FIDO2 and Web Authentication

Speaker: Joost van Dijk

Abstract

Earlier this year, the World Wide Web Consortium published the W3C Recommendation for Web Authentication: An API for accessing Public Key Credentials. This API enables web sites to authenticate users with FIDO2 authenticators — small hardware tokens that can be used as a second factor for protecting your accounts at Dropbox, Google, and Microsoft (just like its predecessor, FIDO U2F).

Moreover, FIDO2 support passwordless login, where users can access their accounts without the need to enter any credentials, instead performing some user action like pushing a button or scanning a fingerprint.

Also of great importance are the security benefits of FIDO2 tokens, in particular its privacy properties and protection from phishing and Man-in-the-Middle attacks.

In this presentation, we will dive into this new technology and see how it works under the hood, why it improves on usability, security, and privacy aspects compared with traditional solutions, and how it can be integrated into your own web applications.

Biography

Joost van Dijk works for SURF, the collaborative organisation for ICT in Dutch education and research as a technical product manager in the field of Security and Privacy.

For the past decade, he has been working on solutions for improving the usability and security of authentication for SURF's population of 1.5 million students, researchers, and staff. He was involved in the development of SURF’s service for strong authentication and is the co-designer of the open source authentication app tiqr.