21 Apr
Elevating trust by providing proof of presence
Stephen Allen, Senior Product Manager for HID IAMS’ Authentication portfolio, looks at Fast Identity Online (FIDO), a form of cryptographic passwordless authentication.
How can we be sure that people are who they say they are? The search for a secure, scalable and convenient way to authenticate users has been a constant in the digital age. Passwords clearly don’t cut it, in spite of their ubiquity – in fact, more than 80% of data breaches involve weak or stolen passwords. Enter FIDO, a set of authentication standards based on public key cryptography that replaces passwords with fast, secure logins powered by cryptographic credentials that never leave the user’s device. FIDO, which stands for Fast Identity Online, originated with a group of leading tech companies who banded together to make authentication easier and more secure. The FIDO standards, established by the FIDO Alliance, can be built directly into almost any device – as opposed to proprietary, device-specific security.
What is FIDO?
In short, FIDO is an open standard for multifactor authentication (MFA) used to enable secure passwordless login and access granting. It leverages public key cryptography to authenticate users on websites and applications. FIDO essentially works like a lock and key. First, a user registers a device and chooses any authentication option that device provides locally (a biometric such as a fingerprint, a password, or a smart card). During this registration, a public/private key pair is created: the private key stays on the local device and is used to authenticate the device to the service, while the service keeps the public key to check that authentication. Access to the private key is protected by the local authentication chosen.
In addition, a second authentication factor can be registered (such as a FIDO token or a smart card supporting the FIDO U2F specification). When the user needs to access the service, they confirm their identity on their device with their authenticator. That information is sent to the service. Essentially, the device acts as a translator between the authenticator’s security and the service’s security. This combination of layered protocols provides extremely robust access control.
By storing the private keys on the device and not on a server, FIDO prevents the keys from being breached through a single attack on the corporate network or cloud service, unlike password manager solutions where a single security breach can expose millions of credentials. No wonder Apple, Google and Microsoft committed to expanding their support for FIDO across their devices and ecosystems in 2022, giving organisations the ability to offer an end-to-end passwordless experience. As of January 2023, Apple added the ability to use physical security keys to log in to your Apple ID account – enabling even stronger protection of Apple users’ accounts.
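As an added illustration (not code from the original article or from HID), here is a Go sketch of the lock-and-key flow just described: the authenticator keeps the private key, the website holds only the public key, and every signature is bound to the origin the browser reports, which is why a look-alike phishing site gets nothing it can reuse. The origin names bank.example and bank-login.example and the user name are constructed for this example, and the hashing is a simplified stand-in for the real WebAuthn message layout.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)
// Authenticator keeps private keys in memory, one per RP ID (web origin); none is ever exported.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }
// RelyingParty (the website) stores only public keys, one per user, and issues challenges.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey
}
func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }
func NewRelyingParty(id string) *RelyingParty { return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}} }
// signedData hashes the RP ID into the signed message, as FIDO does, so a signature for one origin never verifies at another.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	h := sha256.New()
	h.Write(rpHash[:])
	h.Write(challenge)
	return h.Sum(nil)
}
// Register creates a key pair for rp.ID and hands the RP only the public half.
func (a *Authenticator) Register(rp *RelyingParty, user string) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil { return err }
	a.keys[rp.ID] = priv
	rp.pubKeys[user] = &priv.PublicKey
	return nil
}
// Assert signs a challenge for the origin the browser reports; a look-alike phishing origin has no credential, so nothing is signed.
func (a *Authenticator) Assert(origin string, challenge []byte) ([]byte, bool) {
	priv, found := a.keys[origin]
	if !found { return nil, false }
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(origin, challenge))
	return sig, err == nil
}
// Challenge returns a fresh random challenge for one login attempt (replay protection).
func (rp *RelyingParty) Challenge() []byte { c := make([]byte, 32); rand.Read(c); return c }
// Verify checks the signature with the user's stored public key and the RP's own ID.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, signedData(rp.ID, challenge), sig)
}
func main() { // stand-alone run: a legitimate login verifies
	a, rp := NewAuthenticator(), NewRelyingParty("bank.example")
	ch := rp.Challenge(); _ = a.Register(rp, "alice"); sig, _ := a.Assert("bank.example", ch)
	println(rp.Verify("alice", ch, sig)) // true
}
```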
FIDO’s power goes beyond passwordless login
FIDO enables organisations to secure logins and digital assets via passwordless authentication – a method that’s convenient for users, cuts down on expensive reset requests and cannot be intercepted or cracked by attackers. But passwordless login is not the only use case. In the realm of consumer authentication, organisations can use FIDO to:
- Prove their customer’s identity prior to authorising a high-value transaction
- Provide additional verification when requesting a high-risk transaction
- Enable users to recover old accounts on an active device through intuitive self-managed recovery, or to get fast and secure access to their active accounts from a new device, all while keeping device enrolment and user verification costs down.
At the enterprise level, FIDO greatly reduces the risk of social engineering attacks, which are involved in up to 98% of cyber attacks and 90% of data breaches. Other use cases for workforce authentication include:
- Self-service recovery of user account credentials on enterprise applications.
- Gaining fast passwordless access to corporate resources from anywhere, at any time.
- Enhancing security on more sensitive applications by requiring users to authenticate with FIDO before unlocking access – eliminating the risk of man-in-the-middle or phishing attacks.
According to Jen Easterly, Director of the US Cybersecurity and Infrastructure Security Agency (CISA): “FIDO is the gold standard for MFA and the only widely available phishing resistant authentication.” In a FIDO-enabled world, people can forget about memorising complicated passwords and keep their data private. Organisations can reduce the financial and reputational hit of all-too-common security breaches caused by weak or exposed passwords. As cyber attacks continue to break records in terms of both volume and cost, that makes it a wise investment.