Combining FIDO2 and PKI: Supporting All Your Applications

The world of IT is constantly evolving, driven both by advances in technology and by the shift to remote work. Remote work is now commonplace, and 90% of IT leaders report seeing an increase in cyberattacks since the start of the pandemic.

As a result, many businesses are taking another look at how they authenticate their users to their network. IT personnel need to secure not just their office building but the home offices of their employees as well.

This has led many organizations to invest in PKI solutions to harden their networks with certificate-based authentication. Cloud-managed PKIs, like SecureW2, outrank on-premises PKIs like AD CS because they are more scalable and come at a third of the cost. Plus, they are simple to implement if you choose the right PKI solution.

A PKI can be taken to the next level when used in conjunction with FIDO2, the open authentication standard hosted by the FIDO Alliance. In this article, we’ll take a look at PKI and FIDO2 and see how they can work together.


What is FIDO?

FIDO stands for “Fast Identity Online”, and it was created to do just that: let users securely access online services without having to install new software or drivers. Instead of relying on a static piece of data you know (like a password), FIDO relies on a physical token (for example, a YubiKey) to authenticate you to a service on the network.

These keys are capable of robust cryptography without any action required from the end user. When the key is registered with a service, a public and private key pair is generated: the public key is shared with the service, while the private key stays on the security key.

Each time a user sends data, it is encrypted with the shared public key and can only be decrypted with the receiver’s private key. The key pair confirms that the other party is the same entity the user registered with, which prevents a bad actor from accessing the data. The security key cannot communicate with any other device until the user physically unlocks it.
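To make the registration and login steps above concrete, here is an added Go model of the FIDO2 flow as the standard defines it. It is not code from the original post or from SecureW2; the names Authenticator, RelyingParty, Assertion and signedMessage, and the simplified message layout (RP ID hash, counter, challenge hash), are my own choices rather than WebAuthn's exact wire format. The point it shows is that the key pair is used for signatures, not for sending secrets: the service keeps only the public key, each login signs a fresh server challenge with the private key that never leaves the token, the signature is bound to the relying party's ID, and a signature counter lets the server reject a replayed or cloned assertion.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Assertion stands in for a WebAuthn assertion: scoped RP ID hash, signature counter, DER ECDSA signature.
type Assertion struct {
	RPIDHash  [32]byte
	Counter   uint32
	Signature []byte
}

// Authenticator models the security key: private keys never leave it; the counter exposes replay and cloning.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // relying-party ID -> credential private key
	counter uint32
}

// RelyingParty models the server: it stores only public keys and the last counter it accepted per user.
type RelyingParty struct {
	ID       string
	pubKeys  map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

// signedMessage is what both sides sign and verify: rpIDHash || counter || sha256(challenge).
// Binding the relying-party ID in is what makes an assertion useless on a look-alike site.
func signedMessage(rpIDHash [32]byte, counter uint32, challenge []byte) []byte {
	ch := sha256.Sum256(challenge)
	msg := append(rpIDHash[:], byte(counter>>24), byte(counter>>16), byte(counter>>8), byte(counter))
	return append(msg, ch[:]...)
}

// Register creates a P-256 key pair scoped to rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // a failing system RNG is not recoverable here
	}
	a.keys[rpID] = priv
	return &priv.PublicKey
}

// Sign answers a challenge for rpID with the credential registered for it.
func (a *Authenticator) Sign(rpID string, challenge []byte) (Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return Assertion{}, errors.New("no credential registered for " + rpID)
	}
	a.counter++
	as := Assertion{RPIDHash: sha256.Sum256([]byte(rpID)), Counter: a.counter}
	digest := sha256.Sum256(signedMessage(as.RPIDHash, as.Counter, challenge))
	var err error
	as.Signature, err = ecdsa.SignASN1(rand.Reader, priv, digest[:])
	return as, err
}

// Enroll stores a user's public key; nothing secret is kept server-side.
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge returns 32 random bytes; a fresh value per login is what defeats replay.
func (rp *RelyingParty) NewChallenge() []byte {
	ch := make([]byte, 32)
	if _, err := rand.Read(ch); err != nil {
		panic(err)
	}
	return ch
}

// Verify accepts an assertion only if it is scoped to this relying party, its counter
// advanced past the last accepted value, and the enrolled public key verifies it.
func (rp *RelyingParty) Verify(user string, challenge []byte, as Assertion) error {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return errors.New("unknown user")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("assertion was produced for a different relying party")
	}
	if as.Counter <= rp.counters[user] {
		return errors.New("signature counter did not advance: replay or cloned key")
	}
	digest := sha256.Sum256(signedMessage(as.RPIDHash, as.Counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("bad signature")
	}
	rp.counters[user] = as.Counter
	return nil
}
```

A typical run is: the authenticator registers for "example.com" and the service enrolls the public key; on login the service issues a challenge, the authenticator returns an assertion, and Verify succeeds once. Presenting the same assertion again fails on the counter check, and an assertion produced for a different relying-party ID fails the scope check, which is the property that makes these keys resistant to credential phishing.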


When To Use a FIDO2 Security Key

Security Keys are undoubtedly useful for anyone who wants to prioritize security. Whether you want to protect your bank account or your Twitter, a security key can help keep your information safe.

Anyone from enterprise-level corporations to small business operations will find countless ways to use them. They can integrate into most authentication processes you encounter:

  • Log in to a user account on a laptop or desktop
  • Log in to a VPN or proxy service
  • Log in to social media
  • Log in to web applications
  • Regulate access to secure buildings, rooms, servers, etc.
  • Control privileged account access

FIDO2 Security Keys add the benefit of authenticating quickly without needing to remember any passwords. These keys can simply be plugged in and voila, authentication made simple.


What is a PKI? Can It Work With FIDO2?

The purpose of a PKI is to manage the public keys used by the network: public-key encryption, identity management, certificate distribution, certificate revocation, and certificate management. Once a PKI is in place, each user who enrolls for a certificate is tied to an identity that can later be authenticated, or revoked.

PKI allows users and systems to verify the legitimacy of certificate-holding entities and securely exchange information between them over-the-air. The introduction of a PKI enables stronger, certificate-based security, as well as identity services and management tools to maximize network efficiency and security.

The tools and standards that a good PKI brings are perfect for combining with FIDO2. Certificates remove any possibility of user error and more advanced over-the-air hacking techniques.

While credentials are securely passed to the device from a FIDO security key, that’s as far as the protection goes. They’re communicated over the same network as all of the other potentially insecure traffic. Certificates ensure that the authentication process is protected from start to finish. The private keys are invulnerable from the moment they’re generated on the security key until they are authenticated by the recipient application.
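To make the certificate side concrete, here is an added Go example of the lifecycle the PKI section above describes: a root CA issues a client-authentication certificate for a key, a service verifies the chain and intended usage before trusting the identity, and revocation takes effect. This is my own illustration, not SecureW2's software or its enrollment portal; CA, NewClientKey, Issue, Revoke and Authenticate are names I chose, and the in-memory revoked-serial map stands in for a real CRL or OCSP responder. In a YubiKey deployment the private key from NewClientKey would be generated on the token instead, and only the public key would reach the CA.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"math/big"
	"time"
)

// CA is a toy in-memory certificate authority: a self-signed root, its private
// key, and the serial numbers it has revoked. Constructed for illustration only.
type CA struct {
	Root    *x509.Certificate
	key     *ecdsa.PrivateKey
	revoked map[string]bool // serial number (decimal) -> revoked
	serial  int64
}

// NewCA generates a root key pair and self-signs a CA certificate for it.
func NewCA(name string) (*CA, error) {
	key, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          big.NewInt(1),
		Subject:               pkix.Name{CommonName: name},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  true,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageCertSign | x509.KeyUsageCRLSign,
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, tmpl, &key.PublicKey, key)
	if err != nil {
		return nil, err
	}
	root, err := x509.ParseCertificate(der)
	if err != nil {
		return nil, err
	}
	return &CA{Root: root, key: key, revoked: map[string]bool{}, serial: 1}, nil
}

// NewClientKey generates the key pair a user's security key would hold; here it lives in memory.
func NewClientKey() (*ecdsa.PrivateKey, error) { return ecdsa.GenerateKey(elliptic.P256(), rand.Reader) }

// Issue signs a short-lived client-authentication certificate binding user to pub.
func (ca *CA) Issue(user string, pub *ecdsa.PublicKey) (*x509.Certificate, error) {
	ca.serial++
	tmpl := &x509.Certificate{
		SerialNumber: big.NewInt(ca.serial),
		Subject:      pkix.Name{CommonName: user},
		NotBefore:    time.Now().Add(-time.Minute),
		NotAfter:     time.Now().Add(24 * time.Hour),
		KeyUsage:     x509.KeyUsageDigitalSignature,
		ExtKeyUsage:  []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, ca.Root, pub, ca.key)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// Revoke records the certificate's serial so Authenticate rejects it from now on.
func (ca *CA) Revoke(cert *x509.Certificate) { ca.revoked[cert.SerialNumber.String()] = true }

// Authenticate is what a RADIUS server or web application does with a presented
// certificate: chain it to the trusted root, require the client-auth usage, and
// check revocation. It returns the identity the certificate asserts.
func (ca *CA) Authenticate(cert *x509.Certificate) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(ca.Root)
	if _, err := cert.Verify(x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}); err != nil {
		return "", err
	}
	if ca.revoked[cert.SerialNumber.String()] {
		return "", errors.New("certificate revoked")
	}
	return cert.Subject.CommonName, nil
}
```

Two checks in Authenticate are the ones worth copying into any real deployment: the chain is verified against an explicit root pool rather than the system store, so a certificate from an unrelated CA is rejected even if it names the same user, and revocation is consulted after the chain check, so a serial number only means something within this CA's namespace.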


The Ultimate FIDO2 Solution: YubiKeys with Certificate Enrollment Software

SecureW2 has the industry’s only solution for using certificates with YubiKeys. With SecureW2, you can easily onboard users and have them configure security keys with certificates in minutes. This takes the burden away from IT departments who would traditionally have to manually enroll each YubiKey. Instead, end-users are fully capable of enrolling certificates themselves using our portal. Storing those certificates on a YubiKey adds an invaluable MFA element to your security, allowing you to be confident that you are protected from over-the-air attacks and phishing.

Enrolling YubiKeys for certificates is simple with SecureW2. With just a few clicks in our world-class management portal, you can create a custom client that will configure your YubiKey for certificate enrollment. Our #1 onboarding software comes with the Getting Started Wizard, providing everything you need to enroll a YubiKey for a certificate. (The original post includes a short GIF of the process here.)

If you’re interested in exploring the possibilities of certificate onboarding and simple self-enrollment, read about our Yubico integration here. You can contact us here if you have any other questions.


Eytan Raphaely

Eytan Raphaely is a digital marketing professional with a true passion for writing things that he thinks are really funny, that other people think are mildly funny. Eytan is a graduate of University of Washington where he studied digital marketing. Eytan has diverse writing experience, including studios and marketing consulting companies, digital comedy media companies, and more.