FIDO (Fast IDentity Online) authentication is an authentication standard that uses public key cryptography to create a login experience that’s more secure, phishing-resistant and convenient than passwords.
In the past, many online services relied solely on passwords for authentication. However, passwords have some inherent weaknesses: they are often weak or guessable, which exposes them to attacks like phishing and dictionary attacks.
To address these problems, a group of tech companies created the FIDO Alliance in 2012. Over the years, the Alliance has developed and evolved a set of passwordless authentication protocols that aim to make traditional authentication methods obsolete.
Instead of passwords, FIDO authentication relies on passkeys, which are cryptographic credentials securely stored on a user's device. These passkeys provide a seamless way to authenticate users on websites and services.
On passkey-enabled websites, users don't need to manually "enter" anything to sign in. Instead, they can simply present a biometric (like a fingerprint or face recognition) or use a hardware key to log in with their passkey. Behind the scenes, a rigorous cryptographic exchange takes place to verify the user's identity, but the user doesn't need to worry about the technical nitty-gritty.
This approach offers several advantages over passwords. Since passkeys are stored on the user's device, and not on a web server, they are less susceptible to data breaches. Additionally, passkeys are interoperable, which means that a single passkey can be used across all of the user's devices.
For example, a user can use the same passkey to authenticate on a website from their phone, laptop or tablet.
FIDO vs FIDO2 protocol
FIDO (Fast IDentity Online) is an overarching term that includes many protocol specifications, including FIDO 1.0, FIDO2, FIDO UAF and FIDO U2F. To understand the difference between FIDO and FIDO2, it’s important to grasp the evolution of FIDO authentication.
The original FIDO protocol, aka FIDO 1.0, was the first iteration of the FIDO authentication standard. Released in 2014, it focused on replacing traditional passwords with biometrics and hardware tokens. It featured both FIDO UAF (Universal Authentication Framework) and FIDO U2F (Universal Second Factor).
The FIDO UAF specifications aimed to revolutionize the way organizations, service providers and governments managed authentication. However, they lacked standardization, making it difficult to apply them across web applications, browsers and servers.
In 2016, the World Wide Web Consortium (W3C) and the FIDO Alliance started collaborating to standardize FIDO authentication. This led to the launch of FIDO2 in 2018, which offered a more comprehensive and standardized approach to passwordless authentication. Many popular browsers, including Firefox and Chrome, implemented the standard, which helped to drive its adoption.
FIDO2 has two main components: WebAuthn and CTAP (Client to Authenticator Protocol). Collectively, WebAuthn and CTAP deliver a cryptographically secure, convenient and interoperable login experience.
In short, the main differences between FIDO 1.0 and FIDO2 are standardization, scope, interoperability and adoption. FIDO2 is a more comprehensive and standardized protocol that is supported by all leading browsers and operating systems, including Android, iOS, macOS and Windows.
How does FIDO authentication work?
FIDO authentication typically involves two stages: user registration and authentication. Let’s break down the steps involved in both stages:
Registration
- The user visits a passkey-enabled website and selects “passkey authentication”.
- The website prompts the user to provide a biometric (facial or fingerprint scan) or insert a physical security key to create the passkey.
- The operating system on the user’s device creates a pair of public and private keys. The private key is stored as a passkey on the user’s device.
- The public key is sent to the server.
Authentication
- The user visits a website and selects “passkey authentication”.
- The website asks the user to select the device which contains the relevant passkey.
- Once the user chooses the passkey, they are prompted to either perform a fingerprint/facial scan or enter a security key, depending on what they chose during registration.
- The website verifies the passkey using the public key generated during registration.
- The user is granted access to the website.
Is FIDO authentication the same as MFA and Passwordless auth?
No, FIDO authentication is not the same as multi-factor authentication (MFA) or passwordless authentication, but it does encompass aspects of both technologies. Let's explore how.
FIDO authentication vs MFA
MFA (multi-factor authentication) is an authentication scheme that requires more than one factor to validate a user. For example, a password and a retina scan, or a password and a code from an authenticator application.
FIDO authentication implements MFA in a single, user-friendly step. As far as the user is concerned, they only have to scan their fingerprint or insert a hardware key to log in. However, the actual authentication workflow involves two factors: the passkey signature validation and the biometric verification.
FIDO authentication vs passwordless
Passwordless authentication is an authentication paradigm that does not require users to enter a password during login. Instead, users authenticate using a more secure and convenient alternative, such as a security key, a biometric or a token.
FIDO authentication is a type of passwordless authentication because it completely eradicates the need to use passwords for verification.
What is a FIDO security key?
A FIDO security key is a small, physical device used during FIDO authentication. FIDO security keys use public key cryptography to authenticate users.
When a user wants to log in to a website, they insert the security key into their computer. The security key then generates a random number and signs it with the user’s private key. The website verifies the signature using the user’s registered public key.
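As an added illustration of the registration and authentication steps listed above and of the signature exchange just described, the following Go program models both sides: a device that keeps the private key and a website that keeps only the public key. It is not code from the FIDO Alliance or from any WebAuthn library; the site identifier "login.example", the hashing of the site ID together with the challenge, and the function names are simplifications chosen for this example, and in this model the website, not the security key, generates the random challenge.

```go
package main
import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device; the private key (the passkey) never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty models the website; after registration it holds only the public key.
type RelyingParty struct {
	ID  string // site identifier such as "login.example" (constructed value)
	pub *ecdsa.PublicKey
}

// Register: the device creates a P-256 key pair and the website stores only the public half.
func Register(rpID string) (*Authenticator, *RelyingParty, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	return &Authenticator{priv: priv}, &RelyingParty{ID: rpID, pub: &priv.PublicKey}, nil
}

// signedData binds a signature to the one-time challenge and to the site identity the browser reports.
func signedData(rpID string, challenge []byte) []byte {
	h := sha256.New()
	h.Write([]byte(rpID))
	h.Write(challenge)
	return h.Sum(nil)
}

// NewChallenge is the website's first authentication step: a fresh random nonce.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Sign runs after the user touches the key or passes the biometric; originRPID comes from the browser.
func (a *Authenticator) Sign(originRPID string, challenge []byte) ([]byte, error) {
	return ecdsa.SignASN1(rand.Reader, a.priv, signedData(originRPID, challenge))
}

// Verify checks the signature over the site's own ID and the challenge it issued.
func (rp *RelyingParty) Verify(challenge, sig []byte) bool {
	return ecdsa.VerifyASN1(rp.pub, signedData(rp.ID, challenge), sig)
}
```

Because the site identity is part of what is signed, a signature produced for a look-alike site does not verify at the real one, and because each challenge is fresh, a captured signature cannot be replayed.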
Security keys keep the user's sensitive credentials (passkey) safely locked away on the physical device. This means that even if a website's server is compromised, the user's passkey remains safe.
FIDO security keys also improve the overall user experience. Users don’t have to remember a list of lengthy and complex passwords. They simply have to insert the security key to log in to all their favorite applications.
FIDO U2F security key
A FIDO U2F security key is a physical device that is used as a second factor for user authentication. U2F security keys are based on the original FIDO U2F specifications, which focused on adding a secure secondary factor to password/PIN-based authentication.
U2F security keys are different from the modern FIDO security keys that we discussed in the last section. To understand their differences, it’s important to compare U2F and FIDO2.
U2F vs. FIDO2
FIDO2 (also referred to as FIDO) is an advanced version of U2F that focuses on providing a robust, passwordless login experience. Both U2F and FIDO2 offer the same level of cryptographic security. However, FIDO2 introduces WebAuthn and CTAP, two protocols that enable cross-device and cross-platform passwordless authentication.
The main distinction between FIDO2 and U2F keys lies in their original purposes. U2F was initially designed as a secondary factor for password-based logins, while FIDO2 was created to support (single and multi-factor) passwordless authentication.
Conclusion
FIDO authentication is a promising standard that offers several advantages over traditional passwords, including being more secure, phishing-resistant and convenient. It is supported by all popular browsers and operating systems, and an increasing number of web services have started to implement it. As FIDO authentication continues to evolve and gain traction, it is likely to become the new standard for online authentication.