TL;DR
Yes, FIDO can be implemented for shared devices, but it requires careful planning and configuration. You’ll need to use a combination of strong authentication policies, device attestation (where possible), user context checks, and potentially multi-factor authentication alongside FIDO. This guide outlines the steps involved.
Implementing FIDO on Shared Devices
1. Understand the Risks: Shared devices inherently introduce security risks. Anyone with access to the device could potentially impersonate another user. Mitigating these risks is paramount.
2. Choose a Suitable FIDO Method: Consider which FIDO methods are appropriate for your use case:
   - FIDO2 WebAuthn/CTAP: This uses roaming security keys (USB, NFC) or platform authenticators (e.g., the fingerprint reader built into a laptop). It is generally more secure than passwords but requires users to have their own authenticators. Note that a platform authenticator's credentials are bound to that device (and normally to the OS user profile), so on a shared device it only keeps users apart if each user signs in to a separate OS account.
   - FIDO UAF: Less common now; typically used with mobile devices and app-specific authentication.
   For shared devices, WebAuthn/CTAP is usually the better option if you can enforce authenticator ownership (see step 3).
3. Authenticator Ownership & Management: This is the biggest challenge.
   - Dedicated Authenticators: Ideally, each user has their own security key. This provides the strongest security but may not be practical for all shared device scenarios.
   - Shared Authenticator with User Context: If authenticators *must* be shared:
     - Strong Authentication Policies: Require a PIN or password to unlock the authenticator before FIDO authentication (in WebAuthn terms, request `userVerification: 'required'` and check the UV flag in the returned authenticator data). This adds an extra layer of protection. Bear in mind that the PIN protects the authenticator, not a particular user: everyone who shares the key shares its PIN, which is why the context checks below are still needed.
     - User Context Checks: Implement checks to verify the user's identity beyond just the FIDO token. This could include:
       - Location-based restrictions: Only allow authentication from trusted locations.
       - Time-of-day restrictions: Limit authentication to normal working hours.
       - IP address filtering: Restrict access based on known IP addresses.
   - Device Attestation (if supported): Verify the authenticity of the authenticator, and where possible the device itself, before allowing FIDO registration or authentication. FIDO attestation identifies the authenticator make and model at registration time, which lets you restrict registration to approved key types; verifying the host device usually requires device management, which is harder with shared devices because they may not be consistently managed.
4. Registration Process: The initial FIDO registration process needs to be secure:
   - Out-of-Band Verification: Verify the user's identity through a separate channel (e.g., SMS code, email verification) before allowing them to register their authenticator.
   - Registration Limits: Limit the number of authenticators each user can register.
5. Session Management: Implement robust session management:
   - Short Session Times: Keep sessions short to minimize the window of opportunity for unauthorized access.
   - Automatic Logout: Automatically log users out after a period of inactivity.
   - Session Revocation: Allow administrators to revoke active sessions in case of suspected compromise.
6. Monitoring and Auditing: Continuously monitor for suspicious activity:
   - Authentication Logs: Log all FIDO authentication attempts, including successful and failed logins.
   - Anomaly Detection: Implement systems to detect unusual login patterns (e.g., multiple failed logins from different locations).
   - Regular Security Audits: Conduct regular security audits to identify vulnerabilities and weaknesses in your implementation.
7. Multi-Factor Authentication (MFA): Consider adding MFA as an extra layer of protection, especially for high-risk applications. For example, require a one-time password from an authenticator app *in addition* to FIDO authentication.
8. Example WebAuthn Registration Code Snippet (Conceptual):

   ```javascript
   // Simplified: a full WebAuthn flow still needs a server-side library to
   // issue the single-use challenge and to verify the returned attestation.
   navigator.credentials.create({
     publicKey: {
       challenge: challenge,                                 // Uint8Array issued by the server
       rp: { id: 'your-domain.com', name: 'Your Service' },  // rpId lives inside the rp entity
       user: userCredential,                                 // { id: Uint8Array, name, displayName }
       pubKeyCredParams: [{ type: 'public-key', alg: -7 }],  // ES256; required by the spec
       authenticatorSelection: { userVerification: 'required' }, // PIN/biometric on the authenticator
     }
   }).then(credential => {
     // Send credential.response to the server for attestation verification and storage
   }).catch(error => {
     // Handle errors (user cancelled, timeout, no suitable authenticator)
   });
   ```

9. Regular Updates: Keep your FIDO libraries and software up to date with the latest security patches.
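The user context checks from step 3 and the anomaly detection from step 6, as an added server-side example in Node.js that is not part of the original page; the policy values, log field names and log entries are constructed assumptions:

```javascript
// Added example, not from the original page: server-side context checks and anomaly
// detection for FIDO logins on shared devices. Policy values, field names and log entries are constructed.
const POLICY = {
  trustedIps: new Set(['10.0.5.10', '10.0.5.11']), // shared kiosk addresses (assumed)
  workHours: { start: 8, end: 18 },                 // UTC hours, end exclusive
  maxFailures: 3,                                   // failures per user inside one window
  windowMs: 10 * 60 * 1000,                         // 10-minute sliding window
};

// Context checks run after the FIDO assertion itself has been verified.
// Returns the reasons for rejecting the attempt; an empty list means allowed.
function checkContext(attempt, policy = POLICY) {
  const reasons = [];
  if (!policy.trustedIps.has(attempt.ip)) reasons.push('untrusted-ip');
  const hour = new Date(attempt.ts).getUTCHours();
  if (hour < policy.workHours.start || hour >= policy.workHours.end) reasons.push('outside-hours');
  // userVerified mirrors the UV flag in the authenticator data (key unlocked with PIN/biometric)
  if (!attempt.userVerified) reasons.push('authenticator-not-unlocked');
  return reasons;
}

// Flags users with maxFailures failed logins from more than one location inside
// one window: the "multiple failed logins from different locations" pattern.
function detectAnomalies(log, policy = POLICY) {
  const failsByUser = new Map();
  for (const entry of log) {
    if (entry.result !== 'fail') continue;
    if (!failsByUser.has(entry.user)) failsByUser.set(entry.user, []);
    failsByUser.get(entry.user).push(entry);
  }
  const flagged = [];
  for (const [user, fails] of failsByUser) {
    fails.sort((a, b) => a.ts - b.ts);
    for (let i = 0; i + policy.maxFailures <= fails.length; i++) {
      const win = fails.slice(i, i + policy.maxFailures);
      const span = win[win.length - 1].ts - win[0].ts;
      const locations = new Set(win.map(e => e.location));
      if (span <= policy.windowMs && locations.size > 1) { flagged.push(user); break; }
    }
  }
  return flagged;
}

const T0 = Date.parse('2024-03-04T09:00:00Z'); // constructed sample log, UTC timestamps
const SAMPLE_LOG = [
  { user: 'alice', ts: T0,                ip: '10.0.5.10',   location: 'lobby',  result: 'ok',   userVerified: true },
  { user: 'bob',   ts: T0 + 60000,        ip: '10.0.5.10',   location: 'lobby',  result: 'fail', userVerified: true },
  { user: 'bob',   ts: T0 + 120000,       ip: '10.0.5.11',   location: 'ward-2', result: 'fail', userVerified: true },
  { user: 'bob',   ts: T0 + 180000,       ip: '10.0.5.11',   location: 'ward-2', result: 'fail', userVerified: true },
  { user: 'carol', ts: T0 + 12 * 3600000, ip: '203.0.113.7', location: 'remote', result: 'fail', userVerified: false },
];
```

Running `checkContext` on each entry and `detectAnomalies` over the whole log gives the two signals a relying party would feed into session revocation and alerting.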

