FIDO, or Fast IDentity Online, is a set of open standard authentication protocols created to strengthen and simplify online authentication by reducing the reliance on passwords. These protocols use public key cryptography: a key pair is generated for each online service, the private key never leaves the user's device, and the service stores only the public key, which it uses to verify signatures over the challenges it issues. This gives users a unified way to log into online services securely from an assortment of devices such as mobile phones, laptops, and tablets.
The FIDO Alliance is the association overseeing these authentication standards and serves to educate through certification programs, memberships, and member-driven working groups. Founded in July 2012 by PayPal, Lenovo, Nok Nok Labs and others, and publicly launched in 2013, the alliance has since added names such as Google, Yubico, Apple, and NXP, and continues to evolve, with its core component, WebAuthn, named an official W3C web standard and supported by the major browsers and smartphone platforms.
There are currently three sets of specifications for simple and strong user authentication. The first generation of FIDO consisted of U2F and UAF; these have since evolved into FIDO2.
FIDO U2F (Universal 2nd Factor) is a universal authentication standard that adds a second layer of security to traditional password-based online accounts. Think of this as adding something you have (a physical security key) to something you know (a password). After the password is accepted, the service sends a random challenge to the browser, which passes it, together with the site's identity (the application ID), to a security key plugged into a USB port (or connected over NFC or Bluetooth) and prompts the user to tap. The user taps the key, which signs the challenge and the application ID with the private key it registered for that site, and the service verifies the signature with the stored public key. Because the site identity is part of what is signed, a signature obtained by a phishing site at a different origin will not verify at the real site. With the emergence of FIDO2, the U2F protocol was renamed CTAP1.
FIDO UAF (Universal Authentication Framework) offers users a passwordless experience. With UAF, the user registers a UAF-enabled device (e.g. a smartphone) with an online service and chooses a local authentication method such as fingerprint, facial recognition, or voice recognition. The biometric check happens on the device, where it unlocks the private key; the biometric data itself is never sent to the service. After registration, the user simply repeats that local action to authenticate without having to enter a password.
FIDO2 is the second, and latest, generation of FIDO, combining the features of U2F and UAF into a more modern, global standardization. There are two main parts to FIDO2: WebAuthn, the W3C web API through which a website (the relying party) asks the browser to register or authenticate a credential, and CTAP (Client to Authenticator Protocol), which defines how the browser or platform talks to an external authenticator such as a security key over USB, NFC or Bluetooth. The original U2F protocol lives on within CTAP as CTAP1, and CTAP2 adds the passwordless and multi-factor capabilities.
With these FIDO open standard authentication protocols, we can eliminate the need for complex passwords and the bad practices associated with them. Instead, users can access their online accounts with biometrics such as fingerprints or facial recognition, or with security keys that plug into a USB port or connect wirelessly.
As the threat of data breaches grows, FIDO-compliant protocols, already adopted by major technology companies, will increasingly prove to be the way forward in protecting the sensitive information of online users.