23.11.2023

Paving the way to a safer and easier authentication to enterprise networks

Network

Drawing on their experience with eduroam, the international Wi-Fi roaming service, the Restena Foundation and DFN have co-authored a standardisation proposal for a new authentication method to enterprise networks that combines the EAP and FIDO2 standards.

In late October 2023, Stefan Winter, Research Engineer and Chief Technology Officer at the Restena Foundation, and his colleague Jan-Frederik Rieckers from the German Research and Technology Network (Deutsches Forschungsnetz – DFN) published an Internet-Draft entitled ‘EAP-FIDO’ within the Internet Engineering Task Force (IETF), a standards development organization (SDO) for the Internet. The authors presented the document at the IETF meeting in Prague (IETF 118) in November 2023 to a room full of experts in authentication protocols.

Cryptography instead of password

In this working document, the authors, both members of the international Research & Development (R&D) team of eduroam, specify an authentication method for the Extensible Authentication Protocol (EAP) that uses FIDO2 security tokens. EAP is a widely used standard for server and user authentication. FIDO2 is a standard based on public key cryptography for proving the identity of the person wishing to access an account; until now it has been used almost exclusively to protect resources accessed through web browsers (where it is known as WebAuthn).

Combining these two standards, which until recently seemed incompatible, could revolutionise user authentication to enterprise networks. Previously, user authentication relied either on passwords (sent over the network in one form or another) or on TLS client certificates (very secure, but impractical to deploy). With the method proposed in the working document, password authentication is replaced by asymmetric cryptography using key pairs, which brings the benefits of client certificates without their drawbacks. The document also gives clear guidance on how to decide whether a server certificate is valid for a specific authentication.
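To illustrate the shift from passwords to asymmetric cryptography described above, the following Go program is an added example (not code from the draft, nor from Restena or DFN) of a FIDO2-style challenge-response in simplified form: the server stores only a public key bound to a Relying Party ID, the token signs a fresh server challenge, and an assertion produced for a different RP ID or for a stale challenge is rejected. The RP ID `wifi.example.org`, the `signedData` hash construction and the function names are assumptions for illustration, not the draft's actual message format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Credential is all the server stores per user: a public key registered for
// one Relying Party ID. There is no password to leak or to phish.
type Credential struct {
	RPID string
	Pub  *ecdsa.PublicKey
}

// Register models enrolling a FIDO2 token: the private key stays on the token,
// only the public key goes to the server, bound to the RP ID it was made for.
func Register(rpID string) (*ecdsa.PrivateKey, Credential, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, Credential{}, err
	}
	return k, Credential{RPID: rpID, Pub: &k.PublicKey}, nil
}

// NewChallenge is the server's fresh nonce; a reused one would permit replay.
func NewChallenge() ([]byte, error) {
	b := make([]byte, 32)
	_, err := rand.Read(b)
	return b, err
}

// signedData binds the challenge to the RP ID (assumed simplification of how a
// FIDO2 assertion covers the rpIdHash together with the client data hash).
func signedData(rpID string, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	d := sha256.Sum256(append(rp[:], challenge...))
	return d[:]
}

// Assert is the token side: sign the challenge for the RP ID the client
// believes it is talking to. The private key itself is never transmitted.
func Assert(token *ecdsa.PrivateKey, rpID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, token, signedData(rpID, challenge))
}

// Verify is the server side: stored key, the server's own RP ID and the
// challenge it issued must all line up, otherwise the assertion is rejected.
func Verify(c Credential, challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(c.Pub, signedData(c.RPID, challenge), sig)
}
```

Because the server's own RP ID enters the verification, a signature obtained by a look-alike network cannot be replayed against the genuine one, which is the property passwords lack.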

A methodology to be further developed

The initial working document is written for, and discussed within, the IETF EAP Method Update (emu) working group, whose remit is to update existing EAP methods and produce related documents. It is the first step in a long series of discussions to which the international Internet community is invited to contribute.

Open questions include how to determine the FIDO Relying Party ID, and how to handle the deprovisioning of EAP configuration (i.e., the removal of devices that automatically allocate resources to a user). These questions will be discussed within the IETF in the coming months. Once the standard is finished and industry implementations are available, enterprise Wi-Fi, secured Ethernet and VPN services around the globe will be able to adopt this new authentication method.