Thales eSecurity Blog

New FIDO2 Devices offer a single token for combined PKI – FIDO use cases, without the need to rip and replace existing infrastructure

Danna Bethlehem | director, product marketing

The Verizon 2019 Data Breach Investigations Report advises organizations to deploy multifactor authentication throughout all systems and discourage password reuse. MFA awareness is not new to CISOs or IT teams. And yet, according to Norton, data breaches for 2019 included 3,800 publicly disclosed breaches, 4.1 billion records exposed, and a more than 54% increase in the number of reported breaches vs. the first half of 2018.

The combination of prominent media-reported mega breaches and less famous identity thefts has prompted the industry to adopt passwordless authentication methods. This has become more popular through the adoption of FIDO2 (Fast IDentity Online 2.0) authentication technologies.

Established in 2013, the FIDO Alliance is an open industry association focused on developing authentication standards to help reduce the world’s over-dependency on passwords. Passwordless authentication replaces passwords with other methods of identity, improving both the level of assurance and convenience. This type of authentication has gained traction because of its considerable benefits in easing the login experience for users and overcoming the inherent vulnerabilities of text-based passwords. These advantages include less friction, a higher level of security for each app, and the elimination of the legacy password.

According to Francois Lasnier, Vice President for Access Management solutions at Thales, “FIDO is increasingly being perceived as a viable passwordless authentication method in the enterprise, especially as Windows 10 and Azure AD adoption rises.”

However, many organizations are heavily invested in PKI (Public Key Infrastructure) or certificate-based authentication. Mandated by numerous government and privacy regulations that require a high level of assurance, PKI or certificate-based authentication is used broadly by numerous military, financial and healthcare organizations. Many of these organizations are now undergoing digital transformation and are seeking ways to extend their PKI-based strong authentication frameworks to cloud and mobile use cases.

The release of combined FIDO / PKI authentication devices from Thales allows organizations to continue to use PKI-based authentication while enabling FIDO for additional use cases such as authentication to Azure AD managed services, Windows Hello devices, and support for mobile devices. In this way, organizations can extend their current PKI environment without needing to rip and replace their existing infrastructure.

Using a single card or token for all use cases, SafeNet FIDO devices from Thales offer users a seamless and passwordless logon experience from all devices. Organizations using Thales FIDO2 devices can address new use cases while maintaining the optimal balance between security and convenience with passwordless authentication.

These new solutions enable organizations to secure cloud adoption and bridge secure access across hybrid environments via an integrated access management and authentication offering from Thales, facilitating their cloud and digital transformation initiatives by providing their users with a single authentication device for securing access to legacy apps, network domains and cloud services.

Thales SafeNet FIDO devices include the SafeNet IDPrime 3940 FIDO, a Common Criteria (CC) and ANSSI certified smart card that supports PKI authentication and FIDO on the same device, and the SafeNet eToken FIDO, a compact, tamper-evident USB token with presence detection. Both devices are compatible with Azure AD managed services.

A demo showing secure access to Azure managed services and PKI authentication using a combined FIDO-PKI device will be shown at the Thales booth #N-5445 this week at RSA Conference 2020.