Upgrading Identity Verification and Authentication with FIDO

July 13, 2021

How many online services have you registered for? And how many of them authenticate using passwords? The most probable answers to these questions are ‘too many’ or ‘most of them.’ 

Passwords and SMS-based one-time passcodes (OTPs) are the two most popular methods of authentication on digital services. However, did you know that 80% of data breaches occur due to compromised passwords? Forgotten passwords increase operational overheads for service desks and are also a prime reason for cart abandonment, resulting in lost revenue. Enterprises that use federated authentication across their corporate applications bear the brunt of a broken employee experience and a disproportionate number of helpdesk calls about forgotten passwords and locked accounts. Although OTPs solve some of these problems, they are increasingly falling out of favour globally because they are vulnerable to a growing number of man-in-the-middle attacks and SIM swaps.

Passwords, in particular, pose a dual challenge of security and friction and need to be phased out.

Overcoming these barriers calls for adopting frictionless and phishing-resistant multi-factor authentication (MFA). The FIDO (short for Fast Identity Online) Alliance, an industry consortium of over 250 leading companies promoting open standards for identity verification and authentication, was launched in early 2013 to address these challenges and has since become the de facto industry standard for passwordless authentication. Today, various FIDO protocols address the critical aspects of digital identity lifecycle management, including identity verification for account onboarding, account recovery, and user and device authentication.

Most identity breaches are achieved either by attacking the servers that store user credentials or through malware and phishing attacks that impersonate the legitimate service and steal credentials as the user enters them. FIDO provides device-level local authentication using methods such as a PIN, biometrics, or an external hardware token, all interacting with the client device over a common, standardized interface. Additionally, the authenticating device (called an authenticator) connects to the online server using a standardized challenge-response cryptographic protocol built on a public/private key pair. Effectively, the user interaction via any of these authentication methods unlocks a private key dedicated to the online service in question; the online service itself stores only public keys, so a breach of its credential store yields nothing an attacker can replay.

The FIDO protocols consist of three sets of public-key cryptography-based specifications, as follows.

Universal Authentication Framework (UAF): The UAF protocol allows online service providers to offer their customers a range of passwordless sign-on options as they see fit for their service, including PIN, biometrics, and external hardware devices. During registration, the online service prompts the user to select an authentication method, after which the authenticator creates a new key pair. The private key is securely retained in the authenticator, whereas the public key is passed to the online service and bound to the user’s account.

FIDO2: This is a set of two open standards jointly built by the FIDO Alliance and the W3C. The W3C’s WebAuthn standard provides a standard API, supported by popular browsers and platforms (such as Android), for creating and using public-key credentials. In a typical sign-on, the online service sends a challenge to the client (a browser or app) through the WebAuthn API, asking it to sign that challenge with the private key. The FIDO Client to Authenticator Protocol (CTAP) then runs between the client and the authenticator to produce the signature, enabling either passwordless or multi-factor authentication.
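The UAF registration flow above and the FIDO2 challenge-response sign-on described here rest on the same key-pair mechanics, so one simulation covers both. The Go program below is an added example, not code from the FIDO specifications, from the W3C, or from Prove. It models a relying party (the online service) and an authenticator using ECDSA on P-256, the curve WebAuthn commonly uses, with the constructed relying-party ID example.com and user alice. The type names (RelyingParty, Authenticator, Assertion) and the signed-data layout are simplifications assumed for illustration, not the exact FIDO wire format.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// RelyingParty is the online service. It stores public keys only; a leak of
// this table gives an attacker nothing that can be replayed as a login.
type RelyingParty struct {
	ID    string // relying-party identifier, e.g. "example.com" (constructed)
	creds map[string]*credential
}

type credential struct {
	pub     *ecdsa.PublicKey
	counter uint32 // last signature counter accepted; must strictly increase
}

// Authenticator holds the private keys, one per relying party it registered with.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey // keyed by relying-party ID
	counter uint32
}

// Assertion is the authenticator's answer to a challenge (simplified layout).
type Assertion struct {
	RPID      string
	Challenge []byte
	Counter   uint32
	Sig       []byte // ASN.1 DER encoded ECDSA signature
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, creds: map[string]*credential{}}
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// NewChallenge is the fresh random value the server sends for every sign-on.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Register: the authenticator mints a key pair bound to this relying party and
// hands back only the public half. The private key never leaves the device.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// StoreCredential binds the public key to the user's account on the server.
func (rp *RelyingParty) StoreCredential(user string, pub *ecdsa.PublicKey) {
	rp.creds[user] = &credential{pub: pub}
}

// signedData is the digest both sides agree to sign: RP ID || counter || challenge.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	h.Write(c[:])
	h.Write(challenge)
	return h.Sum(nil)
}

// Sign answers a challenge. rpID is the origin the client actually observed; a
// look-alike domain has no registered key, so the authenticator simply refuses.
func (a *Authenticator) Sign(rpID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, errors.New("no credential registered for this origin")
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, a.counter, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{RPID: rpID, Challenge: challenge, Counter: a.counter, Sig: sig}, nil
}

// Verify checks an assertion against the challenge the server issued for it.
func (rp *RelyingParty) Verify(user string, issued []byte, as *Assertion) error {
	cred, ok := rp.creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	if as.RPID != rp.ID {
		return errors.New("assertion is bound to a different relying party")
	}
	if !bytes.Equal(as.Challenge, issued) {
		return errors.New("challenge mismatch: stale or replayed assertion")
	}
	if as.Counter <= cred.counter {
		return errors.New("signature counter did not increase: possible cloned authenticator")
	}
	if !ecdsa.VerifyASN1(cred.pub, signedData(as.RPID, as.Counter, as.Challenge), as.Sig) {
		return errors.New("invalid signature")
	}
	cred.counter = as.Counter
	return nil
}

func main() {
	rp, auth := NewRelyingParty("example.com"), NewAuthenticator()
	pub, _ := auth.Register(rp.ID)
	rp.StoreCredential("alice", pub)

	ch := rp.NewChallenge()
	as, _ := auth.Sign(rp.ID, ch)
	fmt.Println("first sign-on:", rp.Verify("alice", ch, as))

	// Replaying the captured assertion against a new challenge is rejected.
	fmt.Println("replay:", rp.Verify("alice", rp.NewChallenge(), as))
}
```

The two negative cases carry the security point of the paragraph: a captured assertion is useless against the next challenge, and an authenticator asked to sign for an origin it never registered with has no key to sign with, which is what makes the scheme phishing-resistant rather than merely password-free.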

Universal Second Factor (U2F): The U2F protocol complements traditional password-based security with a second factor based on external authenticator devices such as key fobs and pluggable USB devices. Browsers and authenticator devices that conform to the protocol can automatically connect and communicate, thereby providing a second authentication factor.

Apart from reinforcing security, the standardization enforced by FIDO results in the decoupling of the authenticator from the online service, introducing better interoperability and fostering innovation in user verification methods. Furthermore, the FIDO Alliance ensures the quality and interoperability of standards through certification programs.

That said, the most significant benefits of FIDO are simpler authentication for the consumer, protection against identity theft and account takeover, compliance with regulations such as PSD2, and operational ease for enterprises.
