WiSECURE Technologies

FAQ

Passwordless authentication

“Passwordless” does not mean a password manager.
Being passwordless means passwords are discarded entirely and a different technique is used for authentication.

Passwordless authentication is built on asymmetric (public-key) cryptography. The user holds a pair of keys, the “public key” and the “private key”. The private key must be kept by the user and must never be leaked. The public key is handed out to other parties so that they can verify the user’s identity.

A private key is not a password but a very large positive integer generated by an algorithm, usually expressed in binary or hexadecimal. It is stored in the secure area of the device, cannot be read without authorization, and is accessed only when a decryption or digital-signature operation is performed.

Whether any evidence remains after a private key is taken depends on where the key is stored. If it is stored in a hardware security module (HSM), hardware-based security measures leave evidence of tampering (a tamper-proof, tamper-evident design). If it is stored on an ordinary device such as a smartphone, it is easier to steal and the theft is harder to detect.

A user’s public key is given to the “public” so that other parties can verify the user’s identity. A public key is therefore not a target for theft.

About FIDO

FIDO stands for Fast Identity Online. It is a framework developed to enhance online security by using public key cryptography for identity authentication, replacing traditional passwords. Initially founded by an alliance of companies including PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio, FIDO has since grown into an international alliance with nearly 300 corporate members.

In the FIDO authentication framework, a user’s private key is stored either in a secure environment on the device or in an external security key. The security of this storage environment affects the risk of the private key being copied or stolen. FIDO-certified products have two levels of certification:

  • Level 1: Provides a certain quality of private key storage, but does not guarantee complete protection against copying or theft.
  • Level 2: Offers a higher level of assurance that the private key will not be stolen or misused.

FIDO2 emphasizes replacing passwords with physical security keys or smartphones. Users only need to create an account and bind it to a physical security key or their smartphone. For subsequent logins, they can use the physical security key or smartphone as their authentication credential, eliminating the need to manage any passwords. This approach enhances security and simplifies the user experience by removing the reliance on traditional password management.

Passwords need to be updated primarily because password-related information is stored on the server and users cannot guarantee the secrecy of their passwords, which makes password management difficult. FIDO authentication, in contrast, uses public-key cryptography: during registration a key pair is generated and bound to the account, and once bound the keys are not updated. If there are security concerns about an existing account, the user re-registers to generate a new key pair. FIDO authentication therefore does not require periodic updates like passwords; it relies on re-registration if a security issue arises.
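The registration, challenge-response and re-registration flow described above, as an added illustration that is not WiSECURE's code or a real FIDO2 implementation: the server keeps only a public key per account, each login signs a fresh random challenge, and registering the account again replaces the bound key so the old authenticator no longer verifies. Account names, the in-memory key table and the use of P-256 ECDSA are assumptions made for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator holds the private key; in real FIDO it never leaves the security key or secure element.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// Server keeps only public keys, one per account (assumed in-memory table); nothing here is secret,
// so a breach of this table does not let an attacker log in.
type Server map[string]*ecdsa.PublicKey

// Register creates a fresh P-256 key pair on the authenticator and binds the public half to the
// account. Registering the same account again replaces the old key (the FAQ's "re-register" step).
func (s Server) Register(account string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	s[account] = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}

// Challenge returns 32 fresh random bytes per login so a captured signature cannot be replayed.
func (s Server) Challenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign proves possession of the private key without disclosing it.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify checks the response against the public key bound to the account.
func (s Server) Verify(account string, challenge, sig []byte) error {
	h := sha256.Sum256(challenge)
	if pub, ok := s[account]; !ok || !ecdsa.VerifyASN1(pub, h[:], sig) {
		return errors.New("authentication failed")
	}
	return nil
}
```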

If a security key is lost, you should report the loss to your organization’s IT department. They will handle the process of re-binding a new security key in the backend.

Each security key is unique and cannot be replaced once it is bound to an individual’s identity. Therefore, after a security key is bound to a user account, it cannot be exchanged or used interchangeably with other accounts.

According to the FIDO Alliance website, when Validity Sensors and PayPal set out in 2009 to replace passwords with biometric authentication, they intended to base the technology on public-key cryptography. This means that biometric authentication must be combined with public-key cryptography to count as FIDO authentication.

However, many current FIDO authentication methods do not use biometric recognition but rely solely on public key cryptography technology, often combined with methods like touch or PIN entry to verify the user’s presence. In summary, while biometric recognition was part of the original vision for FIDO, subsequent developments focused more on the public key cryptography system due to factors like cost, security, and technology, leading to a shift away from relying solely on biometric modules.

WiSECURE ecosystem

WiSECURE’s mission is to “empower enterprises to implement the FIDO2 authentication framework”, and we provide consulting services to help them achieve certification. Enterprises can choose to deploy security chips, MicroSD cards, USB security keys, or mobile applications with FIDO2 functionality as their authentication engines. We also provide FIDO2 authentication servers to manage account binding and access control within the enterprise.

For enterprise internal control, account binding and permission settings are handled by IT personnel. For consumer-side implementations, depending on the service provider’s design, if passwordless authentication is used it is recommended to register at least two non-password authentication methods, so that if a security key is lost there is still a way to access the account.

WiSECURE’s FIDO2 solutions include activity logging to enhance security and non-repudiation. Digital signatures are used for auditing logs, providing an additional layer of security and traceability.

Yes, WiSECURE’s FIDO2 Server solutions can be used not only for internal enterprise applications but also integrated into cloud services.

Yes, WiSECURE’s passwordless authentication can be applied to privileged account management.


Yes, passwordless authentication can be used to replace traditional account password methods with FIDO2 multi-factor or passwordless authentication, significantly enhancing the security of cryptocurrency management.

WiSECURE typically provides enterprise solutions, but personal versions can be acquired through distributors or resellers, who can then offer services to individual users.

Yes, WiSECURE can assist in integrating “devices, internal enterprise website services, and FIDO2 authentication servers,” providing a platform and tools for managing device and user permissions, and transferring technology and packages comprehensively.


FIDO, which stands for Fast Identity Online, can be deployed on private or public clouds. For offline authorization, WiSECURE can customize authentication mechanisms, extending the FIDO2 framework to create a secure certificate verification framework for temporary authorization.

Yes, FIDO can be used for two-factor authentication.