At Apple's Worldwide Developers Conference (WWDC), the tech giant often makes game-changing announcements about its product usability, features and other innovations. On June 22, 2020, Apple announced a feature to help securely and conveniently authenticate customers to any website: Face ID and Touch ID for the web. This new feature is based on the FIDO standard.
What is FIDO?
FIDO, or “fast identity online”, is a standard created by the FIDO Alliance. It’s been gaining adoption as a secure and convenient means of passwordless authentication. FIDO is an open-source standard that uses public-key cryptography to allow users to sign on to digital applications or websites without using a password: the private key stays on the user's device, and the website only ever holds the matching public key.
What does it use instead? It securely trusts the device you’re already logged into. Think about it. You can’t sign into a website without a device, right? Devices such as smartphones, tablets and computers require credentials to get into them. In effect, if you’re signing into a website, you’ve already unlocked a smartphone or a computer with secure credentials. Why not just reuse the trust you’ve already established with those devices, instead of a password that is much less secure? FIDO provides a secure, seamless method of passwordless authentication. The video below gives a more thorough overview of FIDO.
Why Does Apple’s FIDO Announcement Create a Tipping Point?
Now, you might say, “Wait a minute, I read on Wikipedia that FIDO was founded in 2013. Why isn’t this secure, convenient way of getting around passwords ubiquitous on all the websites I use?”
Many companies are already using it for employee authentication because of how secure the medium is. This also works because employers have more control over the types of devices their employees use and can even offer them hardware tokens (like FIDO-enabled USB keys) to carry around. None of those things are true for customers.
Even though it’s a standard, any device you may want to use to authenticate, as well as the browser running on it, has to have built-in support for FIDO. Android began supporting the FIDO2 standard (the latest version) last year. Most computers also support it. However, until this announcement, Apple devices have not. That left a big gap in FIDO adoption.
Put yourself in the shoes of a giant retailer or another popular website. You’d love to offer FIDO support for your customers—after all, convenient digital customer experiences are competitive differentiators—but there’s a giant percentage of devices that won’t support the standard. That would leave many of your customers unable to use the feature you worked so hard to build. This makes FIDO a lower priority, versus the long list of other features on your list that could be enjoyed by all of your customers.
Now, all that has changed. Apple has filled the gap that existed in FIDO support. The FIDO standard will be a higher priority for customer-facing organizations, since they’ll be able to cut passwords out of the equation for nearly all of their customers.
Get ready. FIDO is coming to customers!
Does FIDO Replace Multi-factor Authentication?
In short, no. Multi-factor authentication (MFA) remains another secure, convenient option, whether as a second factor, as passwordless authentication or even as zero login (signing on with no username or password), and it has a number of advantages:
FIDO is tied to your device
Right now, customers must use FIDO on the same device they’re using to browse the internet—phones, tablets or computers. That makes it an in-band authentication medium, vs. out-of-band. In the future, maybe FIDO-enabled USB keys or FIDO-enabled smart-rings will gain massive adoption. Until then, all the security of FIDO is tied to your device. If it’s ever compromised, a bad actor will have complete control of your digital accounts. While the risk is low, it’s important to offer secure backup means of authentication.
There are other convenient authentication methods
Sign-on isn’t just about security, it’s about convenience. If your sign-on process contains too much friction, your customers will abandon it, costing you valuable customer interactions and revenue. FIDO isn’t the only secure, convenient option. For example, many companies have mobile applications. Those mobile applications are also tied securely to trusted devices. MFA or passwordless authentication can occur using a push notification to your mobile device—from a company's custom mobile app. Ping offers a mobile SDK that allows you to embed this type of MFA and passwordless authentication into custom iOS or Android apps.
Support for customer preferences
Customers will have to opt in to FIDO, and some customers simply may not do that. They’re a fickle bunch. Even though SMS is one of the less-secure methods of MFA, some customers may be used to it and not willing to change. While it should be your goal to get as many customers as possible onto secure methods (such as FIDO or MFA via push notifications in your own app), you have to provide alternatives for customers who simply aren’t going to opt in. There are many MFA methods, and any one of them is more secure than no MFA at all. That’s why it’s important to offer variety to your customers.
Welcome To Customer Identity, FIDO
With its recent announcement, Apple has filled a large gap in FIDO support. As a result, companies will be able to prioritize adoption of the standard, giving their customers a secure, convenient way to sign in without a password.
FIDO is a great addition to your customer identity strategy, but it isn’t the be-all and end-all authentication factor. There are many use cases that other authentication factors or approaches are still well-suited to address, from zero login and measuring risk to identity verification with support reps.
With that, I’d simply like to say “FIDO, welcome to customer identity!” And thank you Apple for making sign-on even more secure and convenient.