Have you heard of the FIDO Alliance? No, the goal is to replace the password to authenticate to any device or application. This article will discuss what id FIDO is, what is public-key encryption, how FIDO works, is secure, and the benefits of using it. This is the closest I have seen the major vendors embrace a secure way to remove the password from authentication.
The FIDO Alliance is a non-profit organization founded in 2012 that promotes the use of strong authentication methods to protect internet users. The alliance was formed by companies such as Google, Microsoft, and PayPal to provide an open standard for the authentication of devices and systems using public-key cryptography.
FIDO is an acronym for Fast IDentity Online. FIDO devices are a type of authentication token that provides a secure way to log in to websites, apps, and networks.
What is Public Key Cryptography?
Public key cryptography is a method of encrypting messages so that only the intended recipient can read them. It is also known as asymmetric cryptography because it uses two keys- a public key and a private key.
The public key is used to encrypt the message, and the private key is used to decrypt it. The public and private keys are mathematically linked so that if one changes, the other automatically changes too. This means that anyone can send an encrypted message to someone else without first exchanging any information about their private key.
Public key cryptography has been around since 1976 when Ron Rivest, Adi Shamir, and Leonard Adleman invented it while working at MIT’s Laboratory for Computer Science.
How does FIDO Authentication Work?
FIDO Authentication is a passwordless authentication technology that is designed to make the internet safer. It works by allowing users to log in to websites and services in a cryptographic signature scheme, the customer provides their private keys. The client should never allow users to access them unless they unlock them locally on the device. Getting into a mobile phone in the local environment is easy and secure – it can be done by finger swipe, PIN entry, voice commands, facial recognition, or inserting a 2nd-factor device.
There are two use cases for logging into a system whether it is a web app, a local app, or a mobile app which is a registration and authentication use case.
In the registration use case, the first step is for the user much choose an available FIDO authenticator (most vendors who support this protocol have one such as Google, Microsoft, etc). User unlocks his or her device using one or many methods which could include facial recognition fingerprint, pin, or other methods. The idea here is the user’s keys never leave the device so it is harder to break. The user’s device creates a public/private key pair unique for the local device, the service, and the user’s account. The public key is sent to the service and associated with the user’s account. The private key never leaves the user’s local device.
In the login authentication use case, the service being used challenges the user to log in with a previously registered device that matches the account information created in the registration process. The user unlocks the FIDO authenticator using the same process as the registration process. The device looks up the user’s account identifier and signs the service’s challenge. The user’s device sends the signed challenge which is verified and logs in to the user.
How secure is FIDO Authentication?
FIDO Authentication is a password-less authentication system that can be implemented with hardware and software components. It is a more secure way of identifying oneself because it requires the user to use a PIN, their fingerprint, eye, or other biometric data in order to log in. The FIDO protocol allows for different methods so long the data stays local on the device being used.
It has been proven that FIDO Authentication is more secure than traditional pass words because it uses two different factors for authentication – something you know and something you are.
FIDO authentication is more secure because all the data involved with authentication stays on the local device and is not transmitted. Now, of course, it is not 100% secure if someone is able to break into the local device and log in impersonating someone else but it a log more secure and resilient from attacks.
Benefits of Using FIDO Authentication
FIDO authentication is a very secure way of authenticating users as it is not vulnerable to phishing or malware attacks. It also doesn’t rely on any server or third-party service to verify the identity of the user. which makes it convenient for users to authenticate themselves. A FIDO authenticator is a piece of software that can be used to securely perform the FIDO authentication process.\
Who is using the FIDO Authentication standard?
Apple, Google, Microsoft, and more than 100 other companies are members of the FIDO Alliance. This group works together to develop a new standard for authentication that will replace passwords, with a more secure and convenient solution.
The FIDO Alliance is an organization that was established in July 2012 by major companies such as PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio The goal of the alliance is to create standards for strong authentication that can be used by any device or application. The alliance aims to replace the password with a more secure and convenient solution.
The FIDO Alliance has its work cut out for it but its vision is strong and has the support of the major players. Replacing the password is going to be a tough sell but the standard is simple enough that it might take over how you log into your devices and applications. Is it 100% safe? No, of course not. But at least you are not passing passwords between clients and servers. All the data stays on the local device. The method is using standard public-key encryption. The next few years is going to be exciting times to watch this new authentication take hold in the industry.
I am DrM, founder of http://techninjamasters.com. I have been working, learning, teaching, coaching, consulting, writing in technology for over 40 years.