or a central trust authority.

FIDO protocols are ideal for web portals in which security is a top concern, and users can be reasonably expected to use a modern browser on a modern OS.

Key Points:

  • Modern protocol

  • Public key based

  • Customer self-registration

  • Privacy protection

  • Multiple implementation choices

  • Immune to phishing

  • Requires modern browser

One-Time Passwords

OTPs (One-Time Passwords) have been the backbone of multifactor authentication for the vast majority of established systems. We use OTPs from SMS messages, software apps like Google Authenticator or from authentication hardware, like YubiKeys. OTPs have a major advantage in that they are easy to implement user endpoints for - just include a text field to accept the typed input. While not as secure as the modern authentication protocols, OTPs, when implemented properly, provide security that username and password only cannot match.

OTPs are perfect for quickly standing up a multifactor authentication solution which will work across every environment.

Key Points:

  • Universally supported protocol

  • Very quick to enable

  • Customer self-registration

  • Multiple implementation choices

  • Vulnerable to phishing

Smart Cards

Smart cards provide a superior authentication solution, allowing for strong, centrally managed authentication which can be extended to secure OS endpoints as well. However, their strength relies on establishing a Public Key Infrastructure (PKI) framework which can be unwieldy to manage. However, should such a PKI deployment already be in place, say in a corporate or federal office, it can be leveraged to extend the same authentication to websites.

Smart Cards are perfect for extending an existing PKI deployment to securing web assets as well.

Key Points:

  • Strong form of authentication

  • Credentials are centrally managed - no user registration

  • Credential lifecycle can be highly managed

  • Immune to phishing

  • Requires a notable investment in a PKI framework

  • Limited to members within an organization