Understanding FIDO2 Authentication Across Different Operating Systems and Browsers
In an era where cybersecurity threats are becoming increasingly sophisticated, FIDO2 authentication stands out as a powerful solution to enhance online security. FIDO2, developed by the FIDO (Fast IDentity Online) Alliance, provides a robust framework for passwordless and phishing-resistant authentication. This article explores how various operating systems and browsers support FIDO2, ensuring users can benefit from this advanced authentication standard.
What is FIDO2?
FIDO2 is a set of standards developed to improve security and user experience by eliminating the need for passwords. It consists of two main components:
- WebAuthn (Web Authentication): A web standard that allows browsers to integrate with hardware-based authenticators.
- CTAP (Client-to-Authenticator Protocol): A protocol that enables communication between a device (like a smartphone or hardware key) and a browser or operating system.
Operating System Support for FIDO2
Windows
Windows 10 and Windows 11 provide extensive support for FIDO2 authentication. Both versions integrate with the Windows Hello platform, which supports biometric authentication (like fingerprint or facial recognition) and PINs. Windows Hello can be used as a FIDO2 authenticator, enabling users to log into websites and applications that support FIDO2 without needing a password.
- Windows 10: With the April 2018 update, Windows 10 supports FIDO2 through Windows Hello and Microsoft Edge.
- Windows 11: This version continues and enhances support for FIDO2 with a seamless integration of Windows Hello and improved security features.
macOS
macOS supports FIDO2 through its integration with the Safari browser and hardware security keys. The support is bolstered by macOS's built-in support for biometric authentication through Touch ID and Face ID on compatible devices.
- macOS Mojave (10.14) and later versions support WebAuthn, allowing users to use FIDO2-compliant hardware keys and biometric methods for secure authentication.
- macOS Ventura (13) further refines FIDO2 support, improving compatibility and security features.
Linux
Support for FIDO2 on Linux is evolving, with many distributions offering compatibility through the PAM (Pluggable Authentication Module) framework and U2F tools. Notable Linux distributions like Ubuntu and Fedora have added support for FIDO2 authentication, allowing users to integrate hardware security keys with their systems.
- Ubuntu: Provides support for FIDO2 through its PAM modules and GNOME settings.
- Fedora: Integrates FIDO2 with its authentication framework, enhancing security options for users.
Linux Limitations
There are some issues in Linux (Ubuntu, for example). Browsers send CTAP commands to the FIDO2 key (authenticator) via a USB HID interface, which does not work with PC/SC. It's important to note that this behavior is not specific to Token2 FIDO2 keys but rather to any FIDO2 device; USB connections work fine. Workarounds can be found on the Internet, but they are not ideal for production and also have limitations. USB transport works without any issues.
Mobile OS Support for FIDO2
FIDO2 support extends to mobile operating systems as well, providing a seamless experience across various devices. Both Android and iOS offer robust support for FIDO2 authentication, enhancing security and user convenience on smartphones and tablets.
Android
Android has integrated FIDO2 support starting with Android 7.0 (Nougat). Modern versions of Android provide extensive support through the use of FIDO2-compliant hardware keys and biometric methods. Android devices can utilize NFC-enabled security keys and biometric authentication such as fingerprint or facial recognition. Additionally, Android's support for WebAuthn allows apps and websites to leverage FIDO2 for secure, passwordless login.
Android Limitations
While Android support is declared, please note that there are some limitations around it. First of all, FIDO2.1's passkey support (namely PIN-protected resident keys) has been introduced as a part of Google Play Services v23 and only via USB transport method. So, this means that:
- Android supports PIN-protected FIDO credentials only if Google Play Services is present.
- Android does not support PIN-protected FIDO credentials over NFC.
Non PIN-protected usage (legacy "U2F" mode) is working fine.
iOS
iOS, beginning with version 13, includes support for FIDO2 authentication. iPhones and iPads can use FIDO2-compliant hardware keys through Bluetooth and NFC. iOS devices also support WebAuthn, enabling secure authentication through biometric methods like Face ID and Touch ID, as well as hardware keys. This integration ensures that iOS users can benefit from the same level of security and convenience as users on other platforms.
Browser Support for FIDO2
Google Chrome
Google Chrome has been a pioneer in supporting FIDO2. As of version 67 and later, Chrome includes built-in support for WebAuthn, allowing users to authenticate using FIDO2 hardware keys, biometric authentication, or PINs. Chrome’s integration with FIDO2 provides a seamless user experience across various platforms.
Mozilla Firefox
Mozilla Firefox added support for FIDO2 starting with version 60. This support extends to both Windows and macOS platforms, allowing users to utilize FIDO2 hardware keys and biometric authentication. Firefox's commitment to privacy and security aligns well with the goals of FIDO2.
Microsoft Edge
Microsoft Edge, the successor to Internet Explorer, includes comprehensive FIDO2 support. Integrated with Windows 10 and 11's Windows Hello, Edge allows users to leverage biometric and hardware-based authentication methods for secure access to websites and applications.
Safari
Safari, the default browser for macOS and iOS, started supporting WebAuthn and FIDO2 with macOS Mojave and iOS 13. This support enables users to authenticate using FIDO2 hardware keys and biometric methods, aligning with the security standards of other major browsers.
Note: Some versions of Safari do not currently support setting a PIN on new or recently reset FIDO2 keys. To set a PIN, you must use an alternative method, such as Chrome or the fido2-manage tool. Once the PIN has been set, Safari can be used for further operations.
Server-Side Considerations
While operating systems and browsers may offer robust support for FIDO2, authentication servers can impose their own limitations or requirements. This means that even if your OS and browser support FIDO2, the server you are trying to authenticate with may have specific constraints or configurations. For example, Microsoft Entra ID, formerly known as Azure Active Directory, supports FIDO2 authentication but has specific implementation details or limitations, as described here. For instance, organizations using Microsoft Entra ID need to ensure that their policies and configurations align with FIDO2 standards to enable seamless authentication experiences. This might include setting up conditional access policies or integrating specific hardware keys that are supported by the service.
Platform Passkey Implementation and Standalone FIDO2 Devices
With the implementation of platform passkey support, some modern browsers may default to using built-in authentication methods or external software-based passkeys (such as Microsoft Authenticator's passkey functionality or passkeys integrated into Android and iOS). This means that device biometrics or PINs might be prioritized over standalone FIDO2 devices like USB or NFC keys. Consequently, you might need to make a few extra clicks to switch from the built-in methods to your standalone FIDO2 device. While the platform's native passkey functionality is prioritized, you can still use your FIDO2 device by manually selecting it when prompted.
Managing Your FIDO2 Keys
The guide above focuses on the usage of FIDO2 keys for authentication. For information on managing your keys—such as setting or changing a PIN, enrolling fingerprints, viewing or deleting passkeys, and managing resident keys—please refer to our dedicated management tools page. Some systems include these features built-in, while others may require different tools or applications.
Conclusion
FIDO2 represents a significant advancement in online security by eliminating passwords and offering more secure authentication methods. The support for FIDO2 across various operating systems and browsers reflects a broader commitment to enhancing cybersecurity and improving user experience. As this standard continues to evolve, we can expect even more robust integrations and widespread adoption, making passwordless authentication a mainstream reality.
Subscribe to our mailing list
Want to keep up-to-date with the latest Token2 news, projects and events? Join our mailing list!