FIDO is an open standard authentication technology which enables highly secure, passwordless and phishing-resistant multi-factor authentication for users. From its conception in 2009, FIDO has been an open standard protocol, developed by an alliance of major technology leaders for use across different technologies, devices and operating systems. FIDO is now widely supported by the Chrome, Windows, Firefox, iOS, macOS, and Android systems.
FIDO2 (also referred to as WebAuthn) uses standard public key cryptography protocols to bypass the need for a password. When a user registers with an online service, the FIDO2-supported device creates a new key pair. The trusted device stores the private key locally, while the public key is registered to the online service.
When the user logs into the online service, the local device issues an authentication challenge, such as asking for the device password, a biometric check, or a hardware token. When the challenge is passed, the device uses the private key to sign the login request, the service checks that signature against the registered public key, and the user can access their accounts or services.
Replacing passwords with FIDO-supported authentication profoundly improves security. It reduces the risk of account compromise by enforcing phishing-resistant two-factor authentication, removing the risk of weak passwords, and supporting the use of biometrics, which make it extremely difficult for attackers to compromise your accounts.
As FIDO is an open standard, a range of identity and technology applications and devices have emerged which support FIDO authentication standards and integrations. Some are linked to specific operating systems and devices – such as Apple Passkeys and Windows Hello – while others are designed for enterprise use cases, such as Yubico’s YubiKey and Cisco’s Duo. Some of these platforms also support secure single sign-on (SSO). In this guide we’ll take a look at the top 11 FIDO-supported authentication solutions, comparing features, pricing, and more.
Prove is a market leading customer identity verification and access management provider that offers multi-factor and conditional access solutions to prevent account breach and identity fraud. Prove’s solutions leverage their unique Phone-Centric Identity™ technology, which uses mobile phones as a primary authentication method. This is designed to be highly secure, thereby improving end-user ease of use and convenience. Prove is used by more than 1,000 companies globally, including 9 of the top 10 U.S. banks, processing more than 20 billion customer requests annually, and is a member of the FIDO Alliance.
Prove Features
- ProveAuth™ enables customers to have a comprehensive suite of authenticators ranging from traditional OTPs to sophisticated mobile authentication and biometric authenticators, including FIDO passkeys for passwordless login and/or as a seamless second factor method of authentication
- With this authenticator suite, customers can tailor authentication across low to high-risk transactions to minimize friction while prioritizing customer experience
- Prove Pre-Fill® leverages phone signals to verify identities and reduce the time it takes for customers to sign up to under 10 seconds
- Prove Identity Manager™ offers a holistic and persistent view of customer identities across your platform, resulting in improved servicing and contactability and an optimal consumer experience
- Prove Identity™ helps thwart the major vectors of digital fraud such as SIM Swaps by verifying a consumer’s identity by validating consumer provided information, with a real-time “Trust Score”
How FIDO Works: The Prove Auth solution enables teams to implement passwordless and OTP-less authentication processes for mobile and web apps. This includes a wide range of authentication methods to reduce fraud, including FIDO2 web-based authentication. Customers can authenticate directly with Prove or utilize on-device biometrics.
Expert Insights Comments: Prove is a trusted, leading provider of authentication and identity verification solutions in the customer identity and access management space. We recommend Prove’s solutions for SMBs and enterprises looking to implement secure, passwordless FIDO-processes to reduce fraud and improve customer experiences.
Yubico is a leading manufacturer of FIDO-enabled hardware tokens that enable secure authentication for devices, digital accounts, and services. These small, convenient devices use USB or NFC connections for highly secure authentication. Users can simply insert or tap their YubiKey device to authenticate their identity and access accounts and services. Yubico is widely supported by hundreds of applications and services.
Yubico YubiKey Features:
- Secure, phishing resistant authentication methods with FIDO enabled hardware keys and passwordless software tokens
- Simplified end-user experience with faster authentication process
- Widely supported form factor with pre-built support for over 1,000+ applications and services
- Can be used to secure access to devices as well as digital accounts and services
- Alongside FIDO, YubiKeys support multiple authentication protocols including Smart card, OTP, OpenPGP 3
How FIDO Works: Users simply enter their username and password, tap or insert their FIDO supported YubiKey, and will then be authenticated to the account, service or trusted device.
Yubico YubiKey Pricing: Pricing for the YubiKey series starts at $45 USD for a single device. Reseller and enterprise pricing can be requested from Yubico directly.
Expert Insights’ Comments: The YubiKey is a secure, convenient FIDO-supported authentication method. Yubico customers praise the devices for their simplicity and ease of use, enabling more secure, more seamless login processes. We recommend this service to enterprise organizations looking to implement secure authentication processes to protect against phishing attempts and multi-factor authentication bypass attacks.
SafeNet Trusted Access is an identity and access management solution for enterprise organizations. It enables admins to configure granular risk-based access policies to ensure only authenticated users can access solutions and services, while enforcing secure MFA, with support for passwordless FIDO authentication. SafeNet Trusted Access supports a wide range of authentication methods and form factors – these include hardware tokens, software, OTPs, pattern-based authentication, and more.
SafeNet Trusted Access Features:
- Passwordless FIDO authentication with wide support for multiple form factors, including Thales’ own hardware, YubiKeys, Windows Hello, and more
- Granular access policies based on contextual risk, with robust reporting and admin controls
- Supports integrations with hundreds of applications and all devices and operating systems
- User self-provisioning to ensure smooth deployment; admins can easily disable, enable and manage linked FIDO authentication devices from their dashboard
How FIDO Works: Users are able to self-enrol and add FIDO-supported authenticators by logging into the Thales system. Once added (and depending on access policies set by the organization) they can select a FIDO-enabled authentication method, such as Windows Hello or Thales’ own hardware keys, and add this to their supported authentication methods to enable secure passwordless account access.
Expert Insights’ Comments: SafeNet Trusted Access is a leading identity and access management provider, supporting a broad range of FIDO-enabled authentication processes including their own hardware tokens, or OS-specific protocols such as Windows Hello. The ability to configure contextual access policies with SafeNet Trusted Access adds an extra layer of security on top of the FIDO standard to prevent enterprise account compromise. We recommend this solution for enterprise organizations.
RSA Security is a globally leading authentication provider of identity governance and access management solutions for both cloud and on-premises deployments. SecurID is their portfolio of authentication solutions covering a broad range of methods including physical keys, digital tokens, push notifications, and passwordless authentication.
RSA SecurID Features:
- Supports FIDO2 security keys for passwordless or second-factor authentication checks, and U2F keys for additional authentication
- Secure single sign-on supporting a broad range of authentication options, including MFA, tokens, OTPs, passwordless
- Identity governance and lifecycle management for full visibility and compliance with granular access policies
- Seamless, easy to use multi-factor authentication process for the end user
- Ideal for large organizations, public sector, and government agencies looking to implement zero trust
How FIDO Works: SecurID supports FIDO2 certified keys and U2F-compliant security keys as an authentication option, including YubiKeys. FIDO2 can be used as a passwordless authentication option, or for a second factor of authentication with a username and password. U2F keys enable additional factors of authentication.
RSA SecurID Pricing: RSA SecurID pricing can be obtained by contacting SecurID directly.
Expert Insights’ Comments: RSA SecurID is a trusted authentication provider, offering a secure, easy to use FIDO-enabled authentication suite. Their broad range of hardware tokens and digital authentication options, with granular identity governance and compliance policies, mean this solution is a strong option for large enterprises, the public sector, and government agencies.
Ping Identity is a digital identity security provider offering a portfolio of identity and access management and zero trust solutions, including FIDO-compliant authentication. Headquartered in Denver, Colorado, with offices around the globe, Ping Identity manages over three billion workforce and customer identities. In 2022, Ping Identity was acquired by Thoma Bravo.
Ping Identity PingOne For Workforce Features:
- Secure, adaptive multi-factor authentication and single sign-on for workforce security
- Centralized management and control with granular authentication policies and drag and drop workflows
- Covers all enterprise applications and services including cloud, on-prem, and custom applications
- Clear reporting and easy-to-manage administration dashboard
- Supports a broad range of authentication methods and form factors
How FIDO Works: PingID supports FIDO2 biometrics and security keys for authentication, meaning users can use FIDO-enabled biometric checks. Out of the box, this includes Windows Hello, Mac TouchID, dedicated FIDO security keys, and Android biometrics. API-based connections using custom UIs can also be configured.
Ping Identity PingOne For Workforce Pricing: PingOne for Workforce starts at $3 per user, per month, for centralized SSO, MFA and directory services for SaaS applications. A Plus plan, which offers enhanced adaptive MFA and passwordless authentication, is available for $6 per user, per month. For Premium enterprise pricing, contact the PingOne sales team directly.
Expert Insights’ Comments: Ping Identity is a leading authentication provider. Their identity suite is comprehensive, with a granular feature set, broad integrations, and a simple, no-code engine for managing user identities and access. We recommend Ping Identity for organizations of all sizes, particularly those in the financial services, retail, manufacturing, healthcare, and government sectors.
Okta Workforce Identity is a market leading identity provider, offering a range of solutions designed to help organizations manage both workforce and consumer identities, including SSO, MFA, active directory, and identity governance. Okta are headquartered in San Francisco, CA, and currently manage identities for over 10,000 organizations, including Slack, T-Mobile, JetBlue, Twilio, and more.
Okta Workforce Identity Features:
- Secure single sign-on with over 7,000 pre-built integrations in the Okta Integration Network
- Adaptive, multi-factor authentication – with proactive security controls to block suspicious attempts
- Lifecycle management and no-code workflow management
- Comprehensive identity governance and administration with granular access policies and workflows
How FIDO Works: Okta’s FIDO2 authenticator enables users to authenticate using biometrics. There is support for both security keys, such as YubiKey, and device authentication methods such as Windows Hello, or Apple’s TouchID. Admins can choose whether to enable FIDO-supported authentication methods from the admin console.
Okta Workforce Identity Pricing: With Okta Workforce Identity you can build your own plan, based on the features you require – for example SSO starts at $2 per user, per month, MFA starts at $3 per user, per month, and lifecycle management starts at $4 per user, per month. There are volume discounts available for Enterprise customers (over 5,000 users), and there is a minimum contract spend of $1,500.
Expert Insights’ Comments: Okta Workforce Identity is a leading identity management and governance platform, with a strong feature set, thousands of pre-built integrations, and a wide range of supported authentication methods. We’d recommend this solution to mid-sized and larger organizations, particularly for the public sector, financial services, retail, healthcare, and technology industries.
Microsoft Entra encompasses Microsoft’s full suite of identity and access management solutions for enterprises. It includes Microsoft Azure Active Directory, Microsoft’s cloud-based directory service which is widely used for employee access management and user authentication. Entra is designed to protect access to all applications and services.
Microsoft Entra Features:
- Protect access to applications and resources with permissions management and multi-factor authentication
- Manage lifecycles and user privileges to enforce zero trust principles
- Simple and convenient sign-in experience for users with multiple authentication methods supported
- Secure identities for all employees, customers, partners, apps, devices, and workloads
How FIDO Works: Microsoft governs user authentication through Azure AD, which supports multiple authentication methods, including FIDO2 security keys for passwordless authentication. This includes Windows Hello, with biometric credentials tied to the user’s PC, and third-party FIDO hardware such as YubiKeys. Users can register and select a FIDO2 security key when configuring their account sign-in preferences.
Microsoft Entra Pricing: Microsoft Entra pricing is dependent on specific products and Microsoft 365 licensing options. Pricing can be obtained by contacting Microsoft directly.
Expert Insights’ Comments: Microsoft’s Entra suite of identity and access management solutions is a strong choice for organizations looking to roll out FIDO-enabled multi-factor authentication for employees. It is particularly suited to those operating in the cloud-based Microsoft ecosystem with Microsoft 365 and Windows devices. Microsoft’s device biometrics, Windows Hello, can also be used as an authentication method with many of the other identity and access management solutions on this list.
HID are a global authentication provider, securing identities for millions of people all over the world. They work with governments, hospitals, universities, financial institutions, and large enterprises to deliver secure authentication processes and access management capabilities across a huge product portfolio. HID’s Crescendo key cards offer high assurance digital authentication and implement multiple authentication methods, including FIDO.
HID Crescendo Key Series Features:
- Seamless and secure access to networks, computers, and applications
- Data encryption to ensure only authorized users can access sensitive information
- Small and convenient hardware cards
- Can be used stand-alone or alongside HID’s cloud-based Workforce ID credential manager solution or as an authentication method for HID MFA
- Fully compliant, enabling compliance with GDPR, CCPA, HIPAA etc.
- Unified cloud and on-premises authentication and lifecycle credential management system
How FIDO Works: The HID Crescendo Key Series offers FIDO2 and FIDO U2F enabled authentication for both passwordless authentication and an additional authentication process alongside the username and password. Form factors include smart cards, security keys, and more.
HID Crescendo Key Series Pricing: HID Crescendo Key Series pricing can be obtained by contacting HID’s sales team directly.
Expert Insights’ Comments: HID are a leading authentication provider, offering a huge range of authentication solutions to secure and manage access to workforce applications, networks, and devices. The Crescendo key series is a strong choice for organizations looking to implement compliant, FIDO-based authentication, with full lifecycle credential management provided by HID’s comprehensive identity management solution. We recommend this solution for the enterprise, banking, retail, education, government, healthcare, and manufacturing sectors.
Google Cloud offers a range of identity and access management security features to help simplify and control access to applications and manage user identities as part of its BeyondCorp enterprise zero trust security suite. This includes using Android 7+ phones as secure FIDO2 keys, enabling seamless and secure user access.
Google Cloud Features:
- Context-aware access and authentication security checks
- FIDO2 keys built into Android 7+ phones to enable secure and seamless access for Android users
- Single sign-on to thousands of applications and services
- Identity management platform for managing access to your own applications and services
How FIDO Works: FIDO2 security keys are built into all smartphones and devices running Google’s Android 7+ operating system, enabling phishing resistant authentication using biometrics or a PIN. Google also offers a FIDO security key: Titan.
Google Cloud Pricing: Contact Google Cloud directly or use their online pricing calculator to obtain pricing for your organization.
Expert Insights’ Comments: Google has been a key driver of the FIDO authentication technology standard. Rolling FIDO2 keys out across Android 7+ devices will enable millions of Google users to securely use their smartphone device for secure, phishing resistant authentication, both for Google services and third-party applications. Google Cloud is a strong choice for organizations looking to implement enterprise ready IAM solutions.
Duo is a leading authentication solution acquired by Cisco in 2018. Duo provides secure authentication and zero trust security for organizations of all sizes, securing access to all devices and applications with multi-factor authentication and single sign-on. Duo support over 35,000 customers across 100 countries and are headquartered in Ann Arbor, MI.
Duo Security Features:
- Scalable MFA that works across most major apps out of the box and integrates with custom applications
- Secure remote access with granular access policies for home and office workforce users
- Device trust verification to enforce contextual access policies and prevent device compromise
- Single sign-on with a user-friendly dashboard to access all applications
- Granular, adaptive custom access policies for all apps and networks
How FIDO Works: Duo supports security keys using the WebAuthn (FIDO2) authentication standard for user authentication. Duo also supports FIDO2 with device authentication, such as Touch ID on macOS.
Duo Security Pricing: Duo is available as a free application for up to ten users. Paid plans start at $3 per user, per month, for Duo MFA. Duo Access starts at $6 per user, per month, with secure application access and SSO. Duo Beyond includes all features and starts at $9 per user, per month, including additional endpoint monitoring features.
Expert Insights’ Comments: Duo Security offer a leading authentication platform for organizations of all sizes. Their authentication solution is easy-to-use for end users, with granular control and access management capabilities for admins. The device trust feature secures workforce devices, helping to prevent compromise, while secure single sign-on makes the authentication process seamless for end users. We recommend this solution to teams looking for a secure, adaptive authentication solution.
Apple has rolled out Passkeys (a term for FIDO2 credentials) for all iCloud users. Passkeys are based on the FIDO2/WebAuthn standard and can be used across all Apple and non-Apple devices. On Apple devices, Touch ID or Face ID can be used to authenticate user identities and replace the use of a password for a more secure, phishing-resistant authentication process.
Apple Passkeys Features:
- Passwords are removed entirely to minimize the risk of a phishing attack
- Available for all iCloud devices, synced via the Apple iCloud ‘Keychain’ features
- Existing accounts can be switched to passwordless, FIDO2 authentication methods, and new accounts can be set-up via the “Login with Apple” feature where supported
- iPhones can now be used as FIDO-supported security tokens on third-party enterprise applications
How FIDO Works: Passkeys replace passwords with cryptographic key pairs. One is public, one is held on your personal device and can only be accessed with biometric verification on supported Apple devices. iCloud Keychain syncs keys across your Apple devices, and they are end-to-end encrypted, so even Apple cannot read them.
Apple Passkeys Pricing: Apple Passkeys are available for all iCloud users.
Expert Insights’ Comments: Apple Passkeys are a secure and convenient way for iCloud users to start replacing passwords with the secure, phishing-resistant FIDO2 authentication standard. Support for this method of authentication is, however, down to developers to build into their applications – though it is likely to become widespread over time. Passkeys also mean Apple devices can now be used as FIDO2-enabled security keys with third-party applications and other identity providers on this list.
FAQs
What Is FIDO?
FIDO (Fast Identity Online) is a set of open-source industry standards that enforce strong, passwordless authentication for digital accounts. These standards were developed by the FIDO Alliance, a consortium of technology leaders, including Google, Microsoft, Apple, and many others. This alliance’s aim was to create a set of standards, compatible with all devices and technologies, that reduced reliance on passwords, whilst improving account security. This has led to faster, more secure login processes becoming more common. Passwords can be replaced by secure, FIDO-enabled hardware keys, or biometric checks such as TouchID and FaceID.
What Is FIDO2?
FIDO2 is the name used for the most recent set of specifications released by the FIDO consortium. They are based around the W3C’s WebAuthn specification (a global standard for secure authentication, widely supported by browsers and devices) and the FIDO Alliance’s own Client-To-Authenticator Protocol.
FIDO2 is focused around making passwordless experiences easy for developers to build into applications and services via an API. This enables developers to build authentication workflows using FIDO2 supported technologies – such as Apple Passkeys – into apps and services. This will, in turn, enable more users to have access to technologies that use the FIDO protocol, increasing its uptake and securing more users.
How Does FIDO Work?
For FIDO to work, the user must have a FIDO authentication method, such as a smartphone with FIDO supporting biometrics (Android, iOS) or a hardware key, such as a YubiKey. These are solutions listed in the article above.
Assuming the user has a FIDO-enabled device, the process is as follows:
- The user registers with an online service, which creates a new key pair: one key stored locally (private), the other stored by the service (public).
- When the user logs into the service, they must pass an authentication check, such as a biometric scan or inserting a hardware token to verify their identity.
- If the check is successful, the private key is matched with the public key and the user is authenticated.
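The three steps above can be modelled in a few lines of Node.js. This is an added example, not code from the article or from any vendor listed here; it is a simplified model rather than the real WebAuthn/CTAP message format, and the class names, origins and user name are constructed for illustration. It shows the service checking a signature over a fresh challenge and the page origin, and why a replayed response or one produced for a different origin is rejected.

```javascript
const crypto = require('node:crypto');

// Simplified model of the flow; NOT the real WebAuthn/CTAP wire format.
class Authenticator {
  constructor() { this.keys = new Map(); }   // origin -> private key; never leaves the device
  register(origin) {
    // prime256v1 is NIST P-256
    const { publicKey, privateKey } =
      crypto.generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.keys.set(origin, privateKey);
    return publicKey;                        // only the public key goes to the service
  }
  // Assumed to run only after the local check (PIN, biometric, touch) has passed.
  sign(origin, challenge) {
    const privateKey = this.keys.get(origin);
    if (!privateKey) return null;            // no credential exists for this origin
    const clientData = JSON.stringify({ challenge, origin });
    const signature = crypto.sign('sha256', Buffer.from(clientData), privateKey);
    return { clientData, signature };
  }
}

class RelyingParty {
  constructor(origin) {
    this.origin = origin;
    this.users = new Map();                  // user -> registered public key
    this.pending = new Map();                // user -> outstanding challenge
  }
  enroll(user, publicKey) { this.users.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, assertion) {
    const expected = this.pending.get(user);
    this.pending.delete(user);               // each challenge is single use
    const publicKey = this.users.get(user);
    if (!assertion || !expected || !publicKey) return 'rejected: nothing to verify';
    const { challenge, origin } = JSON.parse(assertion.clientData);
    if (challenge !== expected) return 'rejected: challenge mismatch';
    if (origin !== this.origin) return 'rejected: origin mismatch';
    const ok = crypto.verify('sha256', Buffer.from(assertion.clientData),
                             publicKey, assertion.signature);
    return ok ? 'ok' : 'rejected: bad signature';
  }
}

function runDemo() {
  const site = 'https://login.example';        // constructed origins
  const other = 'https://login-example.test';
  const rp = new RelyingParty(site);
  const device = new Authenticator();
  rp.enroll('alice', device.register(site));   // registration
  const results = {};

  const first = device.sign(site, rp.newChallenge('alice'));
  results.login = rp.verify('alice', first);   // normal login

  rp.newChallenge('alice');
  results.replay = rp.verify('alice', first);  // old response, new challenge

  // The device holds no key for a different origin, so it has nothing to sign with.
  results.unknownOrigin = device.sign(other, rp.newChallenge('alice'));

  // Even with a credential on the other origin, the signed origin does not match.
  device.register(other);
  results.wrongOrigin = rp.verify('alice', device.sign(other, rp.newChallenge('alice')));

  // A different device has a different key pair, so its signature fails.
  const stranger = new Authenticator();
  stranger.register(site);
  results.wrongKey = rp.verify('alice', stranger.sign(site, rp.newChallenge('alice')));
  return results;
}

console.log(runDemo());
```

The service only ever stores the public key and a short-lived challenge, so nothing it holds can be replayed to log in as the user.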
What Are The Benefits Of FIDO?
There are a huge number of benefits to using FIDO over the traditional username/password login process, both for user convenience, and for improving security:
- Streamlined authentication: With FIDO, the login process is smooth and straightforward. Users no longer need to create and manage passwords, while public keys can be synced across FIDO-enabled devices.
- Stronger credentials: Passwords are often weak, easy-to-guess, and reused by users across multiple accounts. This makes them incredibly vulnerable. Private keys, on the other hand, cannot be reused and are always strong.
- Cannot be breached: As private keys are only stored on local devices, they cannot be breached in server leaks, and are, therefore, more protected from hackers.
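- Cannot be phished: Similarly, passwords are at risk from social engineering, phishing, and MFA bypass attacks. A FIDO private key is never typed into a page or shared with the service, so there is nothing for the user to hand over.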
- Wide support: FIDO has achieved wide support in the industry with some of the industry’s biggest players – Apple, Microsoft, and Google – using it across their product range. FIDO authentication can also be used alongside conventional passwords.
Is FIDO The Future?
We spoke to Microsoft’s Director Of Identity Security Alex Weinert about the future of the space. Here’s what he told us:
“As an industry, we’re trying to move away from passwords altogether. It turns out all password attacks fail if there’s no password. So, moving to things like the FIDO standard is essential. The FIDO standard is cool, in part, because, as well as being cryptographically very strong, it allows for many different form factors.
“[Apple’s] Passkey is going to bring the FIDO standard to mass market. Every single phone in everybody’s pocket is going to be a FIDO key. And it’s going to be well-integrated into the operating system experience.
“As a result of that, I think we can see probably a mass market shift away from passwords. The Cybersecurity Executive Order in the United States and the NCSC in the UK also provide guidance that moves us away from passwords. So hopefully, we actually don’t get everybody to adopt password plus MFA. Hopefully, we get ready to actually switch to this single, passwordless thing.”