For organizations looking to secure devices or applications, PIV-compatible smart cards and FIDO2 authenticators have emerged as the two broadly recognized methods for achieving phishing-resistant authentication. PIV, which has been a mature standard for many years, has recently seen a lot of interest from identity providers, owing partly to its prevalence in the US Federal Government and other large organizations. FIDO2 is a relative newcomer, and takes a much more privacy-focused and less infrastructure intensive approach to phishing-resistant authentication, making it useful for organizations of all sizes as well as individuals.
How do phishing resistant authentication methods work?
All currently available phishing resistant authentication methods rely on public key cryptography (also known as asymmetric cryptography), a type of cryptography which relies on two different keys - a public key, which can be distributed freely, and a private key which must be kept secret. The private key can be used to create signatures that can be quickly and easily verified by anyone with the public key, but are not practical to forge. The YubiKey stores the private key securely, and performs the signing operations internally, so that the private key never has to leave the secure element. The use of asymmetric cryptography allows for each authentication session to be unique, and protecting the private key prevents others from assuming the user's identity.
What is PIV?
When we refer to PIV, it’s generally shorthand for “PIV compliant smart card”. PIV compliant smart cards can be used on a wide variety of platforms including mobile devices, usually with a minimal amount of additional software. PIV Support is typically coupled with mTLS for use over the internet. mTLS (mutual transport layer security) is a W3C-maintained protocol for authenticating the server to the client (like in normal TLS) and also authenticating the client to the server. When mTLS is coupled with a PIV smart card - the result is a standards-based phishing resistant authentication mechanism. Generally speaking, the hardware (in our case the YubiKey) is referred to as a smart card.
What is FIDO2?
When we refer to FIDO2, we’re referring to the combination of the FIDO Alliance maintained CTAP2 protocol, which governs the interface between the Yubikey and the device it’s plugged in to, and the W3C-maintained WebAuthn protocol, which controls how services can interact with security keys on client devices. In this case, the hardware is referred to as a security key. FIDO2 also encompasses some older protocols and specifications. U2F is the predecessor specification for both CTAP2 and WebAuthn - it describes both the hardware interface and web standard for authentication. Generally speaking, if a service is compatible with U2F, a FIDO2 key will still work, but a U2F security key will only work with a website using WebAuthn if the new FIDO2 features that enable passwordless like user verification (PIN or Biometrics) and discoverable credentials are not required.
PIV: Broad Compatibility at a Cost
PIV is the undisputed champion of device logon. With broad support for Windows, Mac and Linux, connected to a variety of different directories including on-premises Active Directory as well as disconnected / offline environments, PIV is the most likely to be able to meet the needs of where a majority of their devices aren’t joined to a cloud-based directory like Azure AD. PIV smart cards are a relatively stable technology that has enjoyed this broad device logon support for many years.
The technology at the core of PIV - x509 certificates - also lend other benefits to organizations that can securely deploy the CA (Certificate Authority) and PKI (Public Key Infrastructure) to issue certificates to the YubiKey. In addition to the broad device logon compatibility, the YubiKey can securely store Encryption and Signing certificates. These certificates can be used to encrypt communications, or digitally sign documents, source code or compiled executables with a certificate that can be strongly tied to an identity. That strong binding to an identity, which is carried on the YubiKey in the form of a certificate can be an advantage in and of itself. PIV credentials are not bound to a specific authentication domain, so the same credential can be used for multiple different accounts in multiple disparate directories - as long as they all trust the authority that issued the PIV certificate.
The long established dominance of PIV with security conscious organizations has also driven it into the cloud and mobile space. In the fall of 2022, Microsoft made a string of announcements related to PIV support for Azure AD (and their flagship Microsoft 365 product), and mobile platforms. PIV can now be used with Android, iOS and iPadOS devices to log in to Microsoft’s suite of mobile apps as well as Azure AD protected web applications. While these new features are still in public preview at the time of writing, we expect that this support will see improvements and a public release soon.
PIV Deployment Scenarios
While we don’t expect most organizations to fit neatly into a single description, these deployment scenarios are meant to exemplify situations where PIV credentials have a clear advantage over FIDO2 - either in terms of architecture complexity, device support or capability.
Pre-existing Strong Centralized Identity & Device Management
Organizations with already-deployed strong identity management for most users of their systems can leverage that investment to help implement phishing-resistant authentication with PIV. These organizations are well equipped to deploy the Yubico Minidriver and optional 3rd party smart card middleware to assist with provisioning smart cards and loading certificates either in-person or via remote enrollment. These organizations may benefit greatly from integrating a 3rd party CMS (credential or certificate management system), which will be able to use the centralized identity store to provision and manage PIV credentials at scale.
Heavy Mobile Device Usage & Strong Mobile Device Management
For organizations where the ability to use phishing resistant authentication to authenticate mobile devices is paramount, PIV has a commanding lead over other technologies. Microsoft 365 native applications and web applications are well supported, and 1st party applications can be integrated with the Yubico Authenticator app for Android and iOS to ensure that in-house applications have the strongest authentication available.
Disjointed or Disconnected Authentication Domains
Organizations that have exotic domain environments (multiple isolated domains, offline or air-gapped domains, etc.) can benefit from PIV’s identity-centric authentication model, which can allow a single identity on a single YubiKey to be used with a number of different accounts in different organization-managed environments - whether they’re connected to the internet or not.
FIDO2: High efficiency authentication.
If PIV is the reigning champion of device logon, then FIDO2 is the upstart that has disrupted authentication to *services*. FIDO2 was designed from the ground up to be easy to use on today’s internet, inexpensive and easy to implement for service providers. Unlike PIV, FIDO2 has no reliance on a certificate authority. The credentials that are created on a FIDO2 token prove only authentication, not identity. FIDO2 credentials are bound to a specific authentication domain (a relying party), and won’t even be disclosed to other relying parties. In fact, FIDO2 doesn’t disclose *any* information about the credentials stored on the device without knowledge of the PIN. For organizations seeking to limit the risk of any identifying information being leaked if an authenticator is lost or stolen, FIDO2 excels at preserving that privacy.
FIDO2 leverages the USB HID specification - the same one that allows seamless (and driver-less) plug and play with keyboards and mice - for communication. That interface allows FIDO2 to be used without any configuration hassle or driver deployments on a wide range of platforms.
The slimmed-down nature of FIDO2 limits its applications to authentication only.
The reduced cost and complexity of FIDO2 deployments that comes from not requiring a Certificate authority or PKI is significant. Most notably, FIDO2 credentials don’t expire after a fixed time period. This makes them much more convenient for infrequent users of a service.
FIDO2 also provides attestation, which can be used to restrict authenticators to only specific manufacturers and models that meet certain criteria (like FIPS, CSPN or FIDO certification), and to validate that devices are not counterfeit. Attestation can be used to ensure customers and partners are using appropriately certified (and secure) FIDO2 devices - even if they’re not provided by the same organization.
Support for FIDO2 in the Microsoft Azure ecosystem is gradually improving, and Windows devices are well supported for device logon, client applications and web apps. However, support on other platforms, especially mobile devices, is currently very limited. We expect to see this support improve quickly as more and more organizations transition to phishing-resistant authentication, and as regulatory, investor and insurance pressure grows to make sure that organizations protect themselves from preventable credential theft.
FIDO2 Deployment Scenarios
Just as with the PIV Deployment scenarios - these are not meant to be perfect descriptions of organizations, however sharing a lot of requirements with these model organizations can be a strong indicator that FIDO2 is the most cost effective solution.
BYOD Devices and Diverse User Base
In organizations where devices are not strongly centrally managed, or where they may even be relying on employees to provide their own device, or where many users of organization systems may not be employees, the self-service and non-expiring nature of FIDO2 tokens can significantly reduce ongoing expenses while still ensuring that users have the best available protection against phishing attacks. Allowing customers to register their own FIDO2 security keys provides a benefit for security-conscious users without incurring the costs of managing a PKI system that comes with PIV deployments.
Cloud Native Organizations
Organizations that are primarily running off of SaaS systems - whether they’re all properly federated with a single-sign-on provider or not - can benefit from FIDO2. While it’s almost unheard of for SaaS solutions to directly accept authentication with PIV smart cards. It’s relatively common for SaaS providers to accept security keys as an authentication mechanism.
PIV and FIDO2: Not Mutually Exclusive
PIV and FIDO2 are both very similar in the abstract - they both use asymmetric cryptography to ensure that possession of a credential can be verified without disclosing the contents of the credential itself, but are quite different in execution. These differences in implementation give them each their own niches - specific situations, platforms and user bases that make them each more or less desirable, while still meeting the same basic need: secure authentication that is resistant to modern phishing mechanisms. In that chase, it’s good that these technologies aren’t mutually exclusive. They can be used to compliment each other in a deployment, and help to provide a fuller spectrum of support for different scenarios. For example, an organization might enforce *some sort* of phishing resistant MFA for all access to sensitive information, with PIV being used by system administrators and developers that need to interact with on-premises systems and remotely manage servers, where FIDO2 would be utilized by remote information workers, where all of their interaction with company managed systems is via officially supported Microsoft applications, or web applications.
A number of identity management solutions support mixing both PIV and FIDO2 credentials. Some CMS systems even come with their own identity provider that supports both and is ready to federate with organizational and cloud systems. While adding additional PIV identities can incur a fairly hefty recurring cost, the incremental cost for additional FIDO2 tokens is typically minor, and doesn’t require any significant upkeep other than ensuring the tokens are in good working order.
Given the current state of support for PIV and FIDO2, they shouldn’t be thought of as competing technologies, they should each be evaluated individually. When you have a device, like the YubiKey that is capable of both protocols, it’s important to understand what the cost and benefits of each of them might be. While it may not make sense to enroll every user in both a cloud-based CMS to manage a PIV certificate and have each person enroll their YubiKey as a FIDO2 authenticator, it may make sense to have that sort of coverage and flexibility for certain user groups.
For organizations that are already steeped in certificate based authentication for on-premises use or device logon, the calculus is different. There’s no large incremental cost to enable FIDO2 beyond actually communicating how to use it to end users. It can also enable a wide variety of secure logon scenarios. FIDO2 can suecure accounts that employees hold with partners or suppliers where there isn’t a formal federation or authentication trust, but business related information is still exchanged. Ensuring that employees have FIDO2 tokens (and know how to use them) can help reinforce good security practices with employees that can have an impact on reducing risky behaviors (like password reuse), even if your organization doesn’t have complete control over the account, or use FIDO2 at all.