FIDO
What is FIDO?
Fast Identity Online (FIDO) is an all-encompassing term typically used to refer to the FIDO Alliance or FIDO authentication standards. The FIDO Alliance is a non-profit organization that develops and promotes authentication standards to “help reduce the world’s over-reliance on passwords.”
FIDO authenticationWhat is Authentication?Authentication is the process by which the identity of a user or system is verified. It ensures that the entity attempting to access a resource is who or… is a set of open security standards based on public key cryptography, outlining user authentication mechanisms that, if implemented, would eliminate the need for passwords. The overarching principle of FIDO authentication is to store Personally Identifiable Information (PII)What is Personally Identifiable Information (PII)?Personally Identifiable Information (PII) is data that can be used to distinguish an individual’s identity. These can include identifiers that pinpoint the person exactly, such… locally on a user’s device, thus removing the inherent risk of storing data on external servers, such as the cloud.
Types of FIDO Authentication
There are four fundamental types of FIDO authentication:
- FIDO Universal Second Factor (FIDO U2F) – An open standard, known since the release of FIDO2 as CTAP1, promoting the security and usability of multi-factor authentication and leveraging encryptionWhat is Encryption?Encryption converts readable data (plaintext) into a scrambled and unreadable format (ciphertext) using an algorithm and a key. The primary purpose of encryption is to ensure the confidentiality… and private keys against a physical device, such as USB or NFC technology, to protect and unlock supported accounts.
- Client to Authenticator Protocols (CTAP) – A specification describing how applications and operating systems communicate with authentication devices through USB, NFC, or BLE technologies. It refers to two CTAP protocol versions:
- CTAP1 is the current name for FIDO U2F.
- CTAP2 defines how FIDO2-enabled browsers, operating systems, and external authenticators communicate with one another to allow passwordless, MFAWhat is Multi-Factor Authentication?Multi-Factor Authentication (MFA) is a robust security method that enhances digital identity verification by requiring users to provide multiple authentication mechanisms before gaining access to a system,… experience.
- FIDO Universal Authentication Framework (FIDO UAF) – A standard that defines how users connect to an application or service by leveraging one or more security factors on their device (for example, a mobile phone fingerprint scanner) to use the private key to respond to the challenge issued by the FIDO UAF server.
- FIDO2 is an extension of FIDO U2F that offers expanded authentication options, including solid single-factor (passwordless), two-factor, and multi-factor authentication.
Components of FIDO authentication
There are two separate components of FIDO authentication you should be aware of:
Passkeys
Passkeys, or multi-device FIDO credentials, aim to replace the traditional password. When a user signs up for a new application or service, it provides them with a passkey stored on the user’s device. When they want to log in to the application or service, the user completes their device and primary authentication method – a fingerprint scanner, for example – to use the passkey and log into their account. Passkeys are a roaming authenticator, meaning users can leverage them across multiple devices, while the device itself is a platform authenticator.
Security keys
FIDO security keys are small devices – such as a USB or smart card – that allow for secure access to applications or websites. When a user signs up with a new application or website, they present the security key to generate a new key pair. The security key shares the public key with the application, but the private key remains hidden. When the user logs in for the first time, the application will offer a challenge that, if matched by the calculated value of their security key, allows them to log in. Security keys are a form of roaming authenticator, but the device they interact with are platform authenticators.
The future of FIDO
FIDO is the future of authentication. The persistent threat of phishingWhat is Phishing?Phishing is a type of cyberattack in which attackers send fraudulent communications, or direct people to counterfeit websites in order to trick those individuals into revealing sensitive information,… scams and usability issues inherent in traditional password practices makes FIDO authentication an attractive option for organizations looking to protect themselves from identity-based cyber-attacks. While the general consumer needs to be educated further on FIDO authentication, it’s clear that it’s already a viable replacement for the traditional password.
For more essential cybersecurity definitions, check out our other blogs below: