The central role that digital systems now play in any business, together with the sensitivity and strategic value of the information most organisations manage, make cyber security one of the crucial areas of the current ICT landscape. In this context, the constant increase in cyber attacks based on credential theft or account takeover requires continuous evolution of user authentication methods, to avoid the far greater impact that an intrusion can then have on the security of a company's IT infrastructure.
In particular, current security standards make it essential to adopt MFA (Multi-Factor Authentication) techniques, in which several security elements are used simultaneously to verify the user's identity and the authenticity of the access: the password is combined with other "knowledge" factors (such as PINs or secret questions), with "possession" factors (such as company cards or tokens), or with "hybrid" ones, such as One-Time Passwords (OTPs), which the user receives on a device or account.
However, these systems are also subject to vulnerabilities that depend in part on incorrect behaviour, carelessness, or the inevitable errors and distractions of users in protecting their credentials. For this reason, the need to adopt authentication workflows that are also "friendly" is not secondary: a fast and simple process implicitly helps users maintain good security practices.
FIDO2 is an open standard for online (Web/Cloud) authentication developed by the FIDO Alliance ("Fast IDentity Online") specifically to overcome some vulnerabilities of previous MFA solutions and, at the same time, to provide an easier and more practical login experience for users: no username or password needs to be entered, while multiple security factors are still enforced.
By leveraging "possession" and "presence" factors (FIDO2-certified devices that the user must hold and/or actions to be physically performed on such devices, such as the capture of biometric parameters), FIDO2 allows access without OTP mechanisms, which are often perceived as cumbersome and frequently route through users' personal phone numbers or devices outside the control of company security policies. Furthermore, the FIDO2 standard removes any need to store, or keep accessible on the servers (other than on the locally connected device), the security factors involved in the authentication process (as happens with traditional tokens), so as to be immune to external or remote attacks.
Praim products based on ThinOX and Windows now also support the activation of multi-factor user authentication workflows based on FIDO2, including on Cloud infrastructures that integrate the most advanced technologies on the market. For example, Praim endpoints can be used with FIDO2 USB devices for authentication within a Citrix Cloud Virtual Desktop Infrastructure (VDI) on Microsoft Azure, without entering a password. In this case the FIDO2 user login can be handled by Microsoft Entra ID with "pass-through" to the virtual desktop.
FIDO2 devices are managed on the Microsoft (Azure) portal, which can act as a single point of user authentication for both Citrix and other productivity and collaboration tools (such as Office 365, Teams, and so on). Once in session, it is then possible to keep using FIDO2 to authenticate to other services or web portals the user accesses, since all interactions with the FIDO2 device are managed by the Citrix Workspace App client, which transmits the information securely over the dedicated virtual channel.
It is also possible to customise the authentication experience with incremental security and maximum flexibility of use, for example by deciding which model of FIDO2 device or technology to require for authentication, or by setting "Key Restriction Policies" that restrict use to devices supporting biometric recognition.
To find out more about the integration of FIDO2 into Praim products: