In recent times, there have been frequent media reports about how the major players such as Apple, Google and Microsoft are working towards a passwordless future for logins. A new technology called the FIDO standard is always mentioned in this context. However, this technology is not actually new at all. As it happens, this year sees the FIDO Alliance, which developed the standard, celebrating its tenth anniversary. The alliance favours not only doing away with passwords but also adopting strong data protection principles: the FIDO Privacy Principles.
In this blog post, we explain what’s behind them.
The FIDO Alliance
In the FIDO Alliance – the abbreviation for Fast IDentity Online – several hundred companies and organisations have joined forces to develop uniform internet authentication standards. In addition to the key players mentioned above, members include PayPal, for example, and the BSI (the Federal Office for Information Security in Germany). Recently, the focus has been on what is called the FIDO2 standard, which enables passwordless logins with all web browsers.
FIDO and privacy
FIDO technology cannot avoid permanently storing information about individual users to guarantee secure user verification and authentication. Since the FIDO Alliance aims to provide login processes with maximum protection against external attacks, this also applies to the protection of data entrusted to it. It sets out how it collects and uses this personal data while also championing its privacy in the FIDO Privacy Principles. They regulate what is permitted to happen to the data used during the two typical FIDO processes – registration and subsequent authentication for an online service. Let’s take a closer look at these processes.
User registration and verification
To use the FIDO process, each user requires an authenticator. This can be a special hardware token but also a smartphone equipped with a fingerprint sensor. The user environment also includes the FIDO client, which allows the authenticator to communicate with the FIDO server. The server itself is part of the infrastructure of the online service in question. Asymmetric public/private key cryptography plays an essential role in this process. During registration, the authenticator creates a new key pair. The provider holds the public key, and the private key is kept on the user’s authenticator. The device can also ensure that only the domain of the participating online provider can use the public key. During the login procedure, the public key is compared with the private key, and the login is only successful if they match.
Thus, the use of FIDO-based authentication methods also provides an additional level of security for transaction confirmations, as they ensure that the payment is actually made by the person authorised to use the account.
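The registration and login flow described above, as an added example that is not part of the original post or of any FIDO specification: a simplified Node.js model in which the "comparison" of the keys is a signature over a fresh server challenge, checked with the stored public key. The class names, the `example` origins, the user `alice` and the signed message layout are assumptions for illustration; real FIDO2 messages carry more fields.

```javascript
// Added illustration: a simplified model, not the WebAuthn wire format.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Hypothetical stand-in for a hardware token or phone.
class Authenticator {
  constructor() { this.keys = new Map(); }      // origin -> private key, never exported
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);
    return publicKey;                            // only the public half leaves the device
  }
  signChallenge(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null;                       // no credential registered for this origin
    return sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Hypothetical FIDO server side of one online service.
class Server {
  constructor(origin) { this.origin = origin; this.users = new Map(); this.pending = new Map(); }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const challenge = randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  login(user, signature) {
    const challenge = this.pending.get(user);
    this.pending.delete(user);                   // challenges are single use
    const publicKey = this.users.get(user);
    if (!challenge || !publicKey || !signature) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return verify('sha256', signed, publicKey, signature);
  }
}

function demo() {
  const token = new Authenticator();
  const shop = new Server('https://shop.example');   // constructed sample origins
  const bank = new Server('https://bank.example');
  shop.enroll('alice', token.register(shop.origin));
  bank.enroll('alice', token.register(bank.origin));
  const sig = token.signChallenge(shop.origin, shop.newChallenge('alice'));
  const ok = shop.login('alice', sig);
  shop.newChallenge('alice');
  const replay = shop.login('alice', sig);       // old signature, fresh challenge
  const relayed = token.signChallenge('https://shop-example.test', shop.newChallenge('alice'));
  const otherOrigin = shop.login('alice', relayed);
  const pem = (s) => s.users.get('alice').export({ type: 'spki', format: 'pem' });
  return { ok, replay, otherOrigin, linkable: pem(shop) === pem(bank) };
}
```

`demo()` shows a valid login succeeding, a replayed signature and a request from a different origin both failing, and the two services holding different public keys for the same user, so the keys alone cannot be used to link the accounts.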
Only available as a twin pack: privacy and security
How are the FIDO Privacy Principles applied in this context? Very simply: privacy and the realisation of security during the registration process are inseparably linked. Both pursue the same goal: to authenticate the correct user and only when the user requests this. To ensure that this happens, FIDO authenticators, clients and servers must comply with the following privacy principles:
FIDO Privacy Principles
- The user must be informed of and explicitly consent to every process using personal data.
- All FIDO processes occur in a context that is clear to the user. This also means that it must be clear which user and server identities are used.
- Personal data is collected solely for FIDO-related purposes such as registration and verification. In contrast, the online provider may collect information at the same time that is not required for the FIDO application.
- Data collected during a FIDO operation may be used solely and exclusively for identification processes, such as registration, user verification or authorisation.
- FIDO-related data must not be used to identify a user outside the scope of a FIDO operation or an identification procedure the user requests and expects, such as a system login.
- Biometric data, its measurements and derivatives must be protected so that the authenticator or computer cannot access it.
- FIDO-related data must be protected against unauthorised access or disclosure.
- Users must be able to manage and view their FIDO authenticators without difficulty. This means, for example, that a lost authenticator can easily be unregistered.
The FIDO Privacy Principles reflect the commitment of the FIDO Alliance to protect user privacy. The FIDO protocols were developed accordingly to adhere to the ‘privacy by design’ approach. This means that privacy was already integrated into the data processing operations when the comprehensive technical mechanisms were developed.