How many online services have you registered for? And how many of them authenticate using passwords? The most probable answers to these questions are ‘too many’ or ‘most of them.’
Passwords and SMS-based one-time passcodes (OTPs) are the two most popular methods of authentication on digital services. However, do you know that 80% of data breaches occur due to compromised passwords? Forgotten passwords increase operational overheads for service desks and are also the prime reason for cart abandonment, resulting in lost revenue. Enterprises that federate authentication across their corporate applications bear the brunt of this: a broken employee experience and a disproportionate number of helpdesk calls about forgotten passwords and locked accounts. Although OTPs solve some of these problems, they are increasingly falling out of favour globally because they are vulnerable to a growing number of man-in-the-middle attacks and SIM swaps.
Passwords, in particular, pose a dual challenge of security and friction and need to be phased out.
Overcoming these barriers calls for adopting frictionless and phishing-resistant multi-factor authentication (MFA). The FIDO (short for Fast Identity Online) Alliance, an industry consortium of over 250 leading companies promoting open standards for identity verification and authentication, was launched in early 2013 to address these challenges and has since become the de facto industry standard for passwordless authentication. Today, various FIDO protocols address the critical aspects of digital identity lifecycle management, including identity verification for account onboarding, account recovery, and user and device authentication.
Most identity breaches are achieved either by attacking the servers that store user credentials or through malware-driven phishing attacks that impersonate local devices and steal credentials. FIDO provides device-level local authentication using various methods such as a PIN, biometrics, or an external hardware token, all interacting with the client device over a common, standardized interface. Additionally, the authenticating device (called an authenticator) connects to the online server using a standardized, challenge-response cryptographic protocol based on a public/private key pair. Effectively, the user interaction via any of these authentication methods unlocks a private key dedicated to the online service in question—the online service stores only public keys, so a breach of its credential store yields nothing an attacker can replay.
The FIDO protocols consist of three sets of public-key cryptography-based specifications, as follows.
Universal Authentication Framework (UAF): The UAF protocol allows online service providers to offer their customers a host of passwordless sign-on options as they deem appropriate for their service. These include PIN, biometrics, and external hardware devices. The registration process on the online service prompts users to select an authentication method during which the authenticator creates a new key pair. The private key is securely retained in the authenticator, whereas the public key is passed on to the online service and bound to the user’s account.
FIDO2: This is a set of two open standards jointly built by FIDO and W3C. The W3C WebAuthn standard provides a standard API, supported by popular browsers and platforms (such as Android), for creating and using public-key credentials. In a typical sign-on, the online service sends a challenge to the sign-on client (a browser or app) through the WebAuthn API, requesting that the data be signed with the private key. The Client to Authenticator Protocol (CTAP) of FIDO then runs between the client and the authenticator to perform either passwordless or multi-factor authentication.
Universal Second Factor (U2F): The U2F protocol complements traditional password-based security with a second factor based on external authenticator devices such as fobs and pluggable USB devices. Browsers and authenticator devices that conform to the protocol can automatically connect and communicate, thereby providing a second authentication factor.
Apart from reinforcing security, the standardization enforced by FIDO results in the decoupling of the authenticator from the online service, introducing better interoperability and fostering innovation in user verification methods. Furthermore, the FIDO Alliance ensures the quality and interoperability of standards through certification programs.
That said, the most significant benefits of FIDO are the simplification of authentication for the consumer, protection against identity theft and identity takeover, compliance with regulations such as PSD2, and operational ease for enterprises.