The Secret to Phishing-Resistant Authentication
Say goodbye to easily foiled one-time passwords with this step-by-step guide to deploying FIDO2
- As attackers increasingly intercept one-time passwords, FIDO2 stops phishers cold: the private key never leaves the authenticator, and every signature is bound to the site that registered it, so a lookalike site gets nothing it can replay.
- Industry giants already trust FIDO2—your users are likely ready too.
- A proven authentication service like Symantec VIP makes it easy to deploy strong, phishing-resistant authentication.
Phishers have become a menace. Attackers send helpful-looking text messages and coax unsuspecting users into handing over the one-time password (OTP) they use for identity verification. Once a phisher pairs that OTP with the user’s stolen password, they can log into the account and perform nefarious activities. Unfortunately, a traditional OTP is just a short code that anyone can type: the service can’t tell the difference between the real user and a smooth-talking phisher who relays the code within its validity window.
Phishing-resistant credentials flip the script: there’s less to type and nothing a phisher can usefully steal. A FIDO2 credential is a key pair whose private half never leaves the authenticator. At login the authenticator signs a fresh challenge from the server, and the browser records the origin of the page the user is actually on, so a signature produced on a lookalike domain is useless to the real site. The FIDO2 standard (WebAuthn in the browser plus CTAP between browser and authenticator) lets organizations augment or even replace passwords and their associated risks with strong, possession‑based credentials. That means when security tools offer FIDO2 support, organizations can let users prove “something you have” without risking “something you can hand over.”
Why passwords are failing you
For decades, primary authentication hinged on passwords and costly digital certificates. With passwords the weak link in many breaches and certificates requiring expensive integrations to get started, the time was ripe for an alternative. FIDO credentials bring the ease of use that passwords enjoy, along with the strongest point of digital certificates: public-key cryptographic authentication. The private key never leaves the authenticator; the user merely performs a quick gesture (tapping a security key, holding it to an NFC reader, or unlocking with a biometric) and the signed challenge-response exchange happens behind the scenes.
With FIDO’s user experience matching (and often beating) passwords, adoption is accelerating. The world's largest providers offer these phishing-resistant credentials to their billions of users. That widespread familiarity removes a major barrier to change. Now the real question of adoption surfaces: Do we want to adopt this? If so, how?
The industry’s road to passwordless
The FIDO Alliance launched in February 2013 with the aim of giving users the option to replace passwords. Since most sites still use a single factor of authentication, the idea is to make the default factor something stronger than a password while providing the interoperability today’s web requires.
Major industry players have been adopting FIDO authentication at a rapid rate.
- 2014 - Yubico popularizes hardware FIDO keys.
- 2017 - Facebook enables FIDO for account protection.
- 2019 - Google rolls FIDO2 into Android; Microsoft adds it to Windows Hello.
- 2021 - Amazon distributes free FIDO security keys to AWS customers.
Today, FIDO2 authentication comes in two general forms: simple possession (the authenticator only proves the user is present) and possession with user verification (the authenticator is first unlocked with a biometric or PIN). With simple possession, at authentication the user presents a roaming authenticator such as a security key by plugging it in via USB or holding it to an NFC reader, then touches it to prove presence.
Possession with biometric authentication generally uses a platform authenticator built into the user’s laptop or phone. The user enrolls their biometric on the device (something they possess). At authentication time that biometric unlocks the authenticator, and only then does the FIDO2 signature proceed.
How to implement FIDO2 authentication
One highly effective way to implement FIDO2 authentication is to deploy Symantec VIP, a cloud-based, strong authentication service that uses FIDO2 to let users bring phishing-resistant credentials as their possession factor. Here’s how to deploy FIDO for Symantec VIP with ease:
In the VIP Manager console, go to Policies, find the Biometric / Security Key section and enable the setting.
If you use our registration portal, My VIP, your users will immediately see a new tile when they register credentials, and it takes them through the registration process.
If you have your own registration portal, VIP has two APIs used in registration (fidoPreRegister and fidoRegister) as well as two used in authentication (fidoPreAuthenticate and fidoAuthenticate), documented here.
Symantec VIP offers a range of authentication capabilities, including FIDO2, classic OTP, push-based authentication, email, voice and other techniques, together with the policy and management infrastructure a modern deployment needs.
Evolve your security strategy
By adopting Symantec VIP, organizations can strengthen their authentication security, protecting both users and sensitive data from emerging threats. We know transitions aren’t always easy, but the long-term benefits—both in security and user trust—far outweigh the effort.
When you’re ready to move beyond vulnerable OTPs, FIDO2 with VIP offers a proven, standards-based and streamlined path that meets users where they’re at. Watch the video to see how it all works.
