FIDO: Everything You Need To Know (FAQs)
What Is FIDO?
FIDO (Fast Identity Online) is a set of open industry standards that enforce strong, passwordless authentication for digital accounts. These standards were developed by the FIDO Alliance, a consortium of technology leaders including Google, Microsoft, Apple, and many others. The alliance’s aim was to create a set of standards, compatible with all devices and technologies, that reduced reliance on passwords whilst improving account security. This has led to faster, more secure login processes becoming more common. Passwords can be replaced by secure, FIDO-enabled hardware keys, or by biometric checks such as Touch ID and Face ID.
What Is FIDO2?
FIDO2 is the name for the most recent set of specifications released by the FIDO Alliance. They are based around the W3C’s WebAuthn specification (a global standard for secure authentication, widely supported by browsers and devices) and the FIDO Alliance’s own Client to Authenticator Protocol (CTAP).
FIDO2 is focused on making passwordless experiences easy for developers to build into applications and services via an API. This enables developers to build authentication workflows using FIDO2-supported technologies – such as Apple Passkeys – into apps and services. This will, in turn, give more users access to technologies that use the FIDO protocol, increasing its uptake and securing more users.
How Does FIDO Work?
For FIDO to work, the user must have a FIDO authentication method, such as a smartphone with FIDO-supporting biometrics (Android, iOS) or a hardware key, such as a YubiKey. These are solutions listed in the article above.
Assuming the user has a FIDO-enabled device, the process is as follows:
- The user registers with an online service, which creates a new key pair: the private key stays on the user’s device and the public key is stored by the service.
- When the user logs into the service, they must pass an authentication check, such as a biometric scan or inserting a hardware token, to verify their identity.
- If the check is successful, the device uses the private key to sign a challenge from the service; the service verifies that signature with the stored public key and the user is authenticated.
What Are The Benefits Of FIDO?
There are a huge number of benefits to using FIDO over the traditional username/password login process, both for user convenience, and for improving security:
- Streamlined authentication: With FIDO, the login process is smooth and straightforward. Users no longer need to create and manage passwords, and credentials can be synced across FIDO-enabled devices.
- Stronger credentials: Passwords are often weak, easy to guess, and reused by users across multiple accounts. This makes them incredibly vulnerable. Private keys, on the other hand, are generated at full cryptographic strength and are unique to each service, so they cannot be reused across accounts.
- Cannot be breached: As private keys are only stored on local devices, a leak of the service’s database exposes only public keys, which cannot be used to log in, so users are far better protected from hackers.
- Cannot be phished: Passwords are at risk from social engineering, phishing, and MFA bypass attacks. FIDO credentials are bound to the site they were registered with, so they cannot be handed over to a lookalike site or replayed by an attacker who intercepts a login.
- Wide support: FIDO has achieved wide support in the industry with some of the industry’s biggest players – Apple, Microsoft, and Google – using it across their product range. FIDO authentication can also be used alongside conventional passwords.
What Is The FIDO Alliance?
The FIDO Alliance is an open industry association that was launched in February 2013, with the goal of developing and promoting authentication standards that move away from passwords and other insecure authentication practices. They saw the overreliance on passwords as both a risk and an opportunity for innovation.
Their mission is to develop technical specifications that define an open, scalable, interoperable set of mechanisms which work to reduce that password reliance. They also operate industry certification programs to help facilitate worldwide adoption of the specifications.
The FIDO Alliance has over 250 members, including notable global tech leaders across enterprise, telecom, payments, healthcare, and government. Leading companies with board-level membership include Google, Microsoft, Apple, Facebook, Amazon, American Express, Mastercard, PayPal, VISA, and OneSpan.
Is FIDO The Future?
We spoke to Microsoft’s Director of Identity Security, Alex Weinert, about the future of the space. Here’s what he told us:
“As an industry, we’re trying to move away from passwords altogether. It turns out all password attacks fail if there’s no password. So, moving to things like the FIDO standard is essential. The FIDO standard is cool, in part, because, as well as being cryptographically very strong, it allows for many different form factors.
“[Apple’s] Passkey is going to bring the FIDO standard to mass market. Every single phone in everybody’s pocket is going to be a FIDO key. And it’s going to be well-integrated into the operating system experience.
“As a result of that, I think we can see probably a mass market shift away from passwords. The Cybersecurity Executive Order in the United States and the NCSC in the UK also provide guidance that moves us away from passwords. So hopefully, we actually don’t get everybody to adopt password plus MFA. Hopefully, we get ready to actually switch to this single, passwordless thing.”