Step into the world of phishing-proof passwordless authentication – with Goldengate Security Keys
The eWBM Goldengate series security keys are USB biometric hardware keys built for FIDO2 authentication, with extensive security features and the fastest-in-class fingerprint recognition algorithm. Our keys are the most secure, fastest-in-class and most affordable choice for keeping your online accounts safe.
The Keys to Phishing Proof Security
Goldengate G310 Security Key
eWBM Goldengate G310 security key features a USB A plug. The keys are made for FIDO2.
Goldengate G320 Security Key
eWBM Goldengate G320 security key features a USB C plug. The keys are made for FIDO2.
Goldengate G450 Security Key
eWBM Goldengate G450 security key features a USB A plug. The keys are made for FIDO2.
Goldengate G500 Security Key
eWBM Goldengate G500 security key features a USB A plug. The keys are made for FIDO2.
PointBlank is the official EMEA distributor for Goldengate Series Security Keys by eWBM – the world’s first FIDO2 Level 2 Certified Security Keys
FIDO2 is an open authentication standard that consists of W3C (World Wide Web Consortium) WebAuthn API (Web Authentication specification) and the CTAP (Client To Authenticator Protocol). WebAuthn has been implemented by the major browsers, and CTAP2 is supported by hardware and platform companies. FIDO2 cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user's device and are never stored on a server.
So, why is a technology giant like Microsoft alongside other major companies such as Google, Intel or Amazon pushing for the FIDO specification to become an integral part of its operating systems (https://www.microsoft.com/en-us/microsoft-365/blog/2018/11/20/sign-in-to-your-microsoft-account-without-a-password-using-windows-hello-or-a-security-key/) and the entire product family as recently announced at Microsoft Ignite (https://techcommunity.microsoft.com/t5/Azure-Active-Directory-Identity/What-s-new-in-Azure-Active-Directory-at-Microsoft-Ignite-2019/ba-p/827831)?
If you are looking to supersede password-based authentication on a large (enterprise) scale, e.g. with Azure AD, keep in mind that TOTP, like other conventional authentication solutions, is generally rather tricky to handle. On top of its reliance on a shared (symmetric) secret, the scheme also requires solid clock synchronisation, which may not always work well depending on factors such as latency. Note also that TOTP derives the One Time Password from the current time, which is of course far from being as unique as true entropy or a Pseudo Random Number Generator (PRNG) seeded from it. That observation calls for additional countermeasures, e.g. rate limiting. TOTP is vulnerable to phishing, can be attacked from the inside, for instance by a rogue administrator, and on the practical side TOTP client devices require batteries.
FIDO, on the other hand, uses asymmetric keys which are decoupled from the user’s secret: the biometric sample of the user’s fingerprint, for instance, is never sent to a FIDO server / Relying Party. Instead, upon a successful local authentication, which could entail PIN entry and fingerprint unlock to support 2FA, the FIDO device generates a key pair and registers the public key with the Relying Party. That means that in contrast to TOTP, where the shared secret is largely stored in the clear on the server side (unless additional countermeasures such as low-level volume or transparent data encryption for databases are implemented), FIDO “gets away” with public user keys only. A final note on those countermeasures: low-level volume or transparent data encryption can only reach the highest currently known level of protection if used in conjunction with hardware-based key management, which again is not explicitly required for FIDO.
Incidentally, FIDO also supports Federated Identity Management (FIM) (see https://fidoalliance.org/specs/fido-uaf-v1.1-id-20170202/fido-uaf-overview-v1.1-id-20170202.html, section 5) which could come in handy in a B2B/AAD scenario. Section 6 by the way also indicates that FIDO is working to extend its realm into OATH and other standards.
Last, but not least: a heterogeneous setup is possible where PCs, laptops or similar workstations use a 2FA biometric-enabled USB dongle while the usual mobile platforms (e.g. Android or iOS) run MS Authenticator, whether as a backup or because your company supports Bring Your Own Device (BYOD) or Mobile Device Management (MDM) in conjunction with strong smartphone key storage capabilities.
For more information on Microsoft’s new passwordless strategy, kindly refer to https://www.microsoft.com/en-us/security/technology/identity-access-management/passwordless
Compared to other FIDO2 keys, the eWBM keys are the only ones which achieve the FIDO2 Level 2 standard.
FIDO boasts an extensive certification program which spans various aspects of the underlying standard such as functional certification or certified authenticator protection levels: https://fidoalliance.org/certification/
Despite the apparent distinction between different security levels all the way up to L3+, it is worth noting that L2 is currently the highest available level which requires evaluation and penetration testing conducted by an accredited security laboratory. Furthermore, L2 prescribes conformance with the following prerequisites and quality guidelines:
- Enhanced key management and authenticator security parameters
- Physical security
- Compliance with an Authenticator Allowed Restricted Operation Environment (AROE), e.g. Arm TrustZone, Intel VT or a TPM
- Self-test and firmware update
- Specific cryptographic algorithms providing at least 112 bits of key strength alongside confidentiality, authentication, key protection, digital signatures and random number generation
Our FIDO2-enabled Goldengate Security Keys are the only L2-certified hardware authenticators worldwide with biometric support. The hardened secure-core MCU MS500 at the heart of all our FIDO2 dongles features cryptographic primitives such as AES-256, SHA-256, HMAC, the GCM block cipher mode of operation and ECDSA/ECDH, as well as a high-performance FIPS 140-2 compliant True Random Number Generator (TRNG). The firmware is protected by Secure Boot, which checks the firmware’s digital signature on every start, while sensitive information such as the biometric fingerprint samples is protected at rest with strong encryption whose underlying keys never leave the secure confines of an HSM- or SmartCard-like cryptographic co-processor.
While FIDO has been specifically designed to simplify the user experience while boosting security, a large-scale set-up will require additional work – quite particularly so within the backend infrastructure.
A very helpful observation to make here is that most major platforms and browsers (in the middle) have already incorporated FIDO2, which considerably reduces the need for local third-party applications. However, the infrastructure depicted on the right-hand side may require its own FIDO2 Server to implement a Relying Party (RP). To facilitate this step, we also offer a reinforced version of a FIDO2 server to match our client-side hardware, i.e. the FIDO2 dongles. We will be introducing it here shortly as a complementary product.
As the name suggests, the RP in turn requires an Identity Provider (IdP), which could be any number of things. For example, most enterprises are currently leaning towards Microsoft’s Azure Active Directory (AAD). AAD can in turn relay authentication requests to a company’s local Group Directory (GD) services, which contain the user objects in question. It goes without saying that proper and policy-aligned integration of these essential building blocks of a FIDO2-based enterprise-grade authentication solution calls for professional attention, with a good portion of subject matter expertise and project management.
Given our experience in the enterprise business, which now spans three decades, we are more than happy to support our customers and partners on their way into the future of sustainable passwordless authentication. Our professional services include general consultancy, project management, technical design and architecture, bespoke software solutions and of course high- and low-level IT security awareness all the way into the salient cryptographic details, if someone wants ‘to see what makes it tick’.
Feel free to reach out to us for more information on this.
Consider the following high-level structure of FIDO2: