FIDO Authentication: The History of the Fido Alliance, the Promise of FIDO2, and Passkeys

Introduction 

In today's digital landscape, where online security threats are constantly evolving, the need for robust authentication methods has never been more critical. Traditional password-based systems are no longer sufficient to prevent fraud, leading to the rise of advanced authentication solutions. The FIDO Alliance, an industry consortium at the forefront of this movement, is pioneering the development of open and scalable authentication standards that will create a safer digital world for all. 

This blog post explores the history of the FIDO Alliance, its current activities, member companies, and the achievements that make it a game-changer in the realm of secure authentication. It will also outline the steps necessary to achieve FIDO compliance. 

1. What Was the Genesis of the FIDO Alliance? 

The FIDO (Fast Identity Online) Alliance was established in July 2012 as a collaboration between technology industry leaders with a common goal: to address the inherent weaknesses of traditional authentication methods. 

Founding members included industry giants like Google, Microsoft, PayPal, and Lenovo. The alliance aimed to develop open standards that enable simpler, stronger, and more secure online authentication. Newer members include Prove Identity. Together, they work to “solve the world’s password problem.”

Remember, traditional authentication methods like passwords have several inherent weaknesses:

1. Weak and predictable passwords: Many people choose weak passwords that are super easy to guess, such as "123456" or "password." They often use common patterns, dictionary words, or personal information, which can be easily cracked by fraudsters using brute force or dictionary-based attacks. While FIDO works to build a passwordless world, remember that passphrases are a better alternative than passwords in the meantime. 

2. Password reuse: Users are notorious for reusing passwords across multiple accounts, which means that if one account is compromised, all the other accounts using the same password fall like dominoes. Prove’s Passwords & Authentication Consumer Trends Report found that respondents had an average of four “go-to” passwords, with 31% saying these are just different variations of the same password. 

3. Human error: Users may unintentionally reveal their passwords through phishing attacks or by falling for social engineering techniques. For example, they might respond to fraudulent emails or click on malicious links that lead to fake login pages designed to steal their credentials.

4. Password storage: Storing passwords securely is a challenge for service providers. If passwords are not properly hashed and salted, a data breach can expose the actual passwords, enabling attackers to use them directly.

5. Lack of scalability: As the number of online accounts and services continues to grow, users often struggle to remember multiple complex passwords. As a result, they might resort to using simpler passwords or writing them down, compromising security.

6. Single-point vulnerability: When relying solely on passwords, the security of the entire system or service hinges on the secrecy of the password. If the password is compromised, an attacker can gain unauthorized access without any further obstacles.

7. Lack of dynamic authentication: Passwords provide static authentication, meaning that once a user is authenticated, they often remain authenticated until they explicitly log out. This lack of dynamic authentication can be problematic if a device or session is left unattended or if an authorized user's account is compromised.

2. What are the Mission and Objectives of the FIDO Alliance? 

The FIDO Alliance's primary mission is to provide open authentication standards that eliminate the reliance on passwords and enhance online security. The alliance believes in user-friendly, privacy-enhancing authentication methods that prioritize interoperability among devices and platforms. FIDO's core objectives include developing technical specifications, promoting market adoption, and educating industry stakeholders about the benefits of FIDO authentication.

The benefits that an open authentication standard has on the digital ecosystem are immense:

1. Interoperability: Open authentication standards allow different systems and services to communicate and work together seamlessly. A great example of interoperability is the network of ATMs around the country. Regardless of which bank you use, you can deposit and withdraw money from any ATM. This is made possible because there are various standards every bank follows. FIDO is leveraging this same concept of interoperability to achieve a different goal. The FIDO Alliance envisions a world where users can authenticate themselves across various platforms and services without having to create and remember separate credentials for each one. This interoperability simplifies the user experience and promotes the integration of different applications.

2. User convenience: Shared open authentication standards make it easier for users to access multiple services with a single set of credentials. Users can use their existing accounts on popular platforms to authenticate themselves on other websites and applications, eliminating the need to create and remember multiple usernames and passwords. This convenience encourages broader adoption of online services.

3. Security: Open authentication standards can enhance security by implementing robust authentication protocols. These standards often incorporate advanced security measures such as encryption, token-based authentication, and session management, which can help protect user credentials from being compromised during the authentication process.

4. Reduced password fatigue and risks: With shared open authentication standards, users can reduce the number of passwords they need to remember, decreasing the likelihood of weak passwords or password reuse. This reduces the overwhelming burden of password management for users and helps reduce the many risks associated with passwords.

5. Trust and transparency: Open authentication standards provide transparency and clarity in the authentication process. Users can better understand how and where their credentials are being used and shared across different services. Additionally, the open nature of these standards allows for peer review, which helps identify and address potential security vulnerabilities, ensuring greater trust in the authentication mechanisms.

6. Innovation and collaboration: By adopting shared open authentication standards, developers and organizations can focus on building innovative applications and services without needing to reinvent the authentication process for every single website. This collaboration and sharing of best practices drive technological advancements and foster a more vibrant ecosystem of interconnected applications and services.

7. Vendor independence and user control: Open authentication standards reduce dependence on specific vendors or platforms for authentication. Users have more freedom than ever before to choose the identity providers they trust, empowering them to have greater control over their online identities and personal data.

In short, shared open authentication standards create a useful structure that promotes a host of beneficial qualities like interoperability, convenience, security, trust, innovation, and user control. They establish a foundation for seamless and secure authentication across different systems, benefitting both users and service providers and creating a more secure digital environment for all.

3. What are the FIDO Alliance’s Current Initiatives? 

The FIDO Alliance has made significant progress since its inception, advancing authentication standards and promoting their adoption across various sectors. Key initiatives include:

  • FIDO2: The FIDO2 project builds upon the Universal Second Factor (U2F) standard to offer passwordless authentication experiences across devices and web browsers. FIDO2 consists of two primary components: WebAuthn and CTAP. WebAuthn is a web API that enables passwordless authentication, while CTAP allows secure communication between external authenticators and client platforms.
  • FIDO Biometric Component Certification Program: This program ensures that biometric authentication solutions meet specific security and usability standards, encouraging vendors to develop reliable and interoperable biometric systems.
  • FIDO Developer Program: The FIDO Developer Program provides resources, tools, and support to developers who are in the process of implementing FIDO authentication. It includes FIDO Certified™ testing programs and developer-focused events.

4. What are the Benefits of FIDO Authentication?

  • Enhanced Security: FIDO authentication offers robust protection against various forms of online threats, such as phishing, password theft, and man-in-the-middle attacks. With FIDO, users can rely on strong cryptographic mechanisms and multi-factor authentication to secure their online identities effectively.
  • Improved User Experience: FIDO authentication eliminates the need to remember complex passwords, streamlining the user experience. Passwordless authentication methods, such as biometrics and secure hardware tokens, provide a seamless and user-friendly way to access digital services.
  • Interoperability and Standardization: FIDO's open standards promote interoperability between different platforms, devices, and service providers. This fosters competition and innovation while ensuring that users have a consistent and secure authentication experience across various online services.

5. What are the Leading Companies in the FIDO Alliance?

The FIDO Alliance boasts a diverse membership base, consisting of technology leaders such as Prove, device manufacturers, service providers, and industry organizations. Other recognizable member companies include Amazon, Apple, Facebook, Intel, Mastercard, and Samsung. This collaboration between industry giants underscores the broad support and commitment to advancing secure authentication standards.

6. What are the FIDO Alliance's Impact and Achievements So Far?

  • Global Adoption: FIDO authentication has gained significant traction around the world, with widespread adoption across various sectors, including finance, healthcare, e-commerce, and government services. Numerous online services and platforms now support FIDO standards, offering users more secure and convenient authentication options.
  • Standardization and Regulation: The FIDO Alliance has played a crucial role in shaping authentication standards and regulations. Organizations including the World Wide Web Consortium (W3C) and the International Electrotechnical Commission (IEC) have embraced FIDO specifications as international standards.
  • Awards and Recognition: The FIDO Alliance's groundbreaking efforts in improving online authentication have garnered recognition and awards from leading industry and technology publications. These accolades underscore the alliance's impact on the industry and its commitment to driving innovation in secure authentication practices.
  • The SC Awards, presented by SC Media, one of the most respected cybersecurity publications, have recognized the FIDO Alliance for its significant contributions to the field of secure authentication. The alliance has received awards in categories like Best Authentication Technology, Best Multifactor Solution, and Best Identity Management Solution.
  • Beyond specific award programs, the FIDO Alliance has received recognition from industry analysts, research firms, and media outlets. Its contributions to authentication standards and its role in driving the adoption of passwordless authentication methods have been highlighted by influential publications, further cementing its position as a leader in the field.

7. Are There Other Organizations Similar to FIDO Alliance?

There are several organizations with similar goals of advancing digital identity and authentication technologies; here are a few notable examples:

1. OpenID Foundation: The OpenID Foundation promotes and develops open standards for decentralized identity and authentication on the Internet. They focus on technologies such as OpenID Connect and OAuth, which enable secure and seamless authentication across different websites and applications.

2. Kantara Initiative: The Kantara Initiative is a global consortium that works on the development and adoption of privacy and identity management standards. They focus on topics such as digital identity, consent and privacy, and trust frameworks to enable secure and trusted online interactions.

3. Identity Defined Security Alliance (IDSA): The IDSA is a nonprofit organization that brings together industry leaders to advance the adoption of identity-centric security strategies. They focus on promoting the integration of identity and access management (IAM) with security technologies to strengthen defenses against cyber threats.

4. Open Identity Exchange (OIX): The Open Identity Exchange is a nonprofit organization that fosters the development and adoption of open identity trust frameworks. OIX works to establish trust frameworks and certification programs that facilitate the secure exchange of identity information across different sectors and domains.

These organizations share a common goal of advancing identity and authentication technologies, promoting interoperability, and enhancing security and privacy in the digital realm. However, each organization has its specific focus and approach within the broader field of digital identity.

8. How do FIDO Alliance’s Protocols Interact with PSD2?

FIDO standards provide a secure and user-friendly solution for the European payments industry to meet the strong authentication requirements outlined in PSD2 (Payment Services Directive 2). The authentication standards established by the FIDO Alliance offer a scalable approach for the European financial ecosystem to comply with PSD2's requirements for robust user login authentication and cryptographically signed transactions. Importantly, these standards also address the need for transaction convenience, which is essential for both organizations and consumers.

FIDO Authentication is built upon open standards and supported by a vast ecosystem of over 800 FIDO Certified solutions. Banks and payment service providers (PSPs) have the flexibility to choose from various reputable vendors offering modern authentication solutions. Alternatively, they can develop and test their own PSD2 solutions based on FIDO standards. Once implemented, banks and PSPs can accept a range of certified and interoperable FIDO-compliant authenticators available in the market, including those embedded in mobile devices, personal computers, and hardware-backed security keys. This approach minimizes friction in user authentication and surpasses the requirements set by the European Banking Authority (EBA) in PSD2.

The FIDO architecture presents an optimal solution that combines the best aspects of both worlds: it resolves the challenges that led to the introduction of multi-factor authentication requirements, as defined in the EBA's final draft Regulatory Technical Standards (RTS) on Strong Customer Authentication (SCA).

Why is it Important to Select a FIDO-compliant Product?

Selecting a FIDO-compliant product is super important in today's digital landscape, where secure authentication is crucial for protecting sensitive data and mitigating the risks of unauthorized access. Here are the key reasons why selecting a FIDO-compliant product is essential:

1. Enhanced Security: FIDO-compliant products adhere to industry-leading security standards and protocols. By choosing a FIDO-compliant solution, you can leverage advanced authentication mechanisms that go beyond traditional passwords, such as biometrics and hardware tokens. These authentication methods provide stronger protection against identity theft, phishing attacks, and password-related vulnerabilities.

2. Interoperability and Compatibility: FIDO-compliant products ensure interoperability and compatibility with other FIDO-enabled systems. This means that users can seamlessly authenticate across various platforms, services, and devices without the need for multiple authentication methods or credentials. It promotes a consistent and streamlined user experience while maintaining strong security measures.

3. Passwordless Authentication: FIDO standards enable passwordless authentication, eliminating the reliance on passwords as the primary authentication method. Passwords are often weak, easily guessable, and susceptible to breaches or phishing attacks. With FIDO-compliant products, users can authenticate using biometrics (such as fingerprints or facial recognition) or hardware tokens, providing a more convenient and secure authentication experience.

4. Industry Adoption and Support: FIDO authentication has gained significant industry support and adoption across various sectors, including finance, healthcare, e-commerce, and government services. By selecting a FIDO-compliant product, you align yourself with industry best practices and standards, ensuring that your authentication solution is recognized and supported by a broad ecosystem of organizations and services.

5. Future-Proofing: FIDO standards continue to evolve and adapt to emerging security challenges and technologies. By choosing a FIDO-compliant product, you future-proof your authentication infrastructure, as it can readily accommodate advancements and updates in FIDO specifications. This flexibility allows your organization to stay ahead of evolving threats and leverage emerging authentication methods as they become available.

What is a Passkey?

One of the most prominent results of FIDO2 is the development of the passkey. A passkey is a unique code or password that is used to verify the identity of a user or device and grant access to a system, network, or specific resources. Passkeys are typically used in situations where a higher level of security is required. They can be used in various scenarios, such as:

1. Wireless devices: Passkeys are often used to secure Bluetooth connections between devices. When pairing two Bluetooth-enabled devices, a passkey may be required to ensure that only authorized devices can connect.

2. Wireless networks: In Wi-Fi networks, a passkey is used as a security measure to prevent unauthorized access. When connecting to a protected Wi-Fi network, users must enter the correct passkey to gain access.

3. Encryption: Passkeys are used in encryption algorithms to protect sensitive information. The passkey is used as an input to the encryption process, ensuring that only individuals with the correct passkey can decrypt and access the encrypted data.

4. Two-factor authentication: Passkeys can be used as part of a two-factor authentication (2FA) system. In addition to a regular password, a passkey may be required to provide an extra layer of security. The passkey is typically generated by a physical or digital token and changes regularly to prevent unauthorized access.

Conclusion 

The FIDO Alliance has emerged as a driving force in the realm of secure authentication, spearheading the development of open standards that prioritize user privacy, security, and convenience. Through its collaborative approach and diverse membership, the alliance has successfully pushed for the adoption of FIDO authentication across various sectors, fostering a more secure digital environment. As the threat landscape continues to evolve, the FIDO Alliance remains dedicated to innovation, ensuring that authentication methods stay one step ahead of cybercriminals, offering users a safer and more seamless online experience.
