What is FIDO Authentication?

What is FIDO Authentication?
What is FIDO Authentication?

FIDO (Fast Identity Online) authentication refers to a set of specifications and standards created by the FIDO Alliance. It defines alternative authentication mechanisms that reduce reliance on passwords and enhance online security.

FIDO enables users to conveniently access online accounts, websites, applications, devices, and more using biometrics, PINs, or hardware tokens instead of manually entered passwords.

With mass adoption across platforms and browsers, FIDO aims to ultimately replace password-based access control due to improved usability, stronger defence against cyber threats, and compliance benefits.

This article provides an overview of the FIDO Alliance, the goals and key concepts behind their open authentication standard, along with the benefits and adoption trends to enhance online security.

What is the FIDO Alliance?

The FIDO Alliance is an industry consortium established in 2013 focused on reducing reliance on passwords for authentication by driving the adoption of standards-based passwordless login.

Originally conceived in 2009 between PayPal and Validity Sensors, today, FIDO Alliance brings together over 250 companies, including leaders like Microsoft, Apple, Google, Visa, and Mastercard.

This alliance develops open technical specifications leveraging biometrics, PINs, and hardware tokens that define interoperable mechanisms for stronger authentication.

Additionally, FIDO certification programs verify specification compliance across certified products, easing integration complexity. By promoting global conformance, FIDO aims to facilitate frictionless user experiences with seamless passwordless authentication across accounts, devices and applications worldwide.

Overall, the FIDO Alliance strives to improve online security by replacing vulnerable passwords through an open, interconnected ecosystem of strong authentication alternatives.

Goals of FIDO Authentication

The primary goals and vision behind the FIDO standards for authentication include:

  • Eliminate reliance on vulnerable passwords: Moving beyond sole reliance on shareable, replayable passwords is critical to combat rising identity crimes and system intrusions enabled by stolen credentials.
  • Enable stronger multi-factor authentication with biometrics and tokens: FIDO aims to enable user-friendly multi-factor authentication using biometrics, security keys and other non-perishable credentials to verify identities and transactions. This thwarts unauthorised account access, even if credentials are compromised.
  • Protect sensitive user data by storing locally, not centrally: Unlike passwords stored on remote servers, FIDO mandates that sensitive template data used for verification must remain localised on users' devices, minimising the risks of large-scale data theft and exposure.
  • Provide seamless user experiences without password fatigue: Reduction in dependence on hard-to-remember, hard-to-manage passwords also drives improved end-user experiences with fast, simple access across devices and services.
  • Meet expanding regulatory requirements for authentication: Keeping pace with regulations worldwide, FIDO compliance helps entities in the finance and healthcare sectors transition to phishing-resistant, multi-factor authentication.
  • Reduce costs from fraud, data breaches, and password resets: For enterprises, FIDO adoption promises reduced costs due to fraud and fallouts of breaches and help desk loads for password management, which continue to take a high toll globally.

Core Concepts

Some of the core concepts underpinning the FIDO set of authentication specifications include:

  • Public Key Cryptography: For the protection of user authentication, FIDO protocols employ standard public key cryptography. Private keys are stored on users' devices, while public keys are held with online services.
  • Cryptographic Challenges: Users authenticate by unlocking FIDO authenticators on their devices, which hold private keys and can cryptographically sign dynamic challenges.
  • Phishing Resistance: FIDO transactions are bound to previously whitelisted domains, preventing redirection attacks to fake phishing websites.
  • User Privacy: Sensitive information like biometric templates, PINs, and transaction history remains on user devices instead of external databases.  

Authenticator Options

The FIDO approach is architected to standardise both passwordless and second-factor authentication using different types of authenticators:

  • Platform Authenticators: Leverage built-in authentication capabilities like fingerprint and face recognition sensors on devices users already own, e.g. smartphones and laptops.
  • Roaming Authenticators: External hardware tokens like FIDO Security Keys (connected via USB, NFC, Bluetooth) that enable portable second-factor authentication securely across devices.

FIDO Authentication Protocols

The FIDO Alliance has standardised different protocol specifications for enabling passwordless authentication using various types of authenticators:

FIDO UAF

The Universal Authentication Framework (UAF) allows online services to offer passwordless login leveraging user devices like smartphones or laptops.

It enables selecting from local authentication methods like biometrics or PINs during initial account registration. Subsequently, users can log in without passwords by unlocking registered authenticators.

FIDO U2F

The Universal Second Factor (U2F) specification facilitates multi-factor authentication using roaming hardware tokens as a second form of verification along with usernames and passwords.

The user's security key signs authentication challenges in a cryptographically verifiable manner on tapping to enable login.

FIDO2

FIDO2 delivers unified support for both passwordless and second-factor flows across more authenticator types.

It combines the web standard WebAuthn along with Client to Authenticator Protocol (CTAP) to enable better interoperability between websites, platforms and authenticators using modern cryptography techniques.

Overall, these protocol specifications allow applications to offer end users phishing-resistant authentication experiences meeting their security needs - whether passwordless, single-factor or multifactor - in a consistent, standards-based manner across accounts.

How FIDO Authentication Works

Registration Process

To use FIDO authentication, users first register authenticators with online services:

  • Users select an available FIDO authenticator meeting the service's policies, e.g., a fingerprint sensor.
  • The device creates a public-private key pair unique to the user account and online service.
  • The service stores the public key. The private key remains stored securely on the user's device. This allows the authenticator to cryptographically sign challenges.

Authentication Process

When subsequently authenticating, users unlock their registered FIDO authenticators, which respond to cryptographic challenges:

  • The user unlocks their FIDO authenticator, e.g., fingerprint biometrics, on their smartphone or hardware token.
  • The online service issues a cryptographic challenge or nonce, which the FIDO client signs using the registered private key.
  • The service verifies the signature with the stored public key in order to authenticate the user.

This protocol relies on standard public key cryptography for securing the authentication process without ever transmitting private user credentials.

Implementation Examples

  • Google enables FIDO login across its services like Gmail and Google Cloud, allowing passwordless access for its employees using Android devices and Titan security keys.
  • Facebook supports biometrics-based FIDO authentication leveraging native face recognition or fingerprint sensors available on Apple iOS and Android mobile platforms.
  • Microsoft has enabled FIDO2 authentication across Azure Active Directory, Outlook, and Xbox accounts, facilitating passwordless enterprise logins via Windows Hello facial recognition or FIDO security keys.

Benefits of FIDO Authentication

  • Enhanced Security: FIDO authentication enables multi-factor authentication using biometrics, security keys, and other credentials that are resilient to phishing and automated attacks. This protects user accounts and systems from identity theft, account takeovers, and unauthorised access, even if the system is compromised.
  • Improved Convenience: FIDO's passwordless authentication replaces remembering and typing complex passwords with easily available biometrics (fingerprint, face, etc.) or security keys. This allows fast, seamless access for users across devices while maintaining security. Fewer passwords also reduce frustration over managing credentials.
  • User Privacy: Unlike centrally stored passwords, biometric reference data used for FIDO authentication remains localised on users' devices. So, identity credentials are not shared across multiple applications. This limits exposure risks and provides greater privacy than single sign-on systems.
  • Regulatory Compliance: With rapidly rising data breaches and identity theft, regulations in healthcare, finance, and government sectors are mandating advanced authentication safeguards. FIDO's multi-factor phishing-resistant protocols help meet compliance standards.
  • Lower Costs: For organisations, FIDO authentication drives down costs associated with managing forgotten passwords, helps desk loads for resets/revocations, and reduces losses from account takeovers and fraudulent transactions. For users, it reduces time spent dealing with traditional authentication friction.
  • Interoperability: FIDO standards enable authentication interoperability across devices, apps, platforms and browsers so enterprises don't get locked into proprietary solutions. Smooth integration avoids usability barriers to adoption.
  • Improved Brand Trust: Implementing strong modern authentication and aligning with FIDO industry standards signals to users and regulators that an organisation takes identity security and privacy seriously. This builds brand credibility and trustworthiness.

Many leading technology providers have actively adopted FIDO authentication across their platforms and services:

  • Android, Windows, and macOS have native support for FIDO login using available biometrics sensors across consumer devices as well as enterprise machines.
  • Websites like Google, Facebook, Dropbox, Salesforce, and GitHub enable FIDO protocols as an alternative MFA option for their account login.
  • Payment card leaders like Visa and Mastercard are expanding FIDO standards support, enabling consumers to use security keys for cardholder authentication.

Conclusion

In the end, what is FIDO authentication? So, FIDO authentication represents a significant evolution in online security - enabling passwordless convenience while actually strengthening protection against identity threats.

By using public key cryptography to validate users, FIDO protocols facilitate phishing-resistant, multi-factor authentication leveraging biometrics and devices people already possess. This approach aligns security with usability while enhancing privacy.

In InstaSafe, we offer FIDO2 standard multi-factor authentication to secure enterprises.

Frequently Asked Questions(FAQs)

  • What is the difference between FIDO and MFA?

FIDO refers to specific standards around authentication mechanisms, while MFA (multi-factor authentication) is a broad concept for verifying users with multiple credentials. FIDO protocols enable various MFA approaches using phishing-resistant authenticators.

  • What does FIDO mean in cyber security?

FIDO comprises technical specifications created by the FIDO Alliance focused on reducing password reliance by enabling stronger verification of user identities online by leveraging biometrics and cryptography.

  • What is FIDO vs FIDO2?

FIDO UAF facilitates passwordless biometric login on devices users possess. FIDO U2F enables multi-factor authentication with hardware security keys. FIDO2 unified both into one standard, supporting various authenticators for passwordless and second-factor verification interoperably.