What Is FIDO and How Does It Work?

FIDO authentication relies on standard public key cryptography to eliminate password sign-on. There are three FIDO protocols, and the most recent integrate biometrics to accomplish this feat.


FIDO (Fast Identity Online)

With the growing realisation that passwords had become an ineffective and outdated means of providing security, the FIDO (Fast Identity Online) Alliance (founded in 2013) set out to develop a new solution. Backed by the big tech sector leaders (MAMAA), FIDO, an open and standardised set of authentication protocols, was designed with the goal of eliminating passwords. Since then, there have been three major FIDO standards: FIDO UAF, FIDO U2F, and FIDO2 (WebAuthn/CTAP2).

FIDO authentication uses standard public key cryptography techniques in lieu of passwords to provide a more secure authentication process. This approach offers more robust protection against phishing attacks and other data breach attempts.

Benefits of FIDO

  • Higher security: FIDO uses cryptographic methods for authentication, making it much harder for attackers to compromise user accounts.
  • Convenience: FIDO eliminates the need for passwords, allowing users to log in with a simple touch or gesture.
  • Interoperability: FIDO standards are device and platform agnostic, enabling seamless authentication across a wide range of devices and services.
  • Better user experience: FIDO provides a more convenient and user-friendly authentication experience compared to traditional methods such as passwords.
  • Higher adoption: With FIDO, organisations can improve the security of their systems while providing a better user experience, leading to higher adoption and usage.

How Does FIDO Work?

FIDO relies on standard public key cryptography techniques to replace password authentication. When registering with an online service, a user’s device (mobile phone, tablet, etc.) creates a so-called key pair. The device itself stores the private key while the public key is registered with the respective online service.

During the registration process, users select an authentication method depending on the technical capabilities of their devices. The options include, for example, a fingerprint scan, voice recognition, facial recognition, or a PIN. These biometric identifiers are stored securely on the user’s device and are never shared. Thereafter, authentication is a seamless process: the user’s device proves possession of the private key by signing a so-called challenge. The private key is unlocked via the user’s pre-selected method, e.g. fingerprint scan or facial recognition.

FIDO protocols have been devised with user privacy in mind. They do not provide user information that can be exploited by online services to track user behavior and movements across various services.

What Types of FIDO Standards/Protocols Are There?

As mentioned, the FIDO Alliance has created three standards since 2013. Each has its own pros and cons depending on how they are implemented. Let’s take a close look at the different protocols.

Universal Second Factor (U2F)

Rather than completely replacing the password, the FIDO U2F protocol works alongside it by asking users to provide two factors to verify their identities:

  • Something they know: e.g. a username and password
  • Something they have: e.g. a registered fob or security key (e.g. a YubiKey), also known as a U2F authentication token. These may rely on USB, NFC (near-field communication), or Bluetooth for the authentication process.

Once the security key or token has been activated (often by the press of a button on the device), the browser interacts directly with said device to provide access to the online service.

Universal Authentication Framework (UAF)

By contrast, the FIDO UAF protocol allows for a passwordless sign-on experience while also providing a multi-factor authentication (MFA) sign-on option for added security. It was originally developed with the authenticators on mobile phones (Touch ID, Face ID) in mind. This is the most common authentication method in the financial sector in the United States and Europe.

Users relying on UAF need a computer, smartphone, etc. that they can register with the online service. When registering, users select an authentication method. Depending on the device, the service provider offers a list of possible options, e.g. facial or voice recognition, a fingerprint scan, or a PIN. For MFA sign-on, the authentication process simply requires more than one of these options. Once a user is registered, they can no longer sign in with a password.

FIDO2

FIDO2 is built on two open standards: the FIDO Client-to-Authenticator Protocol (CTAP) and the aforementioned W3C standard WebAuthn (the World Wide Web Consortium’s Web Authentication specification). Together these standards provide passwordless, two-factor (2FA) and MFA authentication experiences. They may rely on embedded (platform) authenticators such as built-in biometric sensors, or on hardware authenticators (e.g. fobs or security keys). FIDO2 relies on the following specifications:

  • WebAuthn provides the interface for creating and managing public key credentials by defining a standard web API that is built into platforms and browsers. It is able to communicate with all CTAP authenticators.
  • CTAP1 provides users with a 2FA experience. It does this by requiring security devices (NFC readers or plug-in keys/fobs) to access online services.
  • CTAP2 makes it possible to use the authenticator as both the first and second authentication factor, thereby making passwordless, 2FA, and MFA authentication all possible.


FAQ about FIDO

Who Supports FIDO?


FIDO is supported by a broad alliance of companies and organisations, including Google, Microsoft, PayPal, Visa, Mastercard, Samsung and many others. There is also a FIDO Alliance dedicated to promoting and supporting the FIDO standard.

Did you know that the FIDO Alliance has existed for over ten years? You can find more information here.

Where Is FIDO Used?


FIDO is used in various applications, including authentication for online services, mobile applications, payment systems and enterprise applications. It is also used in certain industries such as healthcare, education and government.

Why Nevis also relies on FIDO - More here in the blog.

Is FIDO Secure?


FIDO is a secure standard based on modern public key cryptography. The use of biometrics or hardware security keys can further increase security, as they are harder to steal or copy than traditional passwords.

We have summarised further benefits of the FIDO authentication standard for you in the following blog.

What Authentication Methods Are Supported by FIDO2?


FIDO2 supports several authentication methods, including biometric factors such as fingerprints or facial recognition, security keys and passwords.