WSO2 has added Passwordless Authentication with FIDO2 in the latest version of its WSO2 Identity Server 5.10.0. What this means is that WSO2 is now supporting the security model developed jointly by the FIDO Alliance and the W3C.
That model seeks to remove the risks associated with passwords and provide security through other means. Those other means include biometrics, multi-factor authentication (MFA) through mobile devices and security keys.
Prabath Siriwardena, Vice President and General Manager – IAM Business Unit, WSO2 said: “An organization’s user experience is the window to creating a first impression for its capabilities and trust. This is where CIAM enters, serving to drive an enterprise’s revenue growth by leveraging identity data to acquire and retain customers. In short, it’s a company’s new public face.
“With our latest release of WSO2 Identity Server, we are further empowering developers to simplify authentication for end-users and support the complex architectures required for effective CIAM solutions that bring better user experiences to their customers.”
How does one configure passwordless authentication?
WSO2 has made this as simple as possible but there are some key limitations to note. All users must be on at least the listed versions of the three supported browsers – Chrome (67), Firefox (60) and Edge (17723).
To help users set up their device there is a new self-care portal in this release. It has gone through a complete rewrite since the previous version. One of the key features is a new UX. To set up their new device through the self-care portal, users follow a 7-step process outlined by WSO2. Putting this in the self-service portal means users can change their authentication device when they update their mobile phone.
Adding FIDO as the authenticator is also a simple process. It is something that users can do but is more likely to be an IT Admin task.
New RESTful APIs to improve security
There are a number of new APIs and several improved APIs with this release. The API that supports FIDO2 was released in an earlier version. WSO2 has updated this API with new capabilities for developers. Importantly, WSO2 has kept it small and simple. This is something that many vendors miss. Complicated APIs lead to mistakes and cause developers to look for other options.
It is one of three updated APIs. In addition there are nine new APIs that are all aimed at improving management of different tasks.
To reduce the risk of API attack, WSO2 has added scope-based authorisation for internal REST APIs. It uses permissions within the system to determine if the user has permission to make a call. This means that developers can build new self-service capabilities and use the scope-based approach to control who can access that capability.
Enterprise Times: What does this mean
WSO2 is not touting this as a major update. However, adding new passwordless authentication through a self-service mechanism is a significant boost. It will enable companies to overcome one of the problems of moving away from passwords to other means of authentication. That problem is that many systems are complex, require administrators to do the work and do not provide any form of self-service.
With the current pandemic forcing many organisations to look at WFH, there is a real concern over poor passwords. WSO2 has now made it easy for its customers to upgrade how their users log in. The addition of a new user portal will also help companies deploy this to their user base.