The first laptop to build in FIDO was the Google Pixelbook (RIP). It was a little geeky–you enabled a hidden ChromeOS feature to activate FIDO U2F via the laptop power button. But Apple has taken this behavior to its logical next level: using the MacBook Touch ID as a FIDO token. Who needs to plug in a biometric USB token when you have a fingerprint reader right on your keyboard?
Apple joined the FIDO Alliance back in early 2020. One of the goals was to add “platform authenticator” capabilities to their devices. iOS 14 and new MacBooks (like the M1) are the first to do so, paving the way for phishing-resistant, standards-based passwordless two-factor authentication.
Some organizations resist issuing USB or Bluetooth hardware devices. Platform authenticators offer the advantages of FIDO 2 / WebAuthn, without the need to buy a physical token.
“Attestation” (performed in the FIDO2 server during creation) is basically a secure way for you to verify the device is authentic and has the capabilities it says it does. A limitation of attestation is that it does not guarantee that the operating system running on that device has not been tampered with. Non-platform credentials (e.g. a USB token) do not have this issue, because it is impossible (or at least impractical) to modify the hardware. An untampered operating system ensures that the private key is protected by the Secure Enclave, protected with Face ID or Touch ID (although the passcode backstops biometric failure).
Apple Anonymous Attestation is the first of its kind, providing a service like an Anonymization CA, where the authenticator works with a cloud-operated CA owned by its manufacturer to dynamically generate per-credential attestation certificates such that no identification information of the authenticator will be revealed to websites in the attestation statement. Furthermore, among data relevant to the registration ceremony, only the public key of the credential along with a hash of the concatenated authenticator data and client data is sent to the CA for attestation, and the CA will not store any of these. This approach makes the whole attestation process privacy-preserving. In addition, this approach avoids the security pitfall of Basic Attestation in that the compromising of a single device results in revoking certificates from all devices with the same attestation certificate.
Support for Apple platform FIDO credentials is available in Gluu Server 4.3.
Gluu’s support for FIDO is multi-tiered. The Gluu Server includes a standalone FIDO server that validates and registers credentials. A Casa FIDO plugin enables users to manage their devices (i.e. register, remove). And Gluu provides a FIDO SCIM extension, which allows applications to list and remove FIDO devices for an end-user (enabling self-service).
The Gluu OpenID Connect server enables the use of FIDO for traditional two-step authentication (step 1: username/password; step 2: FIDO device authentication) or a passwordless flow (step 1: username; step 2: FIDO device authentication).
All this is excellent news for the industry. Reducing the password monoculture will make the Internet safer for everyone. A decade of hard work by the FIDO community is helping to make this happen and enabling Gluu to bring these new features to the open-source community.