2012: The Foundation of the FIDO Alliance
The origins of FIDO go back a decade. At that time, so many transactions were already being processed online worldwide that the development of a global industry standard for authentication – ideally, one that worked without passwords from the get-go – was needed. With this in mind, six technology specialists joined forces in 2012: PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio. As the non-commercial FIDO Alliance, they began developing the FIDO standard, which is now becoming increasingly widespread.
In a nutshell, FIDO (short for Fast Identity Online) is an industry standard for secure, fast and simple authentication on the internet. It enables hardware-supported authentication using fingerprints or facial recognition for more security, speed and usability.
2014: FIDO1 goes live
As the first step towards a passwordless future, the FIDO Alliance published the first open standard, FIDO1, in 2014. It is based on:
- the FIDO UAF (FIDO Universal Authentication Framework) network protocol for passwordless authentication and
- FIDO U2F (FIDO Universal 2nd Factor) with hardware and software specifications for two-factor authentication – entering the username or a PIN in combination with facial recognition or fingerprint scanning, for example.
One of the well-known applications is the login process via Windows Hello in Microsoft’s Windows 10 operating system. This already uses facial or fingerprint recognition and a PIN for the login.
2016 marks the next milestone: FIDO2
In 2016, FIDO UAF and FIDO U2F were followed by FIDO2, the third standard to emerge from the work of the FIDO Alliance. Its development took place in cooperation with the W3C (World Wide Web Consortium). It was based on the W3C Web Authentication Standard (WebAuthn) and the Client to Authenticator Protocol (CTAP) of the FIDO Alliance. One goal was to integrate secure FIDO authentication as standard in all web browsers.
How FIDO2 works
With FIDO2, users can identify themselves to websites without a password thanks to verified hardware. This hardware may be external tokens such as USB sticks, for example. Smartphones with special apps can also serve as authenticators and enable verification via fingerprint sensor or face scan. Asymmetric (public/private key) cryptography plays an important role here. During registration, two keys are created: a private key and a public key. While the latter is held by the provider, the private key stays on the user’s device. At registration and at every later login, the device proves possession of the private key by signing a challenge from the provider, who checks the signature with the stored public key.
The benefits of FIDO2
Security: The cryptographic credentials are unique for each website, never leave the user’s device and are not stored on any server. This minimises the risk of phishing and password theft.
Convenience: Users unlock their credentials on mobile devices with the built-in fingerprint sensors, face scan camera or other easy-to-use FIDO2 authenticators.
Data protection: The FIDO keys are unique for each website, so they cannot be tracked across different websites.
Scalability: Even single-factor authentication using FIDO2 is more secure than password authentication in most cases. If different security levels are required, simple adjustments are possible – for example with FIDO2 multifactor authentication.
The latest versions of popular operating systems such as iOS, Android, Windows and macOS already support FIDO2.
Towards a passwordless future
Today, the FIDO Alliance counts globally leading companies from the tech industry among its members, including the giants Apple, Google and Microsoft. They most recently announced a cooperation in May to simplify the options for passwordless login, and they are taking the security standards of the FIDO Alliance as their guide. As part of this, new functions are planned in the operating systems, which are set to be delivered with updates over the course of the following year. At that time, the FIDO access data – known as passkeys – will automatically be available to users on several devices. Nor will it be a problem to integrate new devices in future. In addition to the backup and settings, the passkeys will also be transferred to the new device from the cloud during setup.
So passwordless, secure authentication using the FIDO2 standard is the order of the day. Online service providers and retailers should now consider whether they want to follow the big players' example and offer their users passwordless, secure login processes. The upshot: forgotten passwords will finally be a thing of the past.