The FIDO (Fast Identity Online) standard strengthens the security of online authentication systems for mobile devices and web applications. Their aim is to replace the use of passwords with more secure, encryption-protected biometric authentication mechanisms.
The FIDO Alliance was born is 2012 by the hands of some of the world’s leading technology companies such as Lenovo, PayPal, Infineon, among others and its now backed up by corporate giants like Apple, Intel, Amazon, Visa, Microsoft, Google, etc. FIDO aims to change the way of ‘online’ authentication to make it more secure and convenient.
The fight against weak security
Currently, the most common method of ‘online’ authentication is the use of passwords, a system that can generate problems since, to be secure, passwords must be complex, and if they are complex, they are difficult to remember. Even more so when you take into account that users have an average of around 90 ‘online’ accounts, according to the FIDO Alliance.
To improve this situation and make the authentication of ‘online’ identity more secure, the FIDO Alliance has created a series of technical standards that enable the creation of secure and fast login experiences on websites and applications. This facilitates the identification of users through biometric systems such as fingerprint or facial recognition; as well as employing the authentication of double factor or multiple factors, which consists of checking several times through different mechanisms that the person is who they say they are.
The use of FIDO standards promotes the secure integration of these authentication alternatives in mobile devices and web browsers and is based on the use of public-key cryptographic techniques, which offers a more robust and comfortable identification method, compared to the use of passwords as the main protection system.
How it works?
The system produces a pair of encrypted keys when a user registers on an “online” service that uses the FIDO standard, so that the private key is kept in a device’s hardware and the public keys are saved online. In order to carry out authentication, the client device must show that it has a private key through a mathematical verification to the “online” service. In addition, the private key of the client can be used only once the user has unlocked it locally on the device. This unlock can be done by means of a safe and easy action such as fingerprint entry, voice prompt or PIN entry.
The privacy and access credentials of the user are therefore protected so that the user does not have to choose between better security or better user experience, as they can have both.
FIDO2: the new security standard for login
FIDO2 is the third and latest specification from the FIDO Alliance. The structure of FIDO2 is made up of two major elements, client-side and server-side. Together they enable authentication when users identify with some sort of cryptographic (such as biometric or PIN) or external authenticators (such as FIDO keys, handheld devices or mobile terminals) at a trusted remote access point (also known as a server) which usually belongs to a website or a web application.
The main objective of the FIDO Alliance is the progressive elimination of passwords from the web, which has advanced the development of FIDO2. To do this, the secure communication path between the client (browser) and the matching web services is first configured so that it is permanently available for subsequent logins. To this end, the FIDO2 keys, which provide the basic encryption of the login procedure, are generated and verified.
It works like this:
- The user logs on to an online service and generates a new key pair of keys, which includes a private key and the public key FIDO2;
- The private key is saved and known only by the customer; the public key is stored in the key web service database;
- Consecutive authentications are only possible if a private key is provided, that the user must always unlock. Amid the options the user can enter a PIN, tap a button, perform a voice command or insert a two-factor hardware individually (FIDO2 token). Some OS, including Windows 10 and Android, can now also be used as tokens for security.
Advantages of FIDO2 over password authentication
At this point, you already understand why two-factor authentication or password-less login procedures, such as FIDO2, are the future. Compared to traditional key logging, they have far fewer vulnerable areas for cybercriminals. Passwords can be found with the right tools, while attackers would need the hardware security token to gain unauthorized access to a FIDO2-protected user account. Added to this is that a FIDO2 token can be used for different web services instead of having to create and remember several different passwords.
Advantages of FIDO2 authentication:
Why do you need security specifications like FIDO2?
FIDO2 allows us to end the well-known vulnerability of the user login through username and password, as well as simple two-factor authentications (email, mobile applications, SMS) because they prevent cybercriminals from taking over the account with attack patterns typical like the man-in-the-middle or phishing.
Even if the login data is compromised, the FIDO2 login only succeeds with the corresponding hardware token or private key, which is also bound to dedicated hardware.
