Single factor login with FIDO2 offers strong authentication as a single factor. In many cases, this single factor authentication is more secure than other forms of two-factor authentication (such as SMS), as there are no secrets that can be phished remotely when using FIDO2. FIDO2 single factor uses the same strong public key cryptography with origin checking to prevent phishing just like FIDO U2F, but with the additional convenience of not needing usernames and passwords as the first factor to identify the user.
FIDO2 WebAuthn is backwards compatible with FIDO U2F authenticators, so over time, we expect FIDO2 will subsume FIDO U2F.
Yes, this option is available. Hardware authenticators supporting CTAP2 can add user verification by requiring users to use a PIN or biometric to unlock the hardware authenticator so it can perform its role. This preference is primarily dependent on the implementors threat vectors as well as use cases. For example, a large banking institution may want to consider the use of a PIN in conjunction with a security key for a higher level of assurance, while a warehouse-based shared kiosk environment may not.
Yubico’s FIDO2 compatible YubiKeys are enabled with the full CTAP2 specs, and are capable of supporting several passwordless experiences including single factor touch-and-go using the hardware authenticator (no need for a username) as well as use of a PIN with touch of the hardware authenticator.
As stated above, one of the allowances with FIDO2 is the option to combine hardware-based authentication with an additional factor such as a PIN. This has many of you wondering, “Well, isn’t that the same as needing to remember a password?”
A PIN is actually different from a password. The purpose of the PIN is to unlock the Security Key so it can perform its role. A PIN is stored locally on the device, and is never sent across the network. In contrast, a password is sent across a network to the service for validation, and that can be phished. In addition, since the PIN is not part of the security context for remotely authenticating the user, the PIN does not need the same security requirements as passwords that are sent across the network for verification. This means that a PIN can be much simpler, shorter and does not need to change often, which reduces concerns and IT support loads for reset and recovery. Therefore, the hardware authenticator with a PIN provides a passwordless, phishing-resistant solution for authentication. Finally, the authenticator can limit how many PIN guesses can be made in a given time, or permanently block the PIN if too many incorrect attempts are made. YubiKey devices take the latter approach of blocking the PIN - and effectively destroying all private keys - after 8 incorrect attempts.
Nevertheless, YubiKey devices do not constrain the PIN to a small number of digits; the FIDO2 PIN on a YubiKey can be any sequence of characters up to 256 bytes long.
With FIDO2, there is no need to replace passwords, as there are no passwords required.
For those combining a hardware authenticator with a PIN, it’s important to note that PINs do not demand the same security requirement as a password. A PIN and a password are different. Since a PIN is not part of the security context for remotely authenticating the user (the PIN is not sent over the network for verification), it can be much simpler and less complex than a password, and does not need to be changed with the same frequency (or at all), which eases enterprise concerns about PIN reset and recovery.
At the time of this writing, Chrome, Firefox, and Dropbox have implemented support for WebAuthn second-factor login flow. Beginning with build 17723, Microsoft Edge now supports the first version of WebAuthn. This latest version of Edge is able to support FIDO2 strong single factor and multi-factor authentication, in addition to the second factor. The Yubico Developer Program offers comprehensive resources for those interested in adding support for FIDO2. Other services supporting FIDO2 can be found on the Works With YubiKey Catalog.
Best practice is always to ensure that you have a backup FIDO2 device in place, should you misplace your primary device. FIDO2 credentials on YubiKeys contain no unprotected identifiable information, so if it were to be found, it could not immediately be used to login without knowing the identity of the owner and to which accounts it is registered. Even when using the YubiKey as a Passwordless single factor authenticator, the discoverable credentials will not be exposed without the user’s PIN being provided first (with firmware 5.2.4 and above). The reality is that the primary attack vector for consumers and enterprises is remote account takeover — whether by credential theft, phishing scams, or man-in-the-middle attacks. FIDO2 is specifically designed to protect against these types of threats.
For those who are concerned with physical threats, the option is there to require multi-factor authentication using a PIN for additional protection. That way, if someone obtains a stolen Security Key, they will still need to know which accounts it is registered with, and also have access to your additional factor (PIN) to be able to login.
Note that the backup FIDO2 device must also be registered with each service where you want to use it as a backup.
FIDO2 authenticators share many similarities with smart cards: authentication is performed by using cryptographic primitives instead of string comparisons, and the user’s key material is secure inside tamper-resistant hardware. FIDO2, however, does not require the extra infrastructure components required for smart card deployment e.g. a Public Key Infrastructure (PKI) to manage certificates. SmartCard implementations typically have a centralized authentication model where FIDO2 uses a decentralized model. The authentication event happens on the FIDO2 authenticator. The server can check the authenticator’s assertion response to verify that the authentication meets the server’s criteria.