
Identity, Unlocked...Explained | Episode 5

John Bradley joins the podcast today to talk about identity management specs, including FIDO2

Nov 9, 2020 | 4 min read

The Overview

In this episode of Identity, Unlocked, Vittorio Bertocci, principal architect at Auth0 and host of the podcast, talks with John Bradley. John is Senior Standards Architect at Yubico and an author of many important identity specifications, including those behind FIDO2.

As usual, Vittorio opens the interview by asking John how he got into the field of identity. John walks through his career and how he first met Vittorio before turning to his current work on web authorization and FIDO2 standards. John’s current company is Yubico, where his job is to wrangle standards: he represents Yubico at standards organizations and plays referee between companies so that the whole community benefits from their shared work. Vittorio then asks John to clarify some significant terms for listeners. John tells the story of how Yubico and Google built U2F (Universal Second Factor) authentication on their own while other companies independently started the FIDO Alliance. To avoid being seen as competitors, Yubico and Google joined FIDO, and the combined effort produced FIDO2. John further clarifies that FIDO2 is a marketing term rather than a single standard; the actual standards are WebAuthn (a W3C specification) and CTAP (the Client to Authenticator Protocol, from the FIDO Alliance).

Vittorio and John also discuss how the technology fits together. Vittorio boils it down to a layering: a website calls the browser’s WebAuthn API, and the browser (or the platform behind it) uses CTAP to talk to the authenticator, whether that is a roaming security key or one built into the device. On the back end, FIDO server infrastructure is one of several options for validating the credentials that come back. At this point, John notes, he and his team still see WebAuthn used more as a second factor than as the first factor; however, with Apple’s work on built-in platform authenticators (Face ID and Touch ID in Safari), John expects that usage pattern to change. He anticipates people using the device’s local face or fingerprint unlock to protect a per-device web credential. Once this becomes ubiquitous, passwords will become increasingly obsolete. Of course, this vision raises new problems, account recovery among them, and John and Vittorio talk through some of them, the need for the industry to develop new practices, and the ways authentication will likely become more woven into our lives, as it has started to with wearable authenticators. As the conversation winds down, Vittorio asks John what his team is working on now and what lies ahead, including WebAuthn Level 2, CTAP 2.1, and much more!

Key Takeaways

[4:20] - John clarifies the history of FIDO and FIDO2

[6:13] - John explains the history of WebAuthn

[10:59] - Uses of WebAuthn

[14:57] - How do you recover passwords without a roaming authenticator?

[18:26] - Has John ever considered an idea like implants for authentication?

[21:45] - John explains his work in progress and what he sees on the horizon.

Links/Resources:

Learn more about John Bradley
Follow John Bradley on Twitter
Learn more about Yubico
Learn more about FIDO2

Vittorio Bertocci on LinkedIn
Vittorio Bertocci on Twitter

Learn more about Identity, Unlocked
Learn more about Auth0

Identity, Unlocked

Identity, Unlocked is the podcast that discusses identity specs and trends from a developer perspective. Identity, Unlocked is powered by Auth0. Vittorio Bertocci is Principal Architect at Auth0 and applies his vast knowledge of the identity industry to Auth0 in all aspects of the company, including internal and external education, product innovation, and customer integration.

About Auth0

Auth0 by Okta takes a modern approach to customer identity and enables organizations to provide secure access to any application, for any user. Auth0 is a highly customizable platform that is as simple as development teams want, and as flexible as they need. Safeguarding billions of login transactions each month, Auth0 delivers convenience, privacy, and security so customers can focus on innovation. For more information, visit https://auth0.com.