The FIDO Alliance
The Fast Identity Online (FIDO) Alliance is an open industry association of technology companies, government agencies, service providers, financial institutions, payment processors and other organizations. It was launched in 2013 with the goal of reducing the world's reliance on passwords for websites, apps and devices by replacing them with authentication based on public key cryptography.
Who is Part of the FIDO Alliance?
The FIDO Alliance has more than 250 members, including global tech leaders across enterprise, payments, telecom, government and healthcare. Leading companies such as Microsoft, Google, Apple, Amazon, Facebook, Mastercard, American Express, VISA, PayPal and OneSpan have a board level membership.
What is FIDO authentication?
FIDO authentication is the set of standards produced by the FIDO Alliance. Their goal is to reduce the use of passwords and raise the bar for authentication on desktops and mobile devices. FIDO is designed to protect security and privacy: the private key, and any biometric template, never leave the user's device. The user unlocks the authenticator locally, for example with a fingerprint or a PIN, and the server only ever sees a signature, so there is no complex password to remember and nothing reusable to steal in transit. FIDO is supported by the major platforms and browsers, including Windows 10, Android, Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari.
Static passwords are easy for cybercriminals to steal through phishing, malware and other attacks, and large data breaches have put troves of usernames, passwords and other personally identifiable information (PII) up for sale on the Dark Web. The result has been a surge of account takeover fraud, social engineering and man-in-the-middle attacks. Governments, policymakers and regulators have responded with cybersecurity and data protection laws that require financial institutions and other organizations to protect access to their portals, apps and systems with multi-factor authentication (MFA) and strong customer authentication (SCA). In 2013, when the FIDO Alliance was launched, public awareness of data breaches was rising. Today, after high-profile breaches at Yahoo (3 billion accounts exposed), Marriott (500 million) and Equifax (147 million), it is clear that access to online accounts and systems must be protected by strong authentication rather than passwords alone.
How does FIDO authentication enable passwordless login?
The FIDO Alliance publishes specifications and runs a certification program so that authenticators from many vendors, whether hardware security keys, mobile devices or built-in biometric sensors such as facial recognition, work interoperably across browsers and operating systems. This makes passwordless login possible on many apps and websites with a smoother user experience. FIDO authentication is based on public key cryptography and is designed to give web and online services a safe, easy login experience with better security at lower cost. FIDO's latest authentication specification is the Client to Authenticator Protocol (CTAP). CTAP is complementary to the W3C's Web Authentication (WebAuthn) specification: WebAuthn is the standard web API built into browsers and platforms that lets websites request FIDO authentication, and CTAP is how the browser or platform talks to an external authenticator. Together, WebAuthn and CTAP are known as FIDO2.
FIDO2 is the FIDO Alliance's newest protocol
FIDO2 is the latest FIDO authentication protocol. It is more convenient and more secure than password protection, and its two parts come from two standards bodies: the W3C's Web Authentication (WebAuthn) specification, which became a W3C Recommendation in 2019, and the FIDO Alliance's Client-to-Authenticator Protocol (CTAP). Together, these two components make FIDO2 authentication possible.
CTAP lets an external (roaming) authenticator, such as a security key or a mobile phone, talk to the user's computer or browser over USB, Bluetooth Low Energy or NFC (Near Field Communication). What travels over that link is a request to create a credential or to sign a challenge, and the resulting public key or signature; the private key stays inside the authenticator. CTAP is what makes a security key or phone usable for passwordless login in a web browser.
WebAuthn lets online services use FIDO authentication through a standard web API built into browsers: the website calls the API to register a credential or to ask for a signed login challenge, and the browser forwards the request to a built-in (platform) authenticator or, via CTAP, to an external one. Together, WebAuthn and CTAP let users prove who they are with a biometric, a PIN or an external FIDO authenticator to a FIDO2 server that belongs to a website or web app. FIDO2 is backwards compatible with previously certified FIDO U2F security keys, which a FIDO2 server can continue to accept as a second factor.
How FIDO authentication improves security and privacy
The FIDO specifications are designed with user privacy in mind. The authenticator creates a separate key pair for every service and account it is registered with, and the public key and credential identifier given to one service reveal nothing about the credentials registered elsewhere, so the credentials themselves cannot be used to track a customer across the different online services they use. Biometric data, where it is used, is matched on the device and never sent to a server.
FIDO and Public Key Infrastructure (PKI)
FIDO is based on public key cryptography. According to Gartner, “Public-key infrastructure (PKI) was developed mainly to support secure information exchanges over unsecure networks.” Take a consumer transacting with their bank through the mobile banking app on their phone. The connection between the bank's server and the customer's phone is encrypted by TLS; FIDO adds something different on top of it, a way for the phone to prove who is logging in. At registration the authenticator generates a key pair: the public key is registered with the online service, for example the bank's server, and the private key stays on the device. At login the server sends a fresh random challenge, the private key signs it, and the server checks the signature with the stored public key. The private key can only be used after the user unlocks it on the device, and the server holds nothing but public keys, so there are no server-side secrets for cybercriminals to steal.
In addition, the public key cannot be used to work out the private key, so a copy of the server's credential database is useless to an attacker. As an example, if you want to authenticate to an online service that supports FIDO authentication, you could do so with a FIDO authenticator device that plugs into your laptop's USB port or, with a FIDO-enabled Apple or Android smartphone, with the phone itself as your FIDO authenticator. First, you would be prompted to choose a FIDO2 authenticator, such as OneSpan's Digipass FIDO Touch, that matches the online service's acceptance policy. You would then unlock your FIDO authenticator with a PIN, fingerprint, face scan or a button press on a hardware device, and it would sign the service's challenge. Logging in with FIDO authentication has just eliminated any need for a password.
How FIDO authentication helps prevent phishing and other attacks
FIDO authentication eliminates passwords, the weakest link in the authentication chain. That alone removes the prize of a phishing attack, in which criminals use emotional or convincing appeals to trick people into clicking malicious links and entering usernames, passwords and other sensitive information. FIDO goes further: each credential is bound to the web origin it was registered on. The browser, not the web page, records the origin in the data that the authenticator signs, and the authenticator only uses a key that was created for that site, so a look-alike domain cannot obtain a usable signature and a signature captured on a phishing page will not verify at the real site. The same origin binding defeats man-in-the-middle (MITM) attacks that relay a login between a customer's device and a financial institution's server, the kind of attack in which a criminal then alters a financial transaction for their own benefit. FIDO's specification also protects privacy: private keys and biometric templates never leave the user's device and are never stored on a server. Each key pair is unique to one service and account, and each login signs a fresh server challenge, so a captured response cannot be replayed and a breach at one site does not expose credentials for another. By requiring a touch, a PIN, a fingerprint or a face scan, the authenticator confirms that someone physically interacted with the device and, with user verification, that it was the enrolled user; malware or a remote attacker cannot extract the private key or produce a signature without that interaction.
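The exchange described in the FIDO2, public key and phishing sections above, as an added example in Go that is not code from the FIDO Alliance, the W3C or OneSpan: a toy in-memory authenticator registers a P-256 key pair scoped to one RP ID, signs a server challenge the way a real authenticator does, and a relying party performs the WebAuthn verification steps. The domains bank.example and bank-example.test and the Authenticator and RelyingParty types are assumptions made for this example; the signed layout (rpIdHash || flags || counter, hashed together with SHA-256 of clientDataJSON) follows the WebAuthn specification.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/base64"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

// Bits of the authenticatorData flags byte (WebAuthn section 6.1): 0x01 user present, 0x04 user verified.
const flagsUPUV = 0x01 | 0x04

// Authenticator models a security key or phone authenticator in memory (a toy for this example).
type Authenticator struct {
	Keys    map[string]*ecdsa.PrivateKey // RP ID -> credential private key; never leaves the struct
	counter uint32                       // signature counter, bumped on every assertion
}

// Register is the makeCredential step: only the new P-256 public key is handed to the RP.
func (a *Authenticator) Register(rpID string) (pub *ecdsa.PublicKey, err error) {
	if a.Keys[rpID], err = ecdsa.GenerateKey(elliptic.P256(), rand.Reader); err != nil {
		return nil, err
	}
	return &a.Keys[rpID].PublicKey, nil
}

// signedMessage is what both sides hash: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	m := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return m[:]
}

// GetAssertion is the getAssertion step, run after the user passed the PIN or biometric check; it
// returns what navigator.credentials.get() hands back: clientDataJSON, authenticatorData, signature.
// A real browser writes the origin itself and insists rpID is a suffix of it; that rule is left out
// here so the RP's own origin check can be seen rejecting a relayed request.
func (a *Authenticator) GetAssertion(origin, rpID string, challenge []byte) (cd, ad, sig []byte, err error) {
	priv, ok := a.Keys[rpID]
	if !ok { // a look-alike domain has no credential scoped to it
		return nil, nil, nil, fmt.Errorf("no credential for RP ID %q", rpID)
	}
	cd, _ = json.Marshal(map[string]string{"type": "webauthn.get", "origin": origin,
		"challenge": base64.RawURLEncoding.EncodeToString(challenge)}) // cannot fail for a string map
	a.counter++
	rpIDHash := sha256.Sum256([]byte(rpID)) // authenticatorData = rpIdHash || flags || counter
	ad = append(rpIDHash[:], flagsUPUV, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(ad[33:], a.counter)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, signedMessage(ad, cd))
	return cd, ad, sig, err
}

// RelyingParty is the server: it stores only the public key and the last counter it accepted.
type RelyingParty struct {
	ID, Origin  string // e.g. "bank.example" and "https://bank.example"
	PublicKey   *ecdsa.PublicKey
	lastCounter uint32
}

// Verify runs the WebAuthn section 7.2 assertion checks that defeat phishing, relay and replay.
func (rp *RelyingParty) Verify(clientDataJSON, ad, sig, expectedChallenge []byte) error {
	var cd map[string]string
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	rpIDHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd["origin"] != rp.Origin:
		return fmt.Errorf("origin %q is not %q: signed on a phishing or relay site", cd["origin"], rp.Origin)
	case cd["challenge"] != base64.RawURLEncoding.EncodeToString(expectedChallenge):
		return fmt.Errorf("challenge mismatch: stale or forged assertion")
	case len(ad) < 37 || string(ad[:32]) != string(rpIDHash[:]):
		return fmt.Errorf("rpIdHash mismatch: credential belongs to another RP")
	case ad[32]&flagsUPUV != flagsUPUV: // this RP's policy: presence plus a PIN or biometric
		return fmt.Errorf("user presence or user verification flag missing")
	case !ecdsa.VerifyASN1(rp.PublicKey, signedMessage(ad, clientDataJSON), sig):
		return fmt.Errorf("signature does not verify under the registered public key")
	}
	counter := binary.BigEndian.Uint32(ad[33:37]) // spec allows a constant 0; otherwise must increase
	if counter != 0 && counter <= rp.lastCounter {
		return fmt.Errorf("signature counter did not increase: replay or cloned authenticator")
	}
	rp.lastCounter = counter
	return nil
}

func main() {
	auth := &Authenticator{Keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{ID: "bank.example", Origin: "https://bank.example"}
	rp.PublicKey, _ = auth.Register(rp.ID)
	challenge := make([]byte, 32)
	rand.Read(challenge) // one fresh random challenge per login attempt
	cd, ad, sig, _ := auth.GetAssertion(rp.Origin, rp.ID, challenge)
	fmt.Println("genuine:", rp.Verify(cd, ad, sig, challenge), "| replayed:", rp.Verify(cd, ad, sig, challenge))
	_, _, _, err := auth.GetAssertion("https://bank-example.test", "bank-example.test", challenge)
	cd, ad, sig, _ = auth.GetAssertion("https://bank-example.test", rp.ID, challenge)
	fmt.Println("look-alike:", err, "| relayed with real RP ID:", rp.Verify(cd, ad, sig, challenge))
}
```

Run it with go run: the genuine login verifies, the replayed assertion fails on the signature counter, the look-alike domain gets no assertion at all because no credential is scoped to it, and a request relayed with the real RP ID still fails because the phishing origin was written into the signed clientData. A production relying party additionally discards each challenge after one use and accepts authenticators that always report a counter of 0, as the specification permits.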
How FIDO authentication simplifies the customer experience
The customer no longer needs to remember multiple complex passwords for different devices or websites. A biometric or PIN unlocks the private key on their device with an easy action such as a fingerprint or face scan, a PIN entry or a button press on a hardware security key; in every case the unlock happens locally and only a signature is sent to the service. The public key stored on the bank's server verifies what the private key signed, whether for a login or for a transaction. No password, PIN or biometric is ever sent to or stored by the company the customer is transacting with, which protects privacy and keeps login credentials out of criminals' reach. The standards also improve the online customer experience and can help increase customer loyalty by making strong authentication easier to use.
The FIDO standards help meet regulations that call for stronger user authentication. FIDO is designed to satisfy the strong customer authentication requirements in the Regulatory Technical Standards (RTS) under the European Union's revised Payment Services Directive (PSD2): customer authentication must use two or more independent factors from the categories knowledge (a password or PIN), possession (a token or mobile device) and inherence (a biometric). A FIDO login combines possession of the authenticator with a PIN or biometric in a single gesture.
The FIDO standards are also designed for compliance with:
- The General Data Protection Regulation (GDPR): Every organization that processes the personal data of people in the EU is subject to the GDPR. The regulation does not name specific technologies, but it requires appropriate technical measures to secure personal data, and multi-factor authentication that verifies that someone is in fact who they say they are, such as a FIDO PIN or biometric unlocking a device-bound key, is a widely accepted way to meet that requirement.
- The Financial Action Task Force (FATF): Digital Identity guidance from the FATF states that, “The risk-based approach recommended by this Guidance relies on a set of open source, consensus-driven assurance frameworks and technical standards for digital ID systems.”
- Cybersecurity regulations from the New York Department of Financial Services (NYDFS): New York State's financial services regulator, the NYDFS, introduced its Cybersecurity Requirements for Financial Services Companies (23 NYCRR Part 500), which require the use of MFA “to protect against unauthorized access to non-public Information or Information Systems”; non-public information covers individuals' personal and financial information as well as confidential business data.
- The National Institute of Standards and Technology (NIST): NIST's Digital Identity Guidelines (SP 800-63B) define authenticator assurance levels and single out phishing-resistant (verifier impersonation resistant) authentication. FIDO authentication is designed to meet these guidelines: FIDO2 authenticators are phishing resistant, and a hardware authenticator that performs user verification can reach the highest level, AAL3.