FIDO2: The Passwordless Web is Coming
Recently, the FIDO Alliance (Fast Identity Online) announced the availability of its FIDO2 protocol. What is this, how does it impact the traditional login password, and why should financial institutions (FIs) pay attention?
FIDO: Eliminating the Traditional Password
Improving the overall user experience and removing friction is key for financial institutions deploying online and mobile applications. User experience has a direct impact on customer retention, ROI of online services, and operational costs. In fact, studies have shown that customers who have the ability to easily engage with their financial institution anywhere and at any time are less likely to switch.
While the frictionless customer experience is a top priority for banking and security leaders, delivering the optimal user experience alone is not enough. FIs also need to comply with different regulations and guidelines (e.g., PSD2, GDPR, and NIST), maintain high standards of security, and stay within development and operational budgets. All of this makes the challenge of delivering a frictionless experience more complex.
Often, the first hurdle in customer engagement is the login password. Not only is creating and managing passwords a major annoyance, the login password is also notoriously vulnerable to data breaches.
FIDO authentication solves this problem by replacing the traditional password with strong authentication options ranging from biometrics to software and hardware tokens.
In essence, FIDO authentication offers an interoperable and standardized ecosystem of authenticators for use with mobile and online applications. It enables organizations to deploy strong authentication for login and transaction validation, without the incremental cost of in-house development.
FIDO2 and the Passwordless Web
FIDO2 is a combination of W3C’s WebAuthn API and FIDO’s Client to Authenticator Protocol (CTAP). WebAuthn is a standard API that allows developers to integrate FIDO authentication into web browsers. With CTAP, users can login without a password. They can use an external authenticator such as a mobile phone or hardware device to communicate their authentication credentials to a PC or mobile phone via Bluetooth, NFC, or USB. In other words, thanks to FIDO2 it is easier to authenticate to web browsers by using a hardware FIDO authenticator, or whatever authentication method is available on a user’s PC.
What’s more, the WebAuthn protocol is being implemented in browsers like Google, Mozilla, and Firefox. It is expected that Apple’s Safari browser may integrate WebAuthn once the FIDO2 standard has been officially approved by W3C as an international standard (note that although Apple has been silent about FIDO, the company is part of the WebAuthn working group). Once W3C ratifies FIDO2 as an international standard, the passwordless web will become a reality.
FIs that want to benefit from the WebAuthn protocol can FIDO-enable their existing online and mobile banking infrastructure or implement a comprehensive FIDO solution that handles authentication requests from any kind of FIDO authenticator.
The beauty is that FIDO2 is backwards compatible with all previously certified FIDO security hardware and software, and these solutions will continue to work with web browers supporting WebAuthn. The FIDO Alliance itself recommends that organizations looking to enable FIDO for their online and mobile services deploy a Universal Server, ensuring support for all FIDO-certified authenticators, whether that is second factor (U2F), mobile (UAF), or FIDO2.
FIDO Authentication from OneSpan
As a board member of the FIDO Alliance and active participant in the FIDO2 working group, OneSpan is part of FIDO’s initiative to standardize the authentication industry. Our FIDO authentication portfolio includes a FIDO Universal Server solution that supports U2F, UAF, and FIDO2 solutions.
Today, organizations need flexibility in authentication methods. For example, many FIs that have issued hardware authentication tokens to their customers are also introducing mobile authentication for their mobile-first customers – and require both hardware and software options for a range of customer needs and use cases. To support this, OneSpan offers:
- Full FIDO capabilities as part of the OneSpan Mobile Security Suite. This means organizations can implement passwordless authentication to enhance the customer experience by replacing static passwords with modern capabilities such as biometrics, while also protecting their mobile apps against phishing, man-in-the-middle, and replay attacks.
- A Bluetooth-enabled FIDO hardware authenticator allowing FIs to easily mix and match software and hardware to fit their authentication needs.
FIDO-certified authentication methods are supported out-of-the box as they come to market. Because of standardization, any application can work with any device and any authenticator. This gives organizations a plethora of choices on how they want to approach customer authentication.
Visit our FIDO authentication page to learn more about FIDO for passwordless login and transaction validation use cases.