This article details what FIDO is, the objectives of the FIDO Alliance, how the technology works, and the two protocols involved: UAF and U2F.
What is FIDO?
Essentially, FIDO is device authentication that does not require a password.
It is estimated that the average user has more than 90 online accounts, so it should not be a surprise that passwords are the cause of 80% of worldwide data breaches, especially when we consider that approximately 50% of these passwords will be reused across a variety of websites.
When a password needs to be reset there is a maintenance overhead, estimated at approximately $70 each time a password reset is required. Traditional passwords are also an issue for online retailers, and it is believed that a third of eCommerce purchases are abandoned because users cannot remember their passwords.
Luckily, there is an alternative to the traditional password, and that is FIDO Authentication. This secure alternative replaces password login with simple, fast, robust authentication across both websites and applications. FIDO Authentication is based on free and open standards developed by the FIDO Alliance. The technology’s protocols utilise standard public key cryptography to provide strong and reliable authentication.
FIDO takes many different forms, from biometrics that identify the individual, such as voice and facial recognition, to second-factor authentication devices. A central feature of FIDO is the use of a personal device such as a smartphone or token that holds cryptographic keys to enable secure access to FIDO-enabled services, such as Google, Facebook and PayPal.
The technology provides greater mobile device security and is supported natively by platforms and browsers alike, including Windows 10, Android, Google Chrome, Safari and Firefox.
What is the FIDO Alliance?
The FIDO Alliance is a non-profit organisation which aims to reduce the overall number of passwords used around the globe by developing secure, open authentication standards that are user-friendly and can be easily deployed and managed by service providers.
The organisation was founded by PayPal, Lenovo, Nok Nok Labs, Infineon and Agnitio, who began joint research into the development of password-less authentication; it was officially launched in February 2013.
Despite PKI and strong authentication solutions having existed for years, the user experience has been seen as a negative and was responsible for blocking widespread adoption. There was also resistance from online service providers who wanted to avoid the costs and complexity of developing and implementing their own solutions.
A large proportion of FIDO vendors provide the building blocks of authentication systems but leave it up to organisations to build and implement a solution on top of their SDKs. In the case of large enterprises, this can be a lengthy process that takes years, which in turn leads to what is known within the industry as ‘FIDO Zombies’: organisations that purchase and plan to use a FIDO product but never actually deploy it.
These barriers are a cause for concern for the FIDO Alliance, which is currently working to address them by:
- Developing technical specifications that help to define an open interoperable set of mechanisms that are scalable and reduce the reliance on passwords for user authentication.
- Operating industry certification programmes that help to ensure the global adoption of the FIDO specifications.
- Producing and submitting technical specification(s) to recognised organisations for formal global standardisation.
How Does FIDO Work?
FIDO is a technology that is based on public key cryptography, in which there is a key pair: a public key and a private key. When a user is registering with an online service, the user’s client device creates a new pair of keys. The private key is then stored and the public one is registered with the online service.
In order to authenticate, the client device is required to prove possession of the private key to the service. These private keys must be unlocked locally on the device by the user before they can be used. The keys can be unlocked using biometrics, by entering a PIN or by inserting a second-factor device – it is essential that the unlocking action is both user-friendly and secure.
In addition to this, privacy of the user is a key concern and if biometric information is used, it must never leave the user’s device. It is strictly forbidden to use this information to track users across other services.
UAF & U2F
The technology supports two different sets of protocols. In December 2014 the v1.0 specifications of both the password-less protocol (FIDO Universal Authentication Framework, FIDO UAF) and the second-factor protocol (FIDO Universal Second Factor, FIDO U2F) were completed and released.
Universal Authentication Framework (UAF) has been designed to be a simple yet secure method of authentication.
When registering with an online service, and again at each login, the user’s device has to prove its possession of the private key by signing a challenge, after the user has unlocked the key locally by a method such as entering a PIN or providing a fingerprint.
The second protocol, Universal Second Factor (U2F), has been designed to be a reliable replacement for simple password-only authentication. It requires a strong second factor of authentication, such as a USB token or a Near Field Communication (NFC) tap.
When logging in, the user is required to insert and touch their personal U2F device. On first use with a service, the FIDO-enabled device creates a new key pair, and the public key is shared with the online service and associated with the user’s account. On each subsequent login the service authenticates the user by requesting that the registered device signs a challenge with the private key.
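The registration and challenge-response login described in "How Does FIDO Work?" and again for U2F above, as an added example that is not code from the article or from the FIDO Alliance specifications: a Go model of the user's device and the online service using ECDSA P-256. The names Authenticator, RelyingParty, Register, Challenge, Sign and Verify are illustrative, and the local user-verification step (PIN, fingerprint, touch) is assumed rather than modelled.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator stands in for the user's device; its private key never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty stands in for the online service: it stores public keys only.
type RelyingParty struct{ users map[string]*ecdsa.PublicKey }

func NewRelyingParty() *RelyingParty { return &RelyingParty{users: map[string]*ecdsa.PublicKey{}} }

// Register: the device creates a fresh key pair; the service keeps only the public half.
func Register(a *Authenticator, rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.priv = priv
	rp.users[user] = &priv.PublicKey
	return nil
}

// Challenge: 32 fresh random bytes per login, so a captured signature cannot be replayed.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	rand.Read(c) // crypto/rand.Read never returns an error (Go 1.24+)
	return c
}

// Sign: prove possession of the private key. The local unlock (PIN, fingerprint) is assumed, not modelled.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Verify: accept only a valid signature over exactly this challenge under the user's enrolled key.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.users[user]
	if !ok {
		return false
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}
```

Because the service holds only public keys, a breach of its credential store yields nothing a thief can log in with, and a signature captured in transit fails against the next login's fresh challenge.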