With the growing realisation that passwords were becoming ineffective and outdated means of providing security, the FIDO (Fast Identity Online) Alliance (founded in 2013) decided to work on a new solution. Backed by the big tech sector leaders (MAMAA), FIDO, an open and standardised set of authentication protocols, was designed with the goal of eliminating passwords. Since then, there have been three major FIDO standards: FIDO UAF, FIDO U2F, and FIDO 2 (WebAuthN/CTAP2).
FIDO authentication uses standard public key cryptography techniques in lieu of passwords to provide a more secure authentication process. This approach offers more robust protection against phishing attacks and other data breach attempts.
FIDO relies on standard public key cryptography techniques to replace password authentication. When registering with an online service, a user’s device (mobile phone, tablet, etc.) creates a so-called key pair. The device itself stores the private key while the public key is registered with the respective online service.
During the registration process, users select their authentication method depending on the technical capabilities of their devices. The options include e.g. fingerprint scan, voice recognition, facial recognition, or PIN. These biometric identifiers are safely stored on the user’s device and never shared. Thereafter, authentication is a seamless process. The user’s device proves possession of the private key by signing a so-called challenge. The private key is unlocked via the user’s pre-selected method i.e. fingerprint scan, facial recognition, etc.
FIDO protocols have been devised with user privacy in mind. They do not provide user information that can be exploited by online services to track user behavior and movements across various services.
As mentioned, the FIDO Alliance has created three standards since 2013. Each has its own pros and cons depending on how they are implemented. Let’s take a close look at the different protocols.
Rather than completely replacing the password, FIDO U2F protocols works alongside it by asking users to provide two factors to verify their identities:
Once the security key or token has been activated (often by the press of a button on the device), the browser interacts directly with said device to provide access to the online service.
By contrast, the FIDO UAF protocol allows for a passwordless sign-on experience while also providing a multi-factor (MFA) sign-on option for added security. It was originally developed with the authenticators on mobile phones (Touch ID, Face ID) in mind. This is the most common authentication method in the financial sector in the United States and Europe.
Users relying on UAF need a computer, smartphone, etc. that they can register with the online service. When registering, users select an authentication method. Depending on the device, the service provider offers a list of possible options i.e. facial or voice recognition, fingerprint scan, or a PIN. For MFA sign-on, the authentication process simply requires more than one of these options. Once a user is registered, they can no longer sign in with a password.
FIDO2 is built with two open standards: the FIDO Client-to-Authenticator protocol (CTAP) and the aforementioned W3C standard WebAuthn (i.e. the World Wide Web Consortium’s Web Authentication specification). Together these standards provide passwordless authentication, or two-factor (2FA) and MFA experiences. They also sometimes rely on embedded authenticators like biometric indicators or hardware authenticators (e.g. fobs or security keys). FIDO2 relies on the following specifications:
Who Supports FIDO?
FIDO is supported by a broad alliance of companies and organisations, including Google, Microsoft, PayPal, Visa, Mastercard, Samsung and many others. There is also a FIDO Alliance dedicated to promoting and supporting the FIDO standard.
Where Is FIDO Used?
FIDO is used in various applications, including authentication for online services, mobile applications, payment systems and enterprise applications. It is also used in certain industries such as healthcare, education and government.
Is FIDO Secure?
FIDO is a secure standard based on modern encryption technologies. The use of biometrics or hardware security keys can further increase security as they are harder to steal or copy than traditional passwords.
What Authentication Methods Are Supported by FIDO2?
FIDO2 supports several authentication methods, including biometric factors such as fingerprints or facial recognition, security keys and passwords.