Upgrading Identity Verification and Authentication with FIDO

July 13, 2021

How many online services have you registered for? And how many of them authenticate using passwords? The most probable answers to these questions are ‘too many’ or ‘most of them.’ 

Passwords and SMS-based one-time passcodes (OTPs) are the two most popular methods of authentication on digital services. However, do you know that 80% of data breaches occur due to compromised passwords? Forgotten passwords increase operational overheads for service desks and are also the prime reason for cart abandonment, resulting in lost revenue. Enterprises that use federated authentication across their corporate applications bear the brunt of a broken employee experience and a disproportionate number of helpdesk calls about forgotten passwords and locked accounts. Although OTPs solve some of these problems, they are becoming increasingly unpopular globally because of their vulnerability to a growing number of man-in-the-middle attacks and SIM swaps.

Passwords, in particular, pose a dual challenge of security and friction and need to be phased out.

Overcoming these barriers calls for adopting frictionless and phishing-resistant multi-factor authentication (MFA). The FIDO (short for Fast Identity Online) Alliance, an industry consortium of over 250 leading companies promoting open standards for identity verification and authentication, was launched in early 2013 to address these challenges and has since become the de facto industry standard for passwordless authentication. Today, various FIDO protocols address the critical aspects of digital identity lifecycle management, including identity verification for account onboarding, account recovery, and user and device authentication.

Most identity breaches are achieved by attacking servers that store user credentials or by malware-induced phishing attacks that impersonate local devices and steal credentials. FIDO provides device-level local authentication using various methods such as a PIN, biometrics, or external hardware tokens, all interacting with the client device over a common, standardized interface. Additionally, the authenticating device (called an authenticator) connects to the online server using a standardized challenge-response cryptographic protocol built on a public/private key pair. Effectively, the user interaction via any of these authentication methods unlocks a private key dedicated to the online service in question—the online service stores only public keys.

The FIDO protocols consist of three sets of public-key cryptography-based specifications, as follows.

Universal Authentication Framework (UAF): The UAF protocol allows online service providers to offer their customers a host of passwordless sign-on options as they deem appropriate for their service. These include PIN, biometrics, and external hardware devices. The registration process on the online service prompts users to select an authentication method during which the authenticator creates a new key pair. The private key is securely retained in the authenticator, whereas the public key is passed on to the online service and bound to the user’s account.

FIDO2: This is a set of two open standards jointly built by FIDO and W3C. The WebAuthn standard of W3C provides a standard API, supported by popular browsers and platforms (such as Android), to create and use public-key credentials. In a typical sign-on scenario, the online service sends a challenge to the sign-on client (a browser or app) through the WebAuthn API, requesting that it sign the data with the private key. The Client to Authenticator Protocol (CTAP) of FIDO then operates between the client and the authenticator to enable either passwordless or multi-factor authentication.

Universal Second Factor (U2F): The U2F protocol complements traditional password-based security with a second factor based on external authenticator devices such as fobs and pluggable USB devices. Browsers and authenticator devices that conform to the protocol can automatically connect and communicate, thereby providing second-factor authentication.

Apart from reinforcing security, the standardization enforced by FIDO results in the decoupling of the authenticator from the online service, introducing better interoperability and fostering innovation in user verification methods. Furthermore, the FIDO Alliance ensures the quality and interoperability of standards through certification programs.

That said, the most significant benefits of FIDO are the simplification of authentication for the consumer, protection against identity theft and identity takeover, compliance with regulations such as PSD2, and operational ease for enterprises.
