a good thing!
Passwords are hard to remember, often reused and need to be changed frequently. These days, people have more than 90 online accounts and abandon one-third of their online purchases because they can’t remember their passwords, according to the FIDO Alliance. And resetting passwords is expensive, with help desk labor costs running an average of $70 for each password reset.
FIDO protocols were designed to stop the password chaos and improve the user experience. Read on to discover what FIDO is, how the FIDO Alliance works, and why FIDO-enabling your products can help you better serve your end users.
FIDO (Fast Identity Online) is a set of open, standardized authentication protocols intended to ultimately eliminate passwords, which are often ineffective and outdated from a security perspective.
After completing an initial registration process and selecting the method by which they want to be authenticated, users can sign on to a FIDO-enabled product or service by simply providing a fingerprint, speaking into a microphone, looking into a camera or entering a PIN, depending on the technology available on their computer or smartphone and which methods the product or service accepts. Much of the authentication process is done behind the scenes and users are blissfully unaware that it’s even happening.
These protocols were also designed to protect user privacy.
FIDO protocols use standard public key cryptography to authenticate users. At registration the user's device generates a key pair and sends only the public key to the service; at sign-on the device proves possession of the private key by signing a challenge the service issued. The private key never leaves the device, so it is never transmitted and cannot be intercepted, and the service holds nothing that would let an attacker impersonate the user if its database were stolen. The connection between client and service is protected by TLS. If a biometric is used, it is matched locally to unlock the private key, and the biometric data likewise never leaves the device, which makes these authentication processes stronger and even more secure.
Founded in 2013, the FIDO Alliance is an open industry association focused on creating authentication standards that “help reduce the world’s over-reliance on passwords.”
The idea of using biometrics instead of passwords to authenticate users was initially discussed at a meeting between PayPal and Validity Sensors in 2009. This meeting inspired the idea to create an industry standard using public key cryptography and local authentication methods to enable passwordless login.
Today, the FIDO Alliance has hundreds of member companies across a wide variety of industries, who work together to develop technical specifications that define an open set of protocols for strong, passwordless authentication. These companies include Amazon, Apple, Google, Microsoft, Visa and, of course, Ping.
The FIDO Alliance develops technical specifications that define open standards for a variety of authentication mechanisms that all work together. They also have certification programs that allow companies to verify interoperability across certified products, which is crucial for worldwide adoption.
The fact that FIDO is an open standard is also important because it means that it is intended for widespread use, so it is publicly available and free to adopt, implement and update. And because open standards are managed by a foundation of stakeholders who ensure the standards maintain their quality and interoperability, they are widely accepted in the developer community.
The FIDO Alliance has published three sets of specifications, all of which are based on public key cryptography:
Universal Authentication Framework (UAF)
Universal Second Factor (U2F)
FIDO2
The FIDO UAF protocol allows online service providers to offer their users passwordless sign-on experiences. Multi-factor sign-on experiences are also available if additional security is required.
To use UAF, users must have a personal device, like a computer or smartphone, that they register with an online service. During the registration process, users are asked to choose the method they want to use to authenticate with the service in the future.
Service providers determine what types of authentication mechanisms are appropriate and provide a list of available options, which might include facial or voice recognition, fingerprint reading or entering a PIN. If a multi-factor sign-on experience is required, users can authenticate using more than one of these options.
Once registered, users no longer enter their passwords to sign on, but use the methods that they selected to authenticate themselves.
Let’s start by talking about the registration process. When a user attempts to access an online service for the first time, they are prompted to register.
During the registration process, the user selects the authentication method they want to use to sign on. Only methods that match the service’s acceptance policy are available.
The user’s device, which could be a personal computer or a cell phone, creates a new key pair unique to the device, online service and user account.
The user’s device retains the private key and sends the public key to the online service associated with the user’s account, which completes the registration process.
Note that nothing secret crosses the network during registration: the private key and any biometric data stay on the device, and only the public key is sent to the service, over a TLS-protected connection. A breach of the service's database therefore exposes only public keys, which are of no use for signing in as the user.
After registering, the user can quickly access the application using the authentication method they selected.
The user signs on to the online service using the method they selected to verify their identity.
The device uses the account identifier to select the appropriate private key and signs the online service’s challenge in a way that proves the device has possession of the private key.
The device sends the signed challenge back to the online service, where it is verified with the public key, and the user gains access to the online service.
The FIDO U2F protocol complements traditional password-based security, rather than replacing it altogether. With U2F, users must provide two pieces of evidence to verify their identities:
Something that they know, like their username and password
Something that they have, like a registered fob or USB device. These security devices are known as U2F authentication tokens or security keys, and can use USB, NFC (near-field communication) or Bluetooth technology to complete authentication processes.
When the user touches or taps the security key, the browser talks to the key directly and relays the key's signed response to the online service; the web page itself never sees the private key.
How does it work?
When a user attempts to access an online service for the first time, they are prompted to register: they provide a username and password and then register their security key, which generates a new key pair for that service and hands the service only the public key.
Each time a user attempts to subsequently access an online service through their browser:
The user enters their username and password recognized by that online service.
The service sends a challenge, which the browser forwards to the registered security key together with the identity of the service (its app ID), after checking that the app ID matches the site the browser is actually talking to.
The user touches the security key to confirm presence; the key signs the challenge together with the app ID, proving possession of the private key without revealing it, and the browser returns the signed response to the online service.
The service verifies the signature with the stored public key and the user gains access. Because the signature covers the app ID and the browser only supplies the app ID of the real origin, a look-alike site cannot obtain a response that the real service will accept. As with the UAF protocol, private keys never leave the security key and the connection to the service is protected by TLS.
FIDO2
FIDO2 is the name of the FIDO Alliance’s newest set of specifications, and was created through a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C).
FIDO2 is built from two open standards: the FIDO Alliance's Client to Authenticator Protocol (CTAP) and the W3C's Web Authentication standard (WebAuthn). Together they provide passwordless sign-on, or two-factor and multi-factor sign-on if additional protection is needed. The authenticator may be a platform authenticator built into the device (a fingerprint reader, face recognition or a PIN) or a roaming authenticator such as a fob or USB security key.
The specifications included in FIDO2 are:
WebAuthn, which defines a standard web API, built into browsers and platforms, that web applications use to create and use public key credentials. The browser or platform, in turn, talks to authenticators over CTAP1 or CTAP2, so a WebAuthn relying party works with both older U2F security keys and newer FIDO2 authenticators.
CTAP1, which is the new name for the FIDO U2F protocol. It provides users with a second-factor authentication experience, which requires that they plug security devices into their computers, or tap their devices near an NFC reader, to gain access to an online service.
CTAP2, which allows the authenticator to be used as both the first and second factor of authentication and can provide users with a passwordless authentication experience, or two-factor and multi-factor authentication experiences if additional protection is needed.
How does it work?
As with UAF and U2F, the user first registers with the online service, typically after proving who they are by whatever means the service already uses, such as a password. During registration the authenticator generates a new key pair. The private key stays on the authenticator, bound to the relying party's identifier (its domain) and to the user account; the public key, along with a credential ID, is stored by the online service on its server.
Each time the user attempts to subsequently access an online service, the online service, or relying party, uses APIs to verify user credentials with the authenticator.
When the user attempts to sign on to an application, the relying party (the FIDO2 server) sends a challenge to the FIDO client through the WebAuthn API and asks for an assertion signed with the private key. The FIDO client could be a browser, desktop application, mobile application or platform.
The user consents to the request by performing the method of authentication they selected during registration. Before anything is signed, the client checks the relying party's domain against the domain the credential was bound to at registration and records the origin it actually observed in the signed client data. If the domains do not match, the credential cannot be used, the authentication will not continue and an error is displayed. This binding, established at registration and checked at every sign-on, is what gives FIDO its strong phishing resistance: a look-alike site cannot obtain a signature that the real site will accept.
The client passes the challenge and client data to the authenticator, which can be part of the user's computer or smartphone (a platform authenticator) or an external piece of hardware (a roaming authenticator). The private key stays inside the authenticator; the client never obtains it.
The authenticator signs the challenge together with its authenticator data, proving possession of the private key, and the client returns the signed assertion to the relying party, which verifies it with the stored public key and grants access.
As with the other FIDO protocols, nothing secret crosses the network: the connection is protected by TLS and private keys never leave the authenticator.
Start your journey to passwordless authentication with Ping
FIDO protocols were designed to end password chaos, improve the user experience and protect user privacy. Private keys never leave users' devices, nor does biometric information if it is used to authenticate, and the service stores only public keys, so there is no shared secret to intercept in transit or to steal from a server.
So why wouldn’t you want to use them to support your online services? FIDO-enabling your products and services is easier than ever. PingZero supports FIDO protocols and makes it easy to customize your users’ sign-on experiences to meet your needs and theirs.
To learn more, see the following:
FIDO Alliance - Open Authentication Standards More Secure than Passwords
Web Authentication: An API for accessing Public Key Credentials Level 1
Web Authentication: An API for accessing Public Key Credentials - Level 2
FIDO (Fast Identity Online) is a set of open, standardized authentication protocols intended to ultimately eliminate passwords.
With FIDO authentication, you can:
Simplify the customer sign-on experience by making it possible for users to simply swipe a finger or look into a camera to access an application.
Mitigate common cybersecurity threats by using public key cryptography techniques that encrypt communication throughout the authentication process, and store private keys and biometric information on users’ devices.
Help meet regulatory requirements for strong authentication by using open, publicly available standards that are free to adopt, implement and update, and that are maintained by a broad group of stakeholders who keep them interoperable and of consistent quality.
Save money by reducing password resets, device provisioning and customer support.
The FIDO Alliance comprises more than 250 leading organizations, including the world's leading vendors, relying parties, service providers, and platform and browser providers like Google, Mozilla and Microsoft.
A FIDO key is a portable hardware security key. With U2F (CTAP1) it is used in addition to a username and password as a second factor; with FIDO2 (CTAP2) it can also serve as a passwordless first factor, typically unlocked with a PIN or a fingerprint on the key itself. FIDO keys can look like USB flash drives that you plug into a computer, or like fobs that you tap against an NFC reader.
A FIDO client is the browser, desktop application, mobile application or platform that acts as the intermediary between the FIDO authenticator and the relying party in a FIDO2 authentication: it forwards the relying party's challenge to the authenticator, checks the relying party's identity against the credential, and returns the signed response.