If you'd like to dive deeper into the world of FIDO, we recommend reading our FIDO 201 article, our in-depth guide to FIDO Protocols, and our Evaluation of SCA Methods for PSD2.
FIDO is an acronym for “Fast Identity Online.” The FIDO Alliance is a non-profit group that was founded in 2012 with the goal of eliminating passwords from the internet through the use of cryptographic protocols. More than 200 companies internationally comprise its membership, including some of the largest companies and governments in the world, and have voted within the FIDO Alliance to standardize these cryptographic protocols.
FIDO protocols incorporate many security improvements, including:
These protocols deliver the following benefits:
For a more detailed breakdown of FIDO protocols, read our In-depth guide to FIDO protocols: U2F, UAF, and WebAuthn (FIDO2)
There are many multi-factor authentication (MFA) technologies on the market (depending on your definition of “multi-factor”). So, why FIDO?
FIDO is the first “strong authentication”³ technology that was designed to address many problems: security, affordability, ease of use, and ubiquity. It takes into account many practices accepted as being in common use: the ubiquity of web applications; support for JavaScript in browsers; USB ports on every desktop and most laptops; the availability of Bluetooth Low Energy (BLE) and the Near Field Communications (NFC) on most mobile devices; compact—but strong—cryptographic keys using standard algorithms (Elliptic Curve Digital Signature Algorithm, or ECDSA); and, most importantly, a general acceptance that passwords and other shared secret authentication schemes are simply not secure enough for modern web applications.
FIDO technology gives companies deploying websites/applications (known as Relying Parties or “RP” in FIDO terminology) the advantage that they neither have to acquire authenticators for their user community, nor force users to acquire them. Although these authenticators are extremely affordable, it is anticipated that most people will end up using their smartphones as their primary FIDO authenticators4, thanks to the prevalence of advanced encryption-capable smartphones.
FIDO is not a mutually exclusive authentication technology. It can coexist with all other authentication technologies during the transition period as long as the web application is programmed to route the user through the appropriate authentication flow. Users can choose to buy an authenticator from one of dozens of manufacturers and register a key with their account at any time to increase the security associated with access to their account.
Platform manufacturers (such as the creators of operating systems like Microsoft Windows or Google Android, as well as the creators of browsers like Mozilla Firefox, Google Chrome, and Microsoft Edge) have publicly committed to the support of FIDO. Third-party vendors have also enabled support for FIDO protocols on the Apple platform.
These benefits and features give FIDO protocols overwhelming odds of changing authentication as we know it today.
There are two primary processes in FIDO. The first, Registration, is a one-time event, per site, where a user with a specific authenticator registers a new key with a specific website. The second, Authentication, is performed each time the user authenticates to access the site.
Registration, very simply, involves the following steps:
Once registered, Authentication with the FIDO key involves the following steps:
FIDO consists of three protocols for strong authentication to web applications: Universal 2nd Factor (U2F), Universal Authentication Framework (UAF), and WebAuthn or FIDO2.
Clearly, short of avoiding web applications and sites that do not use FIDO-based strong authentication, end users can do little until these RPs implement FIDO and support it on their customer-facing registration and login pages. Fortunately, some of the most well-known websites in the world have already incorporated support for FIDO protocols, and risk-averse end users have choices to protect themselves:
Visiting the FIDO Alliance's webpage for FIDO-Certified Products allows you find all certified products from around the world for each of the protocols. Unfortunately, there isn't a web page that identifies all the RPs who have implemented FIDO, which protocols they support, and how to detect that they are using FIDO. Hopefully, this gap will be addressed in a future FIDO protocol revision.
What should RPs do given the current state of FIDO protocols?
The answer is reasonably simple. As long as web applications and sites continue to use “shared secret” authentication schemes, attackers have the potential, tools, and motivation to launch scalable attacks on such sites. While RPs may have other mitigating factors to protect themselves, to the extent these factors are based on secrets—such as one-time PINs, knowledge-based authentication, etc.—they share similar weaknesses as passwords and can be compromised without the user's and (more often than not) the RP’s knowledge.
The U2F and UAF FIDO protocols have been standardized with many dozens of commercial implementations from manufacturers, including some enterprise-scale open-source projects. These protocols and implementations will not disappear overnight even if FIDO2/WebAuthn is finalized and implemented this year.
An RP does not have to wait for the perfect solution, nor make an either-or decision. Web applications can support multiple authentication schemes simultaneously. RPs can continue to maintain existing authentication schemes in their web applications along with FIDO support; this allows users to choose the degree of strength of the authentication scheme when registering and authenticating to their sites. If an RP's user chooses to authenticate via U2F or UAF, the user has mitigated the risk for both his/herself and the RP.
The effort it takes to implement U2F, the simpler of the two standardized protocols, is minimal. Assuming the web application works with Mozilla Firefox, Google Chrome, or Opera, it can take less than a week to integrate U2F into the web application. Microsoft has chosen to support only WebAuthn, and only on its Edge browser on Windows 10.
With a few dozen Authenticators that can be procured from your preferred e-commerce site, a proof-of-concept can be deployed and tested for usability in less than a month. Even on a limited scale, this experience will provide many valuable lessons to software architects, programmers, system administrators, security officers, and support staff—not to mention the feedback from end users who are invited to test this capability. The experience enables RPs to refine their FIDO implementation strategy before the FIDO “network effect” kicks in. When it does, there will be a scramble to get web applications and sites FIDO-enabled as quickly as possible, since anyone not using FIDO at that time becomes the “easy mark” to attackers. Attempting to solve some of these challenges under pressure may force RPs to make implementation mistakes that, at a minimum, create stress or, at worst, leave them vulnerable even though they are using FIDO.
The good news is that the technology industry is rallying around a single strong authentication flag that aims to solve the problem of shared secret authentication once and for all. It is this author's opinion that all three protocols will serve an RP’s needs—there doesn't need to be a single winner. Just as there are different levels of risks, different classes of devices, and different use cases for how people and businesses use technology, there will be a business case for more than one FIDO protocol. The sooner RPs start learning about these protocols, the sooner they avail themselves of the opportunity to protect themselves, their company, and their company's customers.