FIDO is not the end of passwords (and that's OK)

December 10, 2014


The FIDO Alliance announced the release of the FIDO 1.0 specification set yesterday, a new standard that defines an authentication model that complements more comprehensive identity standards such as SAML and OpenID Connect.


What's novel and exciting about FIDO is how it simplifies and normalizes authentication by insulating applications from the messy details of varying authentication methods. Just as we don't concern ourselves with the complexities of the retailer's supply chain when we buy something online, FIDO aims to make newer forms of authentication easy to plug in. Applications need only support the FIDO protocol to unlock a powerful set of local authentication methods, including biometrics that either replace or, more realistically, enhance password-based security.

Press articles on FIDO emphasize the biometric options for local authentication - the iPhone TouchID, or fancier face, voice or iris scans. These are important, and undeniably cool, but the real value of FIDO is the model of pluggable local authentication itself. With FIDO, adding server support for a new authentication technology requires only a policy change (logically saying the new mechanism is okay to use). No code to change, no new proprietary protocol to support, just configuration. And critically, because the only thing that the server stores for a user is a public key, the risk of compromise of password stores is completely eliminated.

The default editorial framing of this news is that FIDO will usher in the 'death of passwords.' While it is indeed a step closer toward the post-password era, there are two caveats:


  • Half of the FIDO spec set is Universal Second Factor (U2F). As the name suggests, U2F normalizes a second-factor authentication model. U2F presumes that the user is first authenticated by some other authentication mechanism before the U2F protocol kicks in. What do you think that other mechanism will be 98% of the time? Yup, passwords.
  • As much attention as the biometric options receive, if the device does not support the associated sensor (fingerprint reader, etc.), then the local authentication may need to fall back to something every device will support -- a password or PIN (though admittedly these local passwords are a different proposition, not stored on the server and so not vulnerable to breach).

So, if not the death of passwords, perhaps we can say that FIDO is the 'Prison of passwords', keeping them isolated (to the phone) and so protecting society from the worst of their excesses?

Compared to other identity standardization efforts, FIDO's release schedule has been extremely aggressive - at the two-year mark many other efforts were still on use cases and planning the first plenary in some exotic locale (although, as Ping's representative on FIDO, I wouldn't have minded such a trip had it happened).

FIDO and Federation

FIDO defines both the Universal Authentication Framework (UAF) and the Universal Second Factor (U2F) specifications. Together, they define a powerful model of user authentication - one that leverages established public key cryptography at the server, but also normalizes a pluggable architecture for local authentication. In FIDO, the user logically authenticates to the local device (phone, PC, etc.) via a variety of methods; that authentication serves to free up a private key (whose public counterpart was previously registered at the server) for signing an authentication challenge string. The server is insulated from the messy details of the actual user authentication and need only support a much simpler crypto protocol.
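The flow described above, together with the earlier point that accepting a new local mechanism is a policy change rather than a code change, as a minimal model. This is an added example, not code from the FIDO specifications or from Ping: it uses Ed25519 from the Go standard library for brevity instead of the UAF/U2F message formats, and the type names, method labels and user names are assumptions.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator models the user's device; the private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }
type registration struct {
	pub    ed25519.PublicKey
	method string // local method label, e.g. "fingerprint" (constructed)
}

// Server stores public keys only, plus a policy of accepted local methods.
type Server struct {
	Policy map[string]bool // configuration, not code
	users  map[string]registration
}

// Register creates the key pair on the device; the server keeps the public half.
func (s *Server) Register(user, method string) *Authenticator {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		panic(err)
	}
	s.users[user] = registration{pub, method}
	return &Authenticator{priv}
}

// Sign releases a signature only after local user verification succeeded.
func (a *Authenticator) Sign(challenge []byte, locallyVerified bool) []byte {
	if !locallyVerified {
		return nil
	}
	return ed25519.Sign(a.priv, challenge)
}

// Verify applies the policy, then checks the signature over the challenge.
func (s *Server) Verify(user string, challenge, sig []byte) bool {
	r, ok := s.users[user]
	return ok && s.Policy[r.method] && ed25519.Verify(r.pub, challenge, sig)
}

func main() {
	s := &Server{Policy: map[string]bool{"fingerprint": true}, users: map[string]registration{}}
	c := []byte("constructed-challenge") // a real server issues a fresh random nonce per login
	fmt.Println(s.Verify("alice", c, s.Register("alice", "fingerprint").Sign(c, true)))
}
```

The server never sees how the user unlocked the key, and a breach of its store yields only public keys.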

This is of course the same value proposition as federation. FIDO is effectively 'federation in the small'. When used for Web SSO, SAML & OpenID Connect insulate the relying party application from the complexity of directly dealing with the user's authentication; the application instead need only support a standardized protocol by which a description of that authentication is communicated. These two abstraction layers make combining FIDO-based authentication with federated SSO particularly attractive - a web site need not directly support the FIDO protocols in order to benefit from the FIDO advantages. And note that FIDO is an 'authentication' standard, not an 'identity' standard - if the web site needs more attributes for personalization & authorization than merely a public key associated with a name, then FIDO can't provide them (but OpenID Connect etc. can).

What's Next?

My saying that FIDO does not cure the common cold should not be interpreted as meaning Ping doesn't see great value in the specifications and the authentication models they enable. The standardization of UAF and U2F is likely to encourage greater adoption (which was already happening when the specs were at 'draft' stage) and we expect to see interest and demand from customers increasing. We've already demonstrated integration between FIDO implementor Nok Nok Labs and PingFederate -- allowing a FIDO-based login to be converted into a SAML assertion or OpenID Connect id token. Stay tuned for more.