Fast identity online (FIDO) standards are authentication protocols where security and user experience meet.
FIDO standards, developed by an open industry association – the FIDO Alliance, offer more security than passwords alone or one-time passcodes and allow for fast, secure, and stronger authentication.
It encompasses several authentication techniques like biometric scans, iris scans, voice recognition, or facial recognition. FIDO also facilitates existing authentication solutions such as security tokens, smart card authentication, near field communication (NFC), and more.
Interestingly, linguistic origins of the name FIDO traces to the Latin word “fido,” which means trust, as defined in the University of Notre Dame Latin dictionary, and is just an appropriate acronym for the security environment, where trust is paramount.
The FIDO Alliance’s mission is “to reduce the world’s reliance on passwords.” What started in 2009 as PayPal and Validity Sensors’ vision for an industry standard that would allow biometrics for identification of online users instead of passwords has now become just that.
Today’s FIDO Alliance members include global tech leaders across enterprise, payments, telecom, government, and healthcare industries and include tech titans such as Amazon, Alibaba, Facebook, and Google. FIDO-enabled websites and apps now reach over 3 billion commercial users.
What are FIDO standards?
FIDO standards offer a series of open and scalable specifications like Universal Authentication Framework (UAF), Universal Second Factor (U2F), and FIDO2, allowing a simpler and more secure user authentication experience.
It makes user identification easier with biometric systems, multi-factor authentication (MFA), and other alternatives across websites and applications. IT emphasizes a device-centric model, where it uses standard public-key cryptography, where a user is challenged to prove possession of the private key through a variety of ways.
How does FIDO work?
When a user creates an account or registers on an online service that employs the FIDO standard, the device generates a set of cryptographic keys. The system registers the public key with the online services and stores the private key on the device.
During authentication, the system challenges the user to prove the possession of the private key. You can do it through different FIDO-enabled authentication methods like biometric authentication, facial recognition, multi-factor authentication, and more. You can use your private key locally on the device after unlocking it by secure methods, which includes swiping a finger, speaking into the microphone, entering a pin, or pressing a button.
FIDO protocols keep user privacy protected while you take advantage of the lightning-fast and secure access to online services. Under no circumstances do FIDO protocols provide information to online services with which they can collaborate and track the user across services.
FIDO provides the following specifications to reduce the redundancies of remembering complex passwords and addressing the lack of interoperability among strong authentication devices.
Universal Authentication Framework (UAF)
The Universal Authentication Framework was published in 2014 and was intended to facilitate passwordless authentication through biometrics. According to UAF, when a user authenticates to a service or application, they’ll be challenged by one or more security factors on their digital device. Once they succeed in passing those, the private key will be released, which can help the user to pass a challenge issued by the FIDO UAF Server.
The mechanism used by the user to verify on the device can be biometric, possession, or knowledge-based to get the private key and complete the authentication process. The UAF specification also guides on creating and managing multiple policies for transaction verification. This FIDO standard is used by several organizations to improve their security and provide a satisfactory user experience to both customers and their teams.
Universal Second Factor (U2F)
U2F standard lays guidelines on strengthening and simplifying two-factor authentication (2FA) using near-field communication (NFC) or USB devices based on the technology similar to smart cards. It was initially developed by Yubico and Google with contributions from NXP semiconductors.
The design of the standard revolves around USB devices communicating with the host system using the human interface device (HID) protocol, simply mimicking a keyboard. It allows a browser to access the security features of the device and eliminates the need to install a specific hardware driver software to read the USB device.
Once the host computer reads the USB device and a communication is established, challenge-response authentication is conducted where the device uses public-key cryptography techniques and a unique device key. Browsers such as Google Chrome, Opera, Firefox, Safari, and Thunderbird support the U2F specifications by using U2F security keys as an additional method of two-step verification on online services.
Client to Authenticator Protocol (CTAP)
CTAP empowers a roaming cryptographic authenticator such as a mobile phone or hardware security key to ensure interoperability with a client device like a laptop. It complements the WebAuthentication (WebAuthn) standard published by the World Wide Web consortium (W3C).
The protocol is based upon the U2F authentication standard released by FIDO Alliance. U2F and WebAuth were the foundation of the development of the FIDO 2.0 standard. The CTAP specification refers to two protocols CTAP1 and CTAP2. CTAP 1, the new name for FIDO U2F protocol, guides on establishing communication FIDO U2F enabled authenticators, and FIDO2 enabled browsers and OS to enable two-factor authentication.
On the other hand, CTAP 2 defines ways by which FIDO2 enabled browsers and OS can communicate with external authenticators like mobile devices or FIDO security keys to facilitate passwordless, two-factor, or multi-factor authentication.
The purpose of FIDO2 is to enable passwordless authentication. It’s built upon U2F and an expanded version of CTAP. The standard enables authentications to become passwordless by leveraging the web API – WebAuthn.
of security breaches leverage either stolen and/or weak passwords.
FIDO2 eliminates the risk caused due to password mismanagement as its cryptographic login credentials are unique for every website that is not stored on a server but stored locally on the user’s device.
The flow of communication defined by FIDO2 is:
A connection is established between the application (or browser) and the authenticator.
The application recognizes the capabilities of the authenticator and gets information on it using the authenticatorGetInfo command.
An operation command is sent by the application to the authenticator if found capable.
Authenticator sends a response data or an error message.
Before executing this protocol, it’s important that the external authenticator and the host establish a secure and mutually authenticated data transport channel.
Who uses FIDO?
FIDO helps organizations to mitigate critical risks of a data breach emerging due to weak passwords or password mismanagement. It allows your company to save on costs associated with device provisioning, password reset, customer support, and more, while providing a seamless user experience.
is the average help desk labor cost for a single password reset.
Due to such benefits and a variety of others, use cases of FIDO are found across different organizations and institutions.
Healthcare and insurance
In healthcare, FIDO authentication helps ensure that patients’ details like medical records, personal information, and other sensitive data, are accessible only to them besides the trusted providers.
It assures patients that their information rests with trustable authorities who adhere to standards like Health Insurance Portability and Accountability Act (HIPAA). It envelops medical systems and healthcare units with a strong protective layer of security to prevent a cyber attack.
Insurance companies use authentication using FIDO protocols to help ensure they have strong authentication in place.
In enterprise companies, FIDO simplifies the authentication process of users by making it fast and convenient while providing authentication. FIDO is typically used to facilitate user authentication in their life cycle within an organization. It allows users to conduct secure payment transactions and maintains a protective security layer around their digital signatures.
In environments anchored to the FIDO authentication standards, users may possess different authenticators at the same time, like one for a laptop and another for a mobile device. At the time of user registration, FIDO credentials are recorded on a local authenticator and are bound to a specific user account, which is used during the authentication phase.
For instance, where a user has lost the authentication device, FIDO standards allow admins to revoke and delete the credentials, which can be created on another device by following the registration process. In cases where the FIDO credentials need to be renewed, admins ensure that the same level of security is enforced as in the registration process. Inherently, the FIDO standard doesn’t support the concept of credentials renewal, so any renewal process will have to be designed in the system supporting FIDO authentication.
Banks and financial service providers have expanded their delivery scope to reach customers where they are. With online and mobile banking, customers can utilize financial services away from designated branches, leading to an increased demand for robust authentication security.
FIDO protocols address this need by providing secure authentication standards for banks and financial institutions, where users are delighted with an easy and straightforward banking experience.
Government agencies can use FIDO to provide fast and secure multi-factor or mobile-based authentication to online services. The standard supports derived personal identity verification (PIV) credentials, which allows issuance of public key infrastructure (PKI) credentials based on having PIV smart cards. It enables users to gain fast and secure access to critical information and apps.
Move beyond passwords
Implement FIDO standards to eliminate the risks associated with weak or stolen passwords. Equip your team with passwordless authentication to provide them a seamless login experience while maintaining robust security around your applications and online services.
Sagar Joshi is a content marketing specialist at G2 in India. He is a firm believer in the potential of content and its role in helping people. Topics related to security and technology pique his interest and motivates him to write about them. In his free time, you can find him reading books, learning a new language, or playing pool.
Secure your assets with MFA
Use multi-factor authentication software to enhance the security of your IT environment.