OnzAuth Press
The FIDO ("Fast IDentity Online") Alliance and the passwordless future
What is FIDO Alliance
In today's world, security is a top priority for individuals and businesses alike. With the increasing amount of sensitive information being shared online, it is crucial to ensure that the information remains secure. One of the most significant challenges in this regard is authentication, i.e., ensuring that the person accessing the information is who they claim to be. The FIDO Alliance was formed in 2012 to address this issue by developing open standards for strong authentication.
FIDO, which stands for Fast IDentity Online, is an industry consortium made up of over 250 member organizations from various industries, including technology, finance, healthcare, and government. The organization's mission is to reduce the world's dependence on passwords by enabling interoperability between authentication technologies, devices, and services.
A Passwordless Future
FIDO has developed two authentication standards, FIDO UAF (Universal Authentication Framework) and FIDO U2F (Universal 2nd Factor). Both aim to provide strong authentication that remains easy for end users to use.
FIDO UAF is a biometric-based authentication standard that allows users to authenticate using biometric factors such as fingerprints, iris scans, and facial recognition. This method of authentication is more secure than traditional passwords, which can be guessed, stolen, or hacked. FIDO UAF uses public-key cryptography to secure the authentication process, with the user's device generating a public-private key pair and the private key securely stored on the device. When the user wants to authenticate, the device sends a signed message to the server, which verifies the message using the user's public key.
FIDO U2F is a hardware-based authentication standard that uses a physical security key, such as a USB token, to provide strong authentication. This method of authentication is also more secure than traditional passwords, as the physical key is unique to each user and cannot be easily duplicated. FIDO U2F uses public-key cryptography to secure the authentication process, with the user inserting the physical key into their device and pressing a button on the key to authenticate.
Both FIDO UAF and FIDO U2F are interoperable, which means they can be used together or separately to provide strong authentication. This interoperability is important as it allows users to choose the authentication method that best suits their needs, whether that be biometric-based or hardware-based authentication.
FIDO-based authentication is becoming increasingly popular among consumers, who are looking for more secure and convenient authentication methods. The FIDO Alliance has made significant progress in advancing strong authentication standards, with its members now offering FIDO-based solutions across a wide range of industries.
One of the benefits of FIDO-based authentication is that it is more privacy-friendly than traditional password-based authentication. Biometric data is securely stored on the user's device and not shared with third-party services. Similarly, the physical key used in FIDO U2F does not store any biometric data and is not linked to the user's identity.
How FIDO Passwordless works
FIDO-based passwordless authentication replaces traditional passwords with a more secure and user-friendly method of authentication. Instead of relying on a memorized secret, such as a password, FIDO uses public-key cryptography to authenticate users.
The FIDO authentication process involves three key components: the user's device, the FIDO server, and the relying party (RP), which is the service that the user is attempting to access. Let's look at each of these components in more detail.
The User's Device: The user's device generates a public-private key pair that is unique to the user. The private key is securely stored on the device, while the public key is sent to the FIDO server.
The FIDO Server: The FIDO server is responsible for verifying the user's identity. It receives the user's public key from the device and stores it securely. When the user attempts to log in to a relying party, the FIDO server sends a challenge to the user's device, which the device signs using the private key and sends back to the server.
The Relying Party: The relying party is the service the user is attempting to access. When the user attempts to log in, the relying party asks the FIDO server to verify the user's identity. The FIDO server runs the challenge-response exchange described above, verifies the device's signature with the stored public key, and confirms the user's identity to the relying party.
What is YubiKey?
YubiKey is a physical authentication device developed by Yubico, a company that specializes in hardware authentication solutions. The YubiKey is a small USB device that can be plugged into a computer or mobile device and used for secure authentication.
The YubiKey supports a range of authentication protocols, including the FIDO Alliance's Universal 2nd Factor (U2F) protocol, which allows users to authenticate themselves using public-key cryptography. With the YubiKey, users can protect their accounts from phishing and other types of attacks that rely on stealing passwords or other credentials.
To use the YubiKey, users simply plug it into their computer or mobile device and tap a button on the device. The YubiKey then generates a one-time password or cryptographic signature, which is sent to the service being accessed to verify the user's identity. Because the YubiKey generates a unique code every time it is used, it provides an extra layer of security against replay attacks.
The YubiKey is a popular choice for individuals and businesses looking for a more secure way to authenticate users. It can be used with a variety of services and applications, including Google, Facebook, Dropbox, and many others. Additionally, the YubiKey is compatible with a wide range of operating systems and devices, making it a versatile authentication solution.
The FIDO passwordless authentication process is based on public-key cryptography, which is more secure than traditional password-based authentication. Public-key cryptography relies on a key pair, consisting of a public key and a private key, to authenticate users. The private key is kept secret and used to sign data, while the public key is shared with the FIDO server and used to verify the signature.
FIDO-based passwordless authentication also offers other benefits, including ease of use and privacy protection. Users no longer have to remember and manage complex passwords, making it easier for them to access services securely. Additionally, the FIDO authentication process does not require the user to share their personal information with the service they are accessing, protecting their privacy.
FIDO-based passwordless authentication is a secure and user-friendly alternative to traditional password-based authentication. By using public-key cryptography to authenticate users, FIDO offers a more secure and privacy-friendly authentication method. As more relying parties adopt FIDO-based authentication, users will benefit from a more convenient and secure authentication experience.
Discover OnzAuth's passwordless product
OnzAuth offers a frictionless passwordless solution that includes Email Magic Link and WebAuthn (FIDO-compatible) biometric authentication, which can be fully customized to your needs.
Sign up for a free account to try our platform out for yourself.