Organizations pursuing digital transformation are moving applications and data to the cloud to make them accessible from anywhere and to reduce operating costs. As users log in to an ever-growing number of cloud applications, weak and reused passwords have become a leading cause of identity theft and security breaches.

To address this risk, Thales FIDO2 security keys (FIDO2 is the umbrella term for the FIDO Alliance's current set of specifications, W3C WebAuthn and CTAP2) give organizations passwordless, phishing-resistant authentication that closes the credential-phishing route to account takeover and sharply reduces the risk of unauthorized access to sensitive resources such as SaaS applications and Windows endpoints.

Thales FIDO2 security keys support multiple applications on one device: a single key or card can combine FIDO2, U2F, PKI and RFID to open both physical doors and logical resources.

Passwordless Phishing-Resistant MFA

FIDO2 authentication removes the phishing and credential-stuffing routes to account takeover by replacing the vulnerable password with a phishing-resistant WebAuthn credential: a key pair whose private half never leaves the authenticator.
FIDO2 authentication has gained traction as a modern form of MFA because it eases the login experience for users while overcoming the inherent weaknesses of passwords. Its advantages include less friction for users and a high level of protection against phishing attacks.

Enterprise FIDO Management

Thales eToken FIDO Enterprise Functionality (EF) gives organizations and government agencies a way to centrally manage FIDO key issuance and lifecycle.

  • PIN unblock without device reset
  • Token attestation enforcement
  • FIDO application whitelisting
  • Administrator controlled FIDO reset
  • Administrator enterprise management key
    • Retrieve Relying Party (RP) ID list
    • List all credentials for a specific RP
    • Delete and update FIDO credentials
    • Set minimum PIN length
    • Force change PIN
    • Set the list of RP IDs allowed to read the minimum PIN length (CTAP 2.1 minPinLength extension)
    • Enforce user verification

Meet stringent compliance mandates

Thales FIDO2 security keys, USB tokens and smart cards help you meet regulatory requirements. They are FIDO2 and U2F certified. The combined PKI-FIDO keys satisfy the US Executive Order 14028 and OMB M-22-09 mandate for phishing-resistant MFA and NIST SP 800-63B guidance. Their PKI functionality is FIPS 140-2 or Common Criteria (CC) certified.

eBook: The Comprehensive Guide on Phishing-Resistant MFA, Passkeys and FIDO security keys.

Phishing-resistant MFA is multi-factor authentication that is immune to attempts to compromise or subvert the authentication process, whether by credential phishing, by adversary-in-the-middle proxies that relay one-time codes, or by MFA fatigue (push bombing). Phishing resistance is achieved by requiring each party to prove its identity and intent through deliberate action, with the authenticator cryptographically binding its response to the genuine service so that a user cannot be tricked into approving a login for an attacker.

Download this eBook to learn more about phishing-resistant MFA and how to apply a four-step approach to complying with phishing-resistant MFA requirements.

Why should organizations consider FIDO?

Convenient

FIDO2 is a passwordless authentication method, so users don't need to remember passwords. To ease adoption, you can combine it with biometrics such as a fingerprint.

Phishing-resistant

Leveraging asymmetric public key cryptography, FIDO2 protects against phishing because each credential is scoped to the relying party's domain (RP ID) and the browser, not the web page, records the origin it is actually connected to in the signed response. A credential registered for the genuine site is never offered to a look-alike domain, and a response relayed from one fails the genuine site's verification.

Prevent attacks

A FIDO2 security key also defeats adversary-in-the-middle (MitM) proxies and host malware: the private key is generated and stored in the hardware device and never leaves it, and each signed response is bound to a fresh server challenge and to the origin, so a captured response cannot be replayed or forwarded to the real service.

Future-proof

Modern web applications and platforms support FIDO2 (WebAuthn). Cybersecurity agencies and analysts (NIST, ENISA, CSA, Gartner...) rank FIDO2 security keys as the gold standard of MFA to invest in.

Authenticate anywhere

Various form factors such as smart cards and USB tokens, with a contactless (NFC) option, let users authenticate from mobile devices or shared desktops.

Easy to deploy

Based on open standards, FIDO2 simplifies compatibility between systems. It removes password-related help desk costs and lowers IT overhead, since no separate authentication infrastructure is required.

FIDO2 Device Benefits

Thales multi-factor authentication devices use current and emerging protocols to support multiple applications at the same time. Use one security key that combines FIDO2, WebAuthn, U2F, and PKI to access both physical spaces and logical resources.

Best in class security

  • Thales controls the entire manufacturing cycle and develops its own FIDO cryptographic libraries, reducing the supply-chain risk of compromised components.

Support for multiple use cases

  • Combine FIDO, PKI and physical access in a single device
  • Experience a strong authentication from mobile endpoints

User convenience for better adoption

  • Support for biometric (fingerprint on smart card)
  • Touch-sensitive presence detector on the USB FIDO key

Compliant with high security market standards

  • U2F and FIDO2 certified
  • Compliant with US and EU regulations for phishing-resistant authentication
  • Manufactured in Europe; Trade Agreement Act (TAA) compliance available as an option
  • FIPS and CC certified for PKI operations

Robustness & Scalability for a long-life duration

  • Hard molded plastic, tamper evident USB FIDO keys
  • No wear on USB ports: the touch-sensitive presence detector replaces a mechanical button, so nothing has to be pressed
  • Support for firmware updates for better maintenance and upgradability

Enterprise FIDO-ready

  • Comply with the FIDO2.1 (CTAP 2.1) specifications
  • Benefit from Thales FIDO Enterprise features
  • Use SafeNet FIDO key Manager for free

Thales FIDO Authentication Solutions

Secure access to web applications and devices using FIDO

SafeNet eToken FIDO series

  • Ideal solution for organizations to go passwordless
  • Compact, tamper-evident USB tokens, available in USB-A and USB-C (TAA-compliant)
  • Presence detection sensor to confirm human presence
  • Ideal for privileged users, frontline and temporary workers
  • Quick access for employees to any shared device such as PC or tablet

Simplify user adoption.

SafeNet IDPrime FIDO Bio Smart Card
Combining biometrics and NFC, the innovative SafeNet IDPrime FIDO Bio Smart Card allows end users to authenticate from multiple types of devices securely and easily, with just a fingerprint instead of a password.

Extend modern FIDO authentication to PKI use cases.

SafeNet IDPrime FIDO Smart Cards series

  • New generation of PKI smart cards
  • Facilitates cloud migration and authentication modernization
  • Support FIDO and PKI use cases: authentication, digital signature, and file encryption
  • One single badge for securing access to legacy apps, network domains and cloud services
  • Use on multiple devices from desktops to tablets thanks to NFC
  • Help organizations to meet their market regulations

Extend modern FIDO authentication to PKI use cases.

SafeNet eToken Fusion Series

  • New generation of PKI USB Tokens
  • Facilitates cloud migration and authentication modernization
  • Support FIDO and PKI use cases: authentication, digital signature, and file encryption
  • One single token for securing access to legacy apps, network domains and cloud services
  • Use on multiple devices from desktops to tablets thanks to NFC option
  • Help organizations to meet their market regulations
  • “Enterprise FIDO ready” option to help organizations control the key life cycle

Learn more about the eToken Fusion Series.

Combine digital access with physical access.

Thales offers organizations smart cards that combine physical access with digital PKI/FIDO authentication. The Converged Badge is an ideal solution for organizations that need to protect access to both secure areas and sensitive digital resources. Badge deployment and fleet management costs are significantly reduced, and adoption by employees is easier because they carry one credential.

Control your FIDO keys’ life cycle thanks to Thales FIDO Enterprise Features.

Thales FIDO enterprise features allow organizations to manage their FIDO keys securely and easily throughout their life cycle. They add an administration layer and configuration policies to help IT teams deploy, administer, and support the end user. Beyond the FIDO Alliance FIDO2.1 specifications, Thales FIDO enterprise features offer organizations:

  • Better security – enforcing user verification during authentication from any device, managing the minimum PIN length and protecting the configured PIN policy, and protecting the data on FIDO keys from malicious or accidental deletion
  • Appropriate usage of organization assets – limiting the use of the FIDO authenticators to a list of approved services (RP IDs)
  • Reduced IT costs and a better user experience – unblocking the FIDO key without resetting all key data, and letting end users set and change their PIN code in self-service

Resources

CTO Sessions On Demand Webcast: Everything You Need to Know About Phishing-Resistant MFA
CTO Sessions: Best Practices for Phishing-Resistant MFA: FIDO & PKI
eBook: The Comprehensive Guide on Phishing-Resistant MFA, Passkeys and FIDO security keys.
Product Brief: Thales FIDO2 Devices
Product Brief: Thales Fusion Authenticators
White Paper: Meeting U.S. Government requirements for phishing-resistant MFA

Frequently Asked Questions

It is a USB or smart card companion device that lets you securely access sensitive online services without a password. It uses the FIDO2 standard developed by the FIDO Alliance (FIDO stands for Fast IDentity Online).

The FIDO (Fast IDentity Online) protocol requires a “user gesture” (touching or tapping the token) and/or user verification (a PIN or biometric checked on the device) before the private key may be used to sign the relying party's authentication challenge. The signed response covers a hash of the relying party's domain and the origin reported by the browser, so it is only valid for the genuine service.

To access an online service, you just follow the prompts displayed on screen: when requested, plug the token into a USB port of your device, touch the sensor to confirm your presence, enter your PIN, and you are logged in. Alternatively, with a contactless biometric token such as the SafeNet IDPrime FIDO Bio Smart Card, you simply tap the card on your device while resting your finger on the fingerprint sensor, and you are in.

In FIDO2, passkeys are password replacements that provide faster, more accessible, and more secure sign-ins to websites and apps. They are resistant to phishing and credential stuffing, and designed so that there are no shared secrets.

There are two types of passkeys: synced passkeys, which are backed up and synchronized across a user's devices through a cloud provider, and device-bound passkeys, which live in a single device and cannot be copied out of it. FIDO2 security keys and tokens hold device-bound passkeys.

Yes, FIDO2 tokens can be used with any mobile device, but depending on the token's connector (USB-C or USB-A) the user may need an adapter. If both the token and the device support NFC, the user can instead tap the token against the back of their mobile device.

The Thales FIDO2 token is ready to use and requires no software or driver installation. You set up a FIDO2 token by registering it with an online service. Set-up steps differ from one service provider to another, so follow the instructions displayed on screen. Generally, the service asks you to enter your login name, set a PIN code and give the registered token a name. Alternatively, you can use SafeNet FIDO Key Manager to set up your Thales FIDO2 token and change its PIN.


FIDO2 tokens work with any online service that supports the FIDO2/WebAuthn standard.

There are different benefits of using FIDO2 passkeys over traditional passwords:

  1. Security: a unique key pair for every website. The private key never leaves the authenticator and only the public key is stored on the server, so a server breach yields nothing reusable, and the binding of each credential to its site's domain defeats phishing and credential stuffing.
  2. User experience: user login with simple built-in methods on the device or by leveraging easy-to-use FIDO2 security keys.
  3. Privacy: unique keys for each internet site that cannot be used to track users across sites. Biometric data, when used, never leaves the user’s device.
  4. Scalability: enable FIDO2 through the WebAuthn API supported by all leading browsers and platforms.

Based on public key cryptography, FIDO2 authentication is recognized by cybersecurity agencies around the world as one of the most secure authentication methods. A FIDO2 hardware token is resistant to phishing and adversary-in-the-middle (MitM) attacks.

FIDO (WebAuthn) and certificate-based authentication (CBA, as used with PKI smart cards) are the two authentication methods recognized as phishing-resistant by cybersecurity regulatory bodies.

Based on asymmetric public key cryptography, the FIDO2 security key (USB token or smart card) prevents phishing because each credential is bound to the domain of the service provider: the browser derives the relying party ID from the site it is really connected to, and the key signs over a hash of that ID together with the site's challenge. If the site is a look-alike, the credential is not offered to it, and a response relayed from the fake domain fails the genuine site's checks. In addition, all private keys are generated and stored inside the FIDO2 key and never leave it, so malware cannot copy them and an adversary-in-the-middle proxy cannot reuse a captured response.

Yes. FIDO2 protects personal data by design: no shared secret is stored on the server, each site gets its own key pair that cannot be correlated across sites, and biometric data never leaves the user's device. FIDO2 meets the requirements of the US administration and EU security agencies for strong, phishing-resistant MFA. FIPS-validated hardware FIDO security keys can satisfy NIST SP 800-63B Authenticator Assurance Level 3 (AAL3), the highest level, which requires a hardware-based, verifier-impersonation-resistant multi-factor authenticator.
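The domain binding described in the two answers above (and under “Phishing-resistant” and “How a FIDO2 token works” earlier on this page) is enforced by the relying party's server, not only by the key. The Go program below is an added example, not Thales code and not part of the original page: it simulates a P-256 authenticator and the relying party's verification of a WebAuthn assertion, checking the rpIdHash, the browser-reported origin, the challenge, the user-presence and user-verification flags, the signature counter and finally the ECDSA signature. The domains bank.example and bank-login.example, the nonces and the simulated authenticator are constructed for illustration; a real security key would refuse to sign for a domain it holds no credential for, whereas the simulation signs anyway so the relying party's rejection can be observed.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// Flag bits of the WebAuthn authenticator data.
const (
	FlagUP byte = 0x01 // user present: key was touched or tapped
	FlagUV byte = 0x04 // user verified: PIN or fingerprint checked on the key
)

// Assertion is what the browser hands the relying party after navigator.credentials.get().
type Assertion struct {
	AuthenticatorData []byte // sha256(rpId) || flags || signCount
	ClientDataJSON    []byte // {"type","challenge","origin"} as written by the browser
	Signature         []byte // ECDSA P-256 over authenticatorData || sha256(clientDataJSON)
}

// SimulatedAuthenticator stands in for a hardware key: the private key never leaves it.
type SimulatedAuthenticator struct {
	key       *ecdsa.PrivateKey
	signCount uint32 // only ever increases
}

func NewSimulatedAuthenticator() *SimulatedAuthenticator {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &SimulatedAuthenticator{key: k}
}

// Public is the key the relying party stored at registration.
func (a *SimulatedAuthenticator) Public() *ecdsa.PublicKey { return &a.key.PublicKey }

// signedDigest is what both sides hash: authData || sha256(clientDataJSON).
func signedDigest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}

// Sign models the assertion ceremony. The browser, not the web page, supplies rpID and
// origin from the connection it really has; signing over sha256(rpID) is the domain binding.
func (a *SimulatedAuthenticator) Sign(rpID, origin, challenge string, flags byte) Assertion {
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	authData := append(rpHash[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(authData[33:], a.signCount)
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, err := ecdsa.SignASN1(rand.Reader, a.key, signedDigest(authData, cd))
	if err != nil {
		panic(err)
	}
	return Assertion{AuthenticatorData: authData, ClientDataJSON: cd, Signature: sig}
}

// VerifyAssertion is the relying-party side: the new counter to store, or why the login is refused.
func VerifyAssertion(pub *ecdsa.PublicKey, rpID, origin, challenge string,
	requireUV bool, lastCount uint32, a Assertion) (uint32, error) {
	want := sha256.Sum256([]byte(rpID)) // a look-alike domain hashes to something else
	if len(a.AuthenticatorData) < 37 || !bytes.Equal(a.AuthenticatorData[:32], want[:]) {
		return 0, errors.New("rpIdHash mismatch: assertion was made for another domain")
	}
	cd := map[string]string{}
	if json.Unmarshal(a.ClientDataJSON, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge {
		return 0, errors.New("bad client data: wrong ceremony, stale or replayed challenge")
	}
	if cd["origin"] != origin {
		return 0, errors.New("origin mismatch: " + cd["origin"])
	}
	flags := a.AuthenticatorData[32]
	if flags&FlagUP == 0 || (requireUV && flags&FlagUV == 0) {
		return 0, errors.New("user presence or required user verification (PIN/biometric) missing")
	}
	count := binary.BigEndian.Uint32(a.AuthenticatorData[33:37])
	if count <= lastCount { // a counter that does not advance hints at a cloned key
		return 0, errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(a.AuthenticatorData, a.ClientDataJSON), a.Signature) {
		return 0, errors.New("invalid signature")
	}
	return count, nil
}

func main() {
	key := NewSimulatedAuthenticator()
	// A look-alike site relays the real challenge; the browser binds the reply to the fake domain.
	relayed := key.Sign("bank-login.example", "https://bank-login.example", "nonce-1", FlagUP|FlagUV)
	_, err := VerifyAssertion(key.Public(), "bank.example", "https://bank.example", "nonce-1", true, 0, relayed)
	fmt.Println("relayed from look-alike domain:", err)
}
```

Run it with `go run`; the relayed assertion is refused at the rpIdHash check before the signature is even examined. The same verifier rejects a replayed response (challenge or counter check), a touch-only response when policy requires user verification (the “enforce user verification” setting from the enterprise features above), and a signature from any other key. Production relying parties should use a maintained WebAuthn library rather than hand-written parsing, but the checks it performs are exactly these.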