CBA AND FIDO: One, Other, or Both?

MFA Fatigue Attacks

Overview - A Pragmatic FIDO Approach

There are a number of articles that discuss FIDO and CBA as standalone authentication methods. But, relatively few provide a recommended approach, and even fewer provide insights for both enterprises and government agencies. To begin the discussion of CBA and FIDO, some background and context is needed.

Waiting for FIDO

A great many organizations, both enterprises and government agencies, are implementing or planning to implement FIDO as an authentication method throughout the environment. And, there’s good reason for these plans. The FIDO Alliance (see insert) is composed of many of the biggest players in tech. So, it’s likely that FIDO will become a leading authentication technology in the next couple of years.However, attacks on people, machines, and interactions are escalating in sophistication, number, and coverage across the entire exposure surface. A complete and robust FIDO stack is perhaps a couple of years in the future. So, what’s the right thing to do TODAY?

FIDO Alliance PrimerFIDO2 is a modern phishing resistant, passwordless authentication standard that allows users to access web, desktop, and mobile applications simply and securely. FIDO2 was developed and promoted by the FIDO alliance and its members as the authentication baseline for both consumers and enterprises, with large base of support including Apple, Google, Microsoft, etc. The standard is being widely adopted by the industry, from browsers such as Google Chrome, Microsoft Edge, Safari, and Firefox to hardware such as Windows, Android and MacOS devices. For more information, visit the FIDO Alliance website.

CBA Is Here Today

Certificate-Based Authentication (CBA) is based on the proven Public Key Infrastructure (PKI) technology that is widely utilized for users and machine (physical device and workloads) identity today. CBA is enjoying a resurgence of activity due to being named as the Azure AD preferred approach for user authentication (for more background, see insert or our Why is CBA Hot Right Now? blog). Key points about CBA today:

  • Leverages an accepted global standard (X.509) for certificates
  • Enables user-friendly authentication
  • Simplifies authentication architecture for Azure AD by eliminating the requirement for a federated Microsoft Active Directory infrastructure
Certificate-Based Authentication PrimerCertificate-based authentication is a security measure that uses digital certificates to verify the identity of a user or device. A digital certificate is a file that contains information about the holder of the certificate, such as their name, email address, and public key. The certificate is signed by a trusted authority, such as a government agency or a web server, to verify that it is genuine. Certificate-based authentication is a very secure way to verify the identity of users and devices. The digital certificates used in certificate-based authentication are difficult to forge, and the process of verifying the certificate’s validity is automated. Organizations that use certificate-based authentication can be confident that only authorized users and devices will be able to access their resources. For more information, visit our How Does Certificate-Based Authentication Work? blog.

Axiad’s “Pragmatic FIDO” Approach

Axiad’s describes our approach as “Pragmatic FIDO”. Boiled down, that means leveraging FIDO where it works best TODAY and leveraging other approaches such as Certificate-Based Authentication (CBA) where it works best by use case, such as:

  • As a non-disruptive add-on to unify authentication across 1 or more IAM systems.
  • Where it is the preferred approach, such as with Azure AD.
  • Where it covers gaps in FIDO, such as for authentication to MacOS devices. FIDO can then be used to authenticate to applications such as Office 365.

Axiad Plan: Evolve Pragmatic FIDO

Axiad’s platform supports a wide range of authentication technologies and approaches today including FIDO, CBA, MFA, Phishing-Resistant Authentication, PKI, and more. Any or all these approaches can be implemented by an organization today. As FIDO standards evolve, Axiad plans to enhance our platform to evolve our pragmatic FIDO approach further. Stay tuned to the Axiad blog for more information over time.

Wrapping Up: The Answer is Both FIDO and CBA

To summarize Axiad’s “pragmatic FIDO” approach: In short, both FIDO and CBA have use on their own and combined to address required use cases in enterprises and government agencies. Further, a platform that supports both is an ideal way to do so efficiently and holistically. Not coincidentally, the Axiad Cloud Platform supports both authentication methods along with the widest range of authenticators on the market.

Learn More

For additional information on how we support both FIDO and CBA in a single platform, please view our Cloud Platform page.