FIDO Devices

Thales FIDO2
Devices

Organizations expanding their digital transformation are moving applications and data to the cloud to enable accessibility from anywhere and decrease operating costs. As users log in to an increasing number of cloud-based applications, weak passwords are emerging as the primary cause of identity theft and security breaches.

Addressing this risk, Thales FIDO2 (the umbrella term for FIDO Alliance’s newest set of specifications) security keys are offering organizations passwordless, phishing-resistant authentication, allowing them to stop account takeover and remove risk of unauthorized access to sensitive resources like SaaS applications and Windows endpoints.

Thales FIDO2 security keys support multiple applications at the same time. Use one that combines FIDO2, U2F, PKI and RFID to access both physical spaces and logical resources.

Passwordless Phishing-Resistant MFA

FIDO2 authentication removes the risk of account take-over by replacing vulnerable passwords with a phishing-resistant WebAuthn credential.
FIDO2 authentication has gained traction as a modern form of MFA because of its considerable benefits in easing the login experience for users and overcoming the inherent vulnerabilities of passwords. Advantages include less friction for users and a high level of protection against phishing attacks.

Enterprise FIDO Management

Thales eToken FIDO Enterprise Functionality (EF) gives agencies a way to centrally manage FIDO issuance and lifecycle.

PIN unblock without device reset
Token attestation enforcement
FIDO application whitelisting
Administrator controlled FIDO reset
Administrator enterprise management key
- Retrieve Relying Party (RP) ID list
- List all credentials for a specific RP
- Delete and update FIDO credentials
- Set minimum PIN length
- Force change PIN
- Set allowed RP ID list to get MinPin length information
- Enforce user verification

Meet stringent compliance mandates

Thales FIDO2 security keys, USB Tokens and smart cards let you meet all your regulatory needs. They are FIDO2 and U2F certified. The combined PKI-FIDO keys are compliant with the US Executive Order mandate for phishing-resistant MFA and NIST regulations. They are FIPS 140-2 or Common Criteria (CC) certified.

eBook: The Comprehensive Guide on Phishing-Resistant MFA, Passkeys and FIDO security keys.

Phishing-resistant MFA is multi-factor authentication immune from attempts to compromise or subvert the authentication process, commonly achieved through phishing attacks such as MFA fatigue. Phishing resistance within an authentication mechanism is achieved by requiring each party to provide proof of their identity and intent through deliberate action.

Download this eBook to learn more about phishing-resistant MFA and how to apply the following four-step approach to comply with phishing-resistant MFA requirements.

Download Now

Why should organizations consider FIDO?

Convenient FIDO2 is a passwordless authentication method so users don’t need to remember their passwords. To facilitate user adoption, you can combine it with biometrics such as fingerprints.	Phishing-resistant Leveraging asymmetric public key cryptography, FIDO2 protects against phishing attacks because each private key is bound to a service domain. If the accessed service is fake, authentication fails.	Prevent attacks FIDO2 security key protects against man-in-the-middle (MiTM) attacks because each private key is stored securely in the hardware device.
Future-proof Modern web applications support FIDO2. Cybersecurity agencies and analysts rank FIDO2 security key as the “gold” technology to invest in (NIST, ENISA, CSA, Gartner...).	Authenticate anywhere Various form factors such as smart cards and USB tokens, with contactless option, allow users to authenticate from their mobile devices or from shared desktops.	Easy to deploy Based on open standard, FIDO2 simplifies systems compatibility. It removes password-related help desk costs and lower IT overheads (no separate infrastructure required).

FIDO2 Device Benefits

Thales multi-factor authentication devices use current and emerging protocols to support multiple applications at the same time. Use one security key that combines FIDO2, WebAuthn, U2F, and PKI to access both physical spaces and logical resources.

Best in class security

Thales controls the entire manufacturing cycle and develops its own FIDO crypto libraries, which reduces the risk of being compromised.

Support for multiple use cases

Combine FIDO, PKI and physical access in a single device
Experience a strong authentication from mobile endpoints

User convenience for better adoption

Support for biometric (fingerprint on smart card)
Sensitive presence detector on USB FIDO key

Compliant with high security market standards

U2F and FIDO2 certified
Compliant with US and EU regulations for phishing-resistant authentication
Manufacturing in Europe and Trade Agreement Act (TAA) compliancy in option
FIPS and CC certified for PKI operations

Robustness & Scalability for a long-life duration

Hard molded plastic, tamper evident USB FIDO keys
No damage to USB ports thanks to sensitive presence detector
Support for firmware updates for better maintenance and upgradability

Enterprise FIDO-ready

Comply with FIDO2.1 specifications
Benefit from Thales FIDO Enterprise features
Use SafeNet FIDO key Manager for free

Thales FIDO Authentication Solutions

FIDO USB Tokens

Secure access to web applications and devices using FIDO

SafeNet eToken FIDO series

Ideal solution for organizations to go passwordless
Compact, tamper-evident USB tokens, available in type A and C (TAA-Compliant)
Presence detection sensor to confirm human presence
Ideal for privilege users, frontline and temporary workers
Quick access for employees to any shared device such as PC or tablet

FIDO + Biometric

Simplify user adoption.

SafeNet IDPrime FIDO Bio Smart Card
Combining biometrics and NFC, the innovative SafeNet IDPrime FIDO Bio Smart Card allows end users to authenticate from multiple types of devices securely and easily, with just a fingerprint instead of a password.

FIDO + PKI Smart Cards

Extend modern FIDO authentication to PKI use cases.

SafeNet IDPrime FIDO Smart Cards series

New generation of PKI smart cards
Facilitates cloud migration and authentication modernization
Support FIDO and PKI use cases: authentication, digital signature, and file encryption
One single badge for securing access to legacy apps, network domains and cloud services
Use on multiple devices from desktops to tablets thanks to NFC
Help organizations to meet their market regulations

FIDO + PKI USB Tokens

Extend modern FIDO authentication to PKI use cases.

SafeNet eToken Fusion Series

New generation of PKI USB Tokens
Facilitates cloud migration and authentication modernization
Support FIDO and PKI use cases: authentication, digital signature, and file encryption
One single token for securing access to legacy apps, network domains and cloud services
Use on multiple devices from desktops to tablets thanks to NFC option
Help organizations to meet their market regulations
“Enterprise FIDO ready” in option to help organizations control their life cycle

Learn more about the eToken Fusion Series.

FIDO + Physical Access

Combine digital access with physical access.

Thales offers organizations smart cards combining physical access with digital PKI/FIDO authentication. Converged Badge is an ideal solution for organizations who need to protect access to secure areas and sensitive digital resources. Cost of badge deployment and fleet management are significantly reduced and the adoption by employees is facilitated.

Manage FIDO Keys

Control your FIDO keys’ life cycle thanks to Thales FIDO Enterprise Features.

Thales FIDO enterprise features allow organizations to manage their FIDO keys securely and easily throughout their life cycle. They add an administration layer and configuration policies to help IT teams deploy, administer, and support the end user. Beyond the FIDO Alliance FIDO2.1 specifications, Thales FIDO enterprise features offer organizations:

Better security – enforcing user verification during authentication from any device, managing the minimum PIN length and protecting the PIN policy set, preventing data in fido keys from malicious or non-intentional deletion
Appropriate usage of organization assets – limiting the usage of the FIDO authenticators to a list of preferred services
Reduced IT costs & better User Experience – unblocking the FIDO key without resetting all key data, allowing end users to set and change their PIN code in self-service

Resources

Image	Title	Link
	CTO Sessions On Demand Webcast: Everything You Need to Know About Phishing-Resistant MFA	Download
	CTO Sessions: Best Practices for Phishing-Resistant MFA: FIDO & PKI	Download
	eBook: The Comprehensive Guide on Phishing-Resistant MFA, Passkeys and FIDO security keys.	Download
	Product Brief: Thales FIDO2 Devices	Download
	Product Brief: Thales Fusion Authenticators	Download
	White Paper: Meeting U.S. Government requirements for phishing-resistant MFA	Download

Frequently Asked Questions

What is a FIDO2 security key?

It is a USB or smart card companion device that you can use to securely access sensitive online services without using a password. It uses the FIDO2 (Fast identity Online) standard developed by the FIDO Alliance.

How do FIDO2 tokens work?

The FIDO (Fast identity Online) protocol requires a “user gesture” (touch or tap the token) and/or a user verification (via a PIN or biometric) before the private key can be used to sign a response to an authentication challenge.

To access an online service, you just need to follow the online guideline displayed on the user interface: when requested, plug the token into the USB port of your device touch the sensitive sensor to confirm your presence, enter your PIN and you are logged in. Alternatively, if you use contactless and biometric token such as the SafeNet FIDO Bio Smart Card, you just tap the card on your device while putting your finger on the biometric sensor and you are in!

What are passkeys in FIDO2?

In FIDO2, passkeys are password replacements that provide faster, more accessible, and more secure sign-ins to websites and apps. They are resistant to phishing and credential stuffing, and designed so that there are no shared secrets.

There are two types of passkeys: synced passkeys (can be exported via a cloud service to another device) and device-bound passkeys (stored in a single device and cannot be copied). FIDO2 security keys/ tokens are device-bound passkeys.

Can FIDO2 tokens be used with mobile devices?

Yes, FIDO2 tokens can be used with any mobile device, but depending on the connector of the token (USB-C or USB-A), the user may need to use an adaptor. If the token and the device are compatible with NFC, the user can also use the NFC capability directly by tapping the token to the back of its mobile device.

How do I set up a FIDO2 token?

The Thales FIDO2 token is ready to use and requires no software or driver installation. You can set up your FIDO2 token by registering it to an online service. Set-up instructions may differ from one service provider to another, so follow the instructions displayed on the user interface. Generally, the service provider asks you to define your login name, a PIN code and put a name to the registered FIDO2 Token. Alternatively, you can use SafeNet FIDO Key Manager to set up and change the PIN of your Thales FIDO2 Token.

To learn more about this topic consult our dedicated section

Are FIDO2 tokens compatible with all online services?

FIDO2 tokens are compatible with all online services that support the FIDO2 standard.

What are the benefits of using FIDO2 passkeys over traditional passwords?

There are different benefits of using FIDO2 passkeys over traditional passwords:

Security: unique login credentials across every website which are never stored on a server, eliminating the risk of phishing and other forms of attacks.
User experience: user login with simple built-in methods on the device or by leveraging easy-to-use FIDO2 security keys.
Privacy: unique keys for each internet site that cannot be used to track users across sites. Biometric data, when used, never leaves the user’s device.
Scalability: enable FIDO2 through simple API calls supported across all leading browsers and platforms.

Is FIDO2 authentication phishing-resistant?

Based on cryptography, FIDO2 authentication is recognized by cybersecurity agencies around the world as one of the most secure authentication methods. A FIDO2 hardware token is resistant to phishing and Man-in-the Middle Attacks.

FIDO and CBA are the 2 authentication protocols recognized as phishing-resistant by cybersecurity regulation bodies.

What makes FIDO2 tokens phishing-resistant?

Based on asymmetric public key cryptography, the FIDO2 security key (USB token or smart card) prevents from phishing because each private key is bound to the domain of the service provider. If the domain is fake, the authentication fails. In addition, all private keys are stored locally and securely in the FIDO2 key which prevent form Man-In-The-Middle attacks.

Are FIDO2 tokens compliant with regulatory standards?

Yes, the FIDO2 tokens embrace the protection of personal data based on public key cryptography. FIDO2 meets the requirements of the US administration and the EU security agencies for strong MFA. Hardware FIDO security keys are evaluated AAL3 by NIST (Assurance Level 3 , the highest level of Assurance in Authentication according to NIST).