Unite the strengths of two worlds – FIDO2 and PKI are a perfect match
Someone once said that PKI (Public Key Infrastructure) is 30% maths and 70% luck. All IAM management demands a process – procedures, documentation, follow-up and checking. Getting the process to work can be referred to – tongue-in-cheek – as “luck”, given that it involves something as complex and unpredictable as human beings.
Every organisation has its culture and its values. And they are all different. In order to be able to adapt the tools to the desired way of working and the applicable regulations, it is essential to ensure versatile implementation of secure authentication into the organisation’s workflows.
The data security method PKI is in widespread use for qualified authentication, digital signature and encryption of email and documents. PKI allows a stricter approach to identity management. It is actually comparable to our debit and credit cards. Debit and credit cards demand a strict process for ensuring that each card and PIN code is linked to the correct bank account, delivered to the correct mailbox and activated using a method that can be reinforced. Meanwhile, it must also be possible to block the card immediately and everywhere in the event of its loss and misuse. And, of course, it must not be possible to compromise this process.
FIDO2 is an open authentication standard, just like PKI. It is supported by most browsers and used for secure login to a range of web-based services including Microsoft Office 365, Google, Amazon and Salesforce. Users activate their own personal FIDO2 security key. It cannot be blocked, but if you lose your key you can activate a new one which automatically replaces the old one. FIDO2 is usually activated by users themselves, for services that contain their own data and no-one else’s.
If you use PKI, you are required to follow the procedures and processes your employer has set up to gain access to your own data and to data shared with multiple users.
You can now combine PKI with FIDO2, thus drawing even more benefit from your investment in Multifactor Authentication, MFA. The methods neatly complement each other and are used for different purposes: secure login, digital signature and encryption in all areas of the IT environment.
A combined carrier
YubiKey is a fast and powerful security key that allows the combination of FIDO2 and certificates for PKI-based security. This means you can enjoy the best of two worlds. PKI is used for secure login, email, etc. in the internal environment, while FIDO2 can serve as a valuable supplement for external authentication for web-based services.
It would be a waste of time to try to argue which method is better, since FIDO2 and PKI are both indispensable and cover different needs.
The technology they use is less important in this context. It is reasonable to assume that 30% of the protection is down to the technology. Everything else is about what you actually do. Or don’t do.
Lars Rydberg, our technology correspondent, has done a deep dive in the area.