Why combining FIDO2 and PKI provides broader enterprise-wide security

FIDO2 authentication standards are great for streamlining the user experience, but CISOs still need PKI to manage machine identity and trusted interactions across the enterprise.

This past year’s seismic shift in how and where people access corporate resources has heightened the urgent need for organizations to upgrade the identity and authentication systems they rely on.

That urgency isn’t likely to diminish anytime soon, according to a 2021 Gartner CIO survey. The survey found that 64% of employees at CIOs’ organizations are now able to work from home, and two-fifths are actually doing so, suggesting the landscape for authenticating users has clearly taken on new and more dynamic contours.


Ready the full report.

But it’s not just people accessing enterprise resources. The transition to cloud-based services and the underlying automation supporting digital workloads have led to dramatic increases in the volume of non-human entities — virtual machines, mobile devices, applications, containers, and IoT/OT devices — all seeking their own access to enterprise resources independent of the end user’s identity.

As a result, managing machine identities has also become part of a larger need on the part of organizations to engineer identity authentication and trust verification at the center of every digital interaction within their enterprises, according to a new report produced by CyberScoop, underwritten by Axiad.

Against that backdrop, however, is a growing debate over the trajectories of two security technologies — the long-established PKI, or public-key infrastructure approach, and newer-generation methods such as FIDO2 and Microsoft Windows Hello for Business.

The report examines the need for, and advantages of, each technology and concludes both technologies will likely play essential roles in authenticating who or what can access your organization’s resources. Ultimately, the two security approaches will need to work together as IT environments continue to evolve, suggest experts quoted in the report.

Public key infrastructure offers a well-established method for securing online communications between one person and another or between machines — and makes it possible to encrypt messages, documents and data targeted for a specific person or entity without sharing any secret.

Its complexity, especially in supporting web-based and mobile applications, however, has led to newer, more user-friendly approaches developed by a consortium of technology players, known as the FIDO Alliance (Fast IDentity Online).

The issue that enterprise CIOs and CISOs face, according to Jerome Becquart in the report, is that FIDO2 — and parallel authentication efforts at Microsoft and other tech vendors — only address a portion of the trio of authentication, privacy, and authenticity requirements most enterprises must manage. Becquart is chief operating officer and CISO at Axiad, a leading trusted identity solutions provider.

FIDO2 and Windows Hello for Business can improve the way enterprises can authenticate people accessing cloud-based applications, says Becquart.

“But in reality, the newer technology still only addresses part of the use cases that enterprise CISOs worry about. What about machines that are connected to your network — things like laptops, Wi-Fi routers or servers? How do you authenticate them? FIDO and Windows Hello for Business won’t solve that alone,” he says.

It’s not just devices on the network that are at issue. Transactional workloads, where digital signatures are required, also require authentication certificates and the kind of authentication protocols that PKI was built to provide.

Getting FIDO2 and PKI to work together

Fortunately, a lot of effort has gone into integrating authentication standards, the report says. That was prompted in part by the U.S. government’s challenges in implementing its own multi-factor authentication initiatives more than a decade ago. It directed agencies to roll out Personal Identity Verification (PIV) cards. The Department of Defense developed an equivalent Common Access Card (CAC) for access to facilities and electronic systems.

PKI-enabled PIV and CAC cards made sense at the time, when employees worked at assigned locations. But they’ve proven impractical for employees and contractors on the go. The report highlights efforts since then to develop a series of remedies and technical guides, designed to incorporate PKI and FIDO authentication and expand the authentication ecosystem across the federal government.

The question that remains for enterprises today, says Axiad Chief Technology Officer John Babbidge, is how to achieve the benefits of PKI in today’s larger IT operating environments, given its complexity.

Babbidge argues that managed PKI and credential experts like Axiad can help organizations take the complexity of PKI policies, compliance, and management off their hands, letting them concentrate on their core business.

Get the full report and learn more how Axiad can help your organization achieve passwordless, multi-factor authentication.

This article was produced by CyberScoop and sponsored by Axiad.
