What Is FIDO2, and How Does It Work?

by Jake Wengroff

FIDO2 is the umbrella term for an open standard for authentication that does not rely on passwords. It was developed by the Fast Identity Online (FIDO) Alliance, an industry consortium whose broad membership consists of banks, e-commerce companies, payment providers, original equipment manufacturers (OEMs), technology firms and others.

What is Authentication?

Authentication is the process of confirming the identity of a user before granting that user access to a device, application or network.

As the initial step in identity verification and access control, the user presents one or more factors to the authentication platform: something they know (a password or PIN), something they have (a phone or a security key), or something they are (a fingerprint or face).

The History of the FIDO Alliance

While security standards and protocols are nothing new, the FIDO Alliance celebrates its 10-year anniversary this month, July 2022. Here are a few early milestones:

July 2012 – The FIDO Alliance was founded by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio, with the aim of producing a passwordless authentication protocol. In February 2013, the Alliance was launched publicly.

April 2013 – Google, Yubico and NXP joined the Alliance and brought with them the idea of an open, second-factor authentication protocol. Such second-factor devices were successfully deployed to Google employees as a precursor to publicly publishing the second-factor protocol.

February 2014 – PayPal and Samsung collaborated on the first deployment of FIDO authentication, which enabled Samsung Galaxy S5 users to log in and shop with a simple finger swipe for online, mobile and in-store payments wherever PayPal was accepted.

December 2014 – Version 1.0 of the passwordless protocol, FIDO Universal Authentication Framework (FIDO UAF), and of the second-factor protocol, FIDO Universal 2nd Factor (FIDO U2F), were completed and published simultaneously. This is when production deployments of fully compliant v1.0 devices and servers began.

February 2015 – Microsoft announced that it would support FIDO authentication in Windows 10 based on its contributions to new FIDO specifications.

May 2015 – The Alliance introduced the FIDO Certified testing program, and the first FIDO Certified testing sessions were conducted.

Why FIDO?

The FIDO Alliance developed FIDO authentication standards in order for the process to be more secure than passwords, simpler for consumers to use, and easier for service providers to deploy and manage. The standards are based on public-key cryptography for authentication, enabling a replacement of password-only log ins with secure and fast experiences across websites and apps.

This is why such companies as Amazon, Apple, Google, Meta and Samsung are board-level members of the FIDO Alliance; as the providers of consumer-facing websites and apps, they seek more security and safety for users without compromising user experience.

“Traditional” authentication strategies are no longer strong enough to keep devices and data safe. A password is knowledge-based authentication (KBA): it can be guessed, reused across sites or phished. Even an SMS one-time password (OTP), a weak possession factor, can be intercepted or relayed to the attacker in real time. According to the FIDO Alliance, FIDO2 “reflects the industry’s answer to the global password problem” by addressing legacy authentication’s challenges as they pertain to security, usability, privacy and scalability.

Vendors can submit FIDO2 authenticators, clients and servers to the FIDO Alliance's FIDO Certified program, which tests conformance to the specifications and interoperability between implementations. Authenticator certification levels additionally assess how well private keys are isolated on the user's device, so that credentials stay decentralized on users' own devices rather than pooled on a server.

The user’s private key is generated on the authenticator itself; it is not derived from a biometric. A biometric modality such as fingerprint, face or voice recognition (or a PIN) only unlocks local use of that key, which then signs a challenge issued by the relying party. For even stronger security, some authenticators keep private keys in hardware that is isolated from the device’s operating system, such as a trusted execution environment or a secure element, so that even a compromised OS cannot extract them.

FIDO in Action: Face ID & Hardware Keys

Two of the more popular ways to authenticate to a device or application are platform face authenticators and hardware security keys.

A platform face authenticator, such as Apple’s Face ID, lets a user log in to a mobile application like a banking or payment app with their face. To defeat a static, two-dimensional photo, face authenticators perform liveness detection (such as detecting eye blinking or depth) to protect against spoofing. The captured face data never leaves the security boundary of the authenticator; neither the app nor the server ever receives it.

Each time the user logs in to the mobile application with a FIDO-certified face authenticator, their face is matched against the template stored on the device. Once matched, the private key is unlocked on the device and used to sign a fresh challenge from the server together with the identifier of the site or app the key was registered for. The server verifies that signature with the public key it stored at registration, and the login completes. Because the private key never leaves the device and the signature is bound to the registered site, a look-alike site cannot obtain a signature it can use.

Hardware security keys are another important modality, usable as a second factor or for passwordless login. Security keys are cheap and easy to use, resist phishing because a key only signs for the site it was registered with, and offer more security than SMS-based two-factor authentication. Formats include USB-A and USB-C, Lightning for iPhone users, NFC and Bluetooth-enabled keys.

Of course, a misplaced hardware key could present an issue. Private keys cannot be exported or cloned from a security key, so a lost key cannot be restored, and the manufacturer has no way to recover the account. The practical answer is to register a second key as a backup at enrollment time. If one key is lost or stolen, the user logs in with the backup (or another registered method, such as a phone authenticator app), removes the lost key’s public key from each account so it can no longer be used, and enrolls a replacement. Services also typically offer their own account-recovery process for users with no remaining authenticator.

Benefits of FIDO2

FIDO’s promise: stronger security while not compromising on the user experience. As newer versions of the protocols are rolled out, improvements provide even more benefits for users. Let’s have a look at the multiple benefits FIDO2 provides:

Security

FIDO2 cryptographic login credentials are unique for every website, never leave the user’s device and are never stored on a server (the server holds only the public key). According to the FIDO Alliance, this security model eliminates the risks of phishing, all forms of password theft and replay attacks. It should also reassure users that no two FIDO-enabled services receive the same credential: each site gets its own key pair, so a breach of one site’s stored public keys yields nothing that can be used to log in there or anywhere else.

Convenience

Using simple hardware that nowadays can be found built into devices, such as fingerprint readers or cameras, or by leveraging easy-to-use FIDO security keys, users can unlock cryptographic login credentials. Oftentimes, multiple hardware options within devices exist, giving consumers even more choice and control over authentication.

Privacy

Because FIDO cryptographic keys are unique for each internet site, they cannot be used to track users across sites. Additionally, biometric data stays local to the user’s device and is not stored in a cloud service that can be compromised.

Scalability

Websites can enable FIDO2 through a simple JavaScript API, the W3C Web Authentication (WebAuthn) API (navigator.credentials.create() for registration and navigator.credentials.get() for login), which is supported across leading browsers and platforms used by billions of devices (and consumers) every day. This is why device manufacturers such as Apple and Samsung have joined the FIDO Alliance.

How FIDO Works

The FIDO protocols use standard public-key cryptography. During registration with an online service, the user’s client device creates a new key pair, retaining the private key locally on the device and registering the public key with the online service.

Authentication is carried out by the client device proving possession of the private key: the service sends a random challenge, the device signs it, and the service checks the signature with the public key it registered. The client’s private keys can be used only after they are unlocked locally on the device by the user, and they never leave the device. The local unlock is accomplished by a secure action, such as a finger swipe, speaking into a microphone, pressing the button on a security key, entering a PIN or another action by the user.

How Is FIDO2 Different From Earlier Versions of the Standard?

FIDO2 is the successor to the earlier FIDO UAF and FIDO U2F standards. It consists of two specifications: the W3C Web Authentication (WebAuthn) API, which browsers and platforms expose to web applications, and the FIDO Alliance’s Client to Authenticator Protocol (CTAP), which carries requests between a client and an external authenticator over USB, NFC or Bluetooth.

As a successor to FIDO UAF, FIDO2 brings passwordless login to the web platform itself, rather than to vendor-specific mobile apps, on top of a site’s existing account infrastructure. As a successor to FIDO U2F, FIDO2 keeps second-factor use: U2F was carried forward as CTAP1, so existing U2F security keys still work as a second factor with WebAuthn-enabled sites. A passwordless system is the newer approach, since passwords are themselves an attack vector that social engineering attacks like phishing target.

Your Authentication Solution for the Enterprise

The Migus Group can help you improve your enterprise authentication and access management strategies. Even if your organization already has authentication protocols and security policies in place, we can evaluate whether they are working optimally for your organization.

Contact us today to learn more.


Jake Wengroff writes about technology and financial services. A former technology reporter for CBS Radio, he covers such topics as security, mobility, e-commerce and the Internet of Things.