We won! 2021 FIDO Developer Challenge: FIDO2 WebAuthn for Passwordless MFA on Amazon Cognito

Has on-board WiFi ever actually worked for anyone?

Solving the password problem with “passwordless”

To give you some background. When Lockdrop was built, we wanted to focus on making the platform ridiculously easy to use. The reality of any security product is that if you add friction to an end-users experience, they’re going to find ways around that friction often undermining the security product all-together. To this end, we wanted to make sure that our users didn’t have to deal with passwords. There’s an infamous XKCD sketch and a John Oliver interview with Edward Snowden that sums up the real world problems with passwords.


What are some weaknesses of OTP over SMS/Email?

Well for one, it’s a single factor. MFA (multi-factor authentication) is an important aspect of operational security today both for professionals and regular people, for good reason. It’s increasingly easy to compromise single factors.

Possession-based factors

While authenticating someone by way of possession of a device associated with them for most people is better than knowledge based factors this isn’t always enough. Thankfully, attacks on this factor typically require nation-state abilities and/or a focus on specific victims. For those with a higher risk profile, SMS messages and emails can be intercepted at telecom companies (or through their partners it seems). Scarier still, is the ease at which SIM swapping attacks can occur.

Knowledge-based factors

Knowledge based factors while sounding incredibly secure (people can’t steal your thoughts, yet..?) in practice are horrible. People choose horrible passwords (easy to guess), password databases are leaked constantly, opening up the door for automated hacks targeting large groups of people.

Biometric-based factors

Biometric factors (or “something you are”) are even harder to compromise. Most threat actors aren’t going to steal your fingers 😬, face or eye-balls, but they might be able to replicate them if they can gain direct access to you and have the knowledge and resources to manufacture facsimiles. Until recently, biometrics have been fraught with adoption issues (needing expensive, sometimes custom hardware) and privacy concerns about how you store and use the biometric data.

Leveraging FIDO2 WebAuthn to implement multi-factor passwordless authentication

Flight update: There sure is a lot of small lakes or ponds down there, hello Minneapolis.

Security keys (roaming authenticators)

Years ago, I saw an article explaining how Google managed to eliminate phishing attacks on their employees by using security keys. Ever since, I’ve been using Yubikey’s myself whenever an authentication system supports them. These keys have worked great as a second-factor for knowledge-based first and less commonly passwordless possession-based authentication systems.

Mobile phones (platform authenticators)

For the past few years I’ve been watching with excitement as smart phone manufacturers have been adding security chips to their phones. While biometrics have sometimes been integrated into platform devices for decades, these security chips are a game changer.

Web service asks web app to authenticate user with an on-device platform authenticator or external security key potentially using Biometrics

The FIDO Developer Challenge

Flight update: Looks like were flying past Minot, North Dakota

Implementing passwordless MFA using FIDO2/WebAuthn

Flight update: We seem to be approaching Yellowstone according to the flight status screen in-front of me, thanks BBC for giving me one more natural disaster to fear.

FIDO2 WebAuthn terms

Terminology within the specifications are purposefully generic, and can make it sometimes confusing to have a conversation with the uninitiated using it. Hence why I’ve tried to avoid it thus far in this post. Let’s define a few of them though.

Lockdrop’s existing authentication system

Lockdrop was built as a serverless application on AWS. We decided to use Amazon Cognito for authentication early on. We leveraged a feature of Amazon Cognito called Custom Auth Flows to extend the built-in functionality and implement the existing OTP over SMS/Email solution. Custom Auth Flows allow you to write what I like to call “escape hatch” code using AWS Lambda functions, allowing you to run custom logic at different parts of Cognito’s authentication process. We were leveraging AWS Lambda’s Node.JS runtime.


Open-source FIDO2 Libraries (FIDO Servers)

It turns out there are many libraries out there implementing what is called a “FIDO server”. However, as I discovered along the way, the quality varies greatly.

Rough evaluation based on my own experience between the two libraries, YMMV

FIDO2 in Amazon Cognito using Custom Authentication Flows

Before integrating this into the existing Lockdrop authentication system, I wanted to trial it without the added complexity of the existing logic. I also figured this would be helpful for others that are using Amazon Cognito to store and authenticate their users and may want to leverage Cognito to implement FIDO2 authentication into their own applications.


What about Lockdrop’s implementation?

Flight update: We just flew over Spokane, Washington, which means we’re about to start our landing descent, guess I’ll stop here and continue this at the hotel.

Using an Octatco EzFinger2 biometric enabled security key to register
Similarly authenticating with the same security key as part of the sign-in process
Authenticating on iPhone using a platform authenticator

Sponsors of the 2021 FIDO Developer Challenge

The challenge had an impressive set of sponsors, and some of them were able to actually provide us with authenticators to develop and trial as part of the process.

Octatco EzFinger2+, TrustKey G320H & G310H, non-biometric Yubikey 5 Series

Final thoughts

The 2021 FIDO Developer Challenge was a great experience. I’ve learned lots about the state of FIDO2 WebAuthn today, and it’s super exciting seeing technologies and organizations coming together to transform authentication and identity for really, every human on this planet (or nearly everyone, those that use technology).



Get the Medium app

A button that says 'Download on the App Store', and if clicked it will lead you to the iOS App store
A button that says 'Get it on, Google Play', and if clicked it will lead you to the Google Play store
Aaron Brighton

Aaron Brighton

Cloud Infrastructure Architect @ AWS | CISSP | AWS-SAP,DOP