Blog

FIDO2 for Windows Credential Provider

Exciting New functionality: FIDO2 for Windows Credential Provider

FIDO2

Exciting New functionality: FIDO2 for Windows Credential Provider

Now you can log in to your Windows computer with FIDO2 ready USB key or device, as you used with the FIDO U2F Key.

What is FIDO2?

FIDO2 enables users to easily authenticate to the online services in both mobile and desktop environments.

FID02 is a successor to the previous authentication standards, FIDO UAF and FIDO U2F. 

Advantages for using FIDO2 for Multi-Factor Authentication

– Authentication to multiple systems with one device

You have the ability to secure the web as well as desktop via Multi-Factor Authentication.

-Higher Security

FIDO2 provides strong user authentication with a keypair (private and public) that can only be unlocked with a finger press. The FIDO standards protect the users against fishing attacks by linking the cryptography to the DNS names.

-Low Discrepancy

There is a counter stored on both the fido key and the relying party (WebADM). It is incremented in the fido key each time you get an assertion from it, and that value is sent in the assertion to WebADM which stores it. That new value should always be higher than the one which is already stored in WebADM hence detecting cloned/forged authenticators.

There are 3 scenarios, you can log in to your RCDevs Windows credential provider via the FIDO2 key:

1)If you are on your active directory network, you can log in on your active directory with or without enabling Multi-Factor Authentication with your FIDO2 Key.

2)If you are outside your network and connected to the internet, you can still have authentication with your FIDO2 key that is verified on your RCDevs OpenOTP Server.

3)With no connection at all the offline mode still allows you to use your FIDO2 Key to authenticate yourself on your computer.

This mode is, of course, not mandatory and you can set the duration you want to enable it.

How FIDO2 works for the Windows Credential Provider client?

FIDO2 Authentication Method

Offline login works with Asymmetric keys thus, you can’t decrypt anything with the public key.

Here WebADM is the relying party, when you login and configure in FIDO2, WebADM sends a challenge to the private key. The user’s private key is stored in FIDO2 authenticator, which is protected by a biometric factor or a pin (user’s presence is mandatory) and is used to sign transactions initiated by a relying party. 

It brings to your windows login the same tree logging scenario that you already had with your RCDevs Mobile Push App.