What Is FIDO (Fast Identity Online) Authentication?

FIDO Authentication is a set of security protocols designed to help online services and websites replace passwords with more secure methods. These methods include biometrics (like fingerprints or facial recognition) and physical security keys. 

Passwords are often the weakest link of a security system. According to the FIDO Alliance, passwords are the root cause of over 80% of data breaches, 90% of users have more than 90 online accounts, and 51% of passwords are reused.

FIDO Authentication is not a single product or technology; instead, it’s an open standard that any company or organization can adopt. This flexibility allows it to be used across a wide range of devices and platforms, providing a universal way to secure online identities. The FIDO Alliance, a consortium of over 250 companies, including tech giants like Google, Microsoft, and PayPal, is responsible for developing and promoting these standards.

Core Principles of FIDO Authentication 

Emphasis on User Privacy and Security

FIDO protocols are designed to ensure that a user’s private information stays private. This is achieved by not sharing your biometric data with online services or storing it on a remote server. Instead, biometric measurements are converted into cryptographic representations on the user’s device, which are then used to verify their identity.

FIDO Authentication also uses a method called ‘local authentication.’ This means the authentication process takes place directly on the device, rather than on a remote server. This approach significantly reduces the risk of remote attacks and unauthorized access to data.

Universality Across Devices and Platforms

The FIDO Alliance’s vision is to make FIDO Authentication ubiquitous, so users can enjoy the same level of security on their smartphone, laptop, or any other device they use. This universality also extends to different operating systems and browsers. This means that applications and services can support FIDO authentication regardless of the platforms used to consume them.

Reduction of Reliance on Passwords

The third core principle of FIDO Authentication is the reduction of reliance on passwords. Passwords have long been the standard method of online security, but they are also a significant weak point. They can be easily guessed, stolen, or forgotten, and managing a unique password for every online account is inconvenient for users.

FIDO Authentication aims to eliminate these issues by replacing passwords with more secure and user-friendly methods, such as biometrics and cryptographic passkeys. By doing so, it not only enhances security but also improves the authentication user experience.

How FIDO Authentication Works 

Registration Process

The first step in FIDO Authentication is the registration process. When you register for an online service that supports FIDO Authentication, you’ll be asked to provide a form of authentication, such as a fingerprint scan or a security key. This information is then converted into a cryptographic representation, which is securely stored on your device.

During registration, a public-private key pair is also created on your device. The private key is kept on your device, while the public key is sent to the online service. This key pair is unique to the specific device and the online service, so a credential registered with one service cannot be used to authenticate to, or track you across, another.

Authentication Process

When you try to log into an online service that supports FIDO, it will send a challenge to your device. Your device will then use the private key to sign the challenge and send it back. The online service can then use the public key to verify the signature and, if it matches, grant you access.

This process is secure, as the private key never leaves your device. Even if an attacker managed to intercept the communication, they wouldn’t be able to use the information to gain unauthorized access.

Public-Key Cryptography

FIDO Authentication uses public-key cryptography. In public-key cryptography, a pair of keys is used: a public key, which can be shared with anyone, and a private key, which only its owner holds. The pair can be used for encryption (anyone can encrypt with the public key, and only the private key can decrypt) or, as in FIDO, for digital signatures (the private key signs a challenge, and anyone holding the public key can verify that signature).

This means that even if someone intercepts the exchange, they cannot produce a valid signature without the private key. FIDO authentication relies on cryptographic services provided by the local device’s operating system.

FIDO Authentication Standards 

FIDO Universal Second Factor (U2F)

The FIDO U2F protocol enhances traditional password protection, without fully replacing it. It requires two pieces of evidence of a user’s identity:

  • Knowledge-based verification: This can be in the form of commonly-used credentials, such as a username and password.
  • Possession-based verification: This involves using registered hardware devices like fobs or USB devices. These devices communicate via USB, NFC (near-field communication), or Bluetooth. When the user activates the security device (for example, by touching it), the computer’s browser communicates directly with it, and the digital service grants access once the device’s response is verified.

FIDO Universal Authentication Framework (UAF)

The FIDO UAF protocol allows online service providers to offer passwordless login options. If more secure verification is warranted, multi-factor login can be implemented.

To take advantage of UAF, users need to register a personal device like a computer or smartphone with an online service. During registration, users are prompted to select their preferred authentication method for future interaction with the service.

Providers can offer a range of authentication options including facial or voice recognition, fingerprint scanning, or PIN entry. Should multi-factor login be necessary, users can verify their identity using a combination of these methods. Upon successful registration, users don’t need to input passwords to log in; they authenticate using their originally selected methods.

FIDO2

FIDO2, the latest specifications from the FIDO Alliance, was developed in collaboration with the World Wide Web Consortium (W3C). 

FIDO2 includes two open standards: the FIDO Client To Authenticator protocol (CTAP) and the W3C standard WebAuthn. These work together to provide passwordless login options, or two-factor and multi-factor login for enhanced security. Authentication processes may incorporate built-in authenticators such as biometrics or PINs, or roaming authenticators like fobs or USB devices.

The FIDO2 specifications include:

  • WebAuthn: Defines a standard web API integrated into platforms and browsers to facilitate FIDO authentication. It manages the creation and control of public key credentials and communicates with both CTAP1 and CTAP2 authenticators.
  • CTAP1: Enables users to have a second-factor login experience, by plugging security devices into their computers or placing their devices in proximity to an NFC reader to access an online service.
  • CTAP2: Allows the authenticator to function as both the primary and secondary factor in authentication, enabling passwordless login or 2FA and MFA where more protection is demanded.

Best Practices for FIDO Implementation 

Offer Multiple Authentication Methods

The FIDO standards support a wide range of authentication mechanisms, including biometrics, PINs, and security keys. By offering multiple options, you can cater to diverse user preferences, enhancing their experience and increasing adoption of the authentication system.

For instance, while some users might prefer biometric authentication due to its convenience, others might be more comfortable with security keys or PINs.

Maintain a Backup Authentication Mechanism

While FIDO authentication offers robust security, it is not foolproof. Users might lose their security keys, forget their PINs, or encounter issues with their biometric devices. In such cases, having a backup authentication mechanism is essential. This not only ensures uninterrupted access to services for your users but also maintains the security of your systems.

The backup mechanism could be another FIDO-compliant method or a non-FIDO method, depending on your resources and requirements. However, it is vital to ensure that the backup method is secure and convenient for your users, and that users know when and how to switch over to the backup method.

Test Across Different Platforms and Devices

FIDO authentication is designed to work across various platforms and devices seamlessly. However, it is still important to test your FIDO implementation across them. This ensures that your users can smoothly use the authentication system, regardless of their device or platform.

Consider testing on a variety of operating systems, browsers, and devices, including both mobile and desktop platforms. Pay close attention to the user experience on each platform and device, and make necessary adjustments to ensure a positive experience.

Implement Rate Limiting

Rate limiting is a security measure that limits the number of authentication attempts a user can make within a given time frame. This helps prevent brute force attacks, where attackers try to gain access by making numerous authentication attempts in quick succession.

Implementing rate limiting in your FIDO authentication system is a best practice that can enhance its security. However, it’s important to strike a balance – the limit should be stringent enough to deter attacks, but not so restrictive that it hampers the user experience. Consider implementing a progressive rate limiting system, in which each failed attempt reduces the allowed rate, for example by lengthening the delay before the next attempt is accepted.
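One way to implement the progressive scheme just described, as an added example that is not code from the article or from Frontegg. The class name, parameters and defaults are assumptions; the limiter is keyed per account so that one user’s failures do not throttle another.

```javascript
// Added example (not code from the article or from Frontegg): a per-account
// progressive limiter for authentication attempts. Parameter names are assumptions.
class ProgressiveLimiter {
  constructor({ freeAttempts = 3, baseDelayMs = 1000, maxDelayMs = 15 * 60 * 1000 } = {}) {
    this.freeAttempts = freeAttempts;   // failures tolerated before any delay applies
    this.baseDelayMs = baseDelayMs;     // delay after the first failure past that threshold
    this.maxDelayMs = maxDelayMs;       // cap, so a legitimate user is never locked out for good
    this.state = new Map();             // account -> { failures, nextAllowedAt }
  }
  // Milliseconds the caller must wait before an attempt for this account may be processed (0 = now).
  retryAfter(account, now = Date.now()) {
    const s = this.state.get(account);
    return s && now < s.nextAllowedAt ? s.nextAllowedAt - now : 0;
  }
  // Record a failed attempt; each failure past the free ones doubles the wait, up to the cap.
  recordFailure(account, now = Date.now()) {
    const s = this.state.get(account) || { failures: 0, nextAllowedAt: 0 };
    s.failures += 1;
    const excess = s.failures - this.freeAttempts;
    const delay = excess <= 0 ? 0 : Math.min(this.maxDelayMs, this.baseDelayMs * 2 ** (excess - 1));
    s.nextAllowedAt = now + delay;
    this.state.set(account, s);
    return delay;
  }
  // A successful login clears the account's failure history.
  recordSuccess(account) { this.state.delete(account); }
}
```

Call retryAfter before processing an assertion and reject (with the wait time) when it is non-zero; call recordFailure or recordSuccess after verification so the schedule reflects only genuine outcomes.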

Stay Updated with FIDO Alliance Recommendations

The FIDO Alliance is a consortium of leading tech companies that developed the FIDO standards. They continually update these standards based on the latest research and developments in the field of cybersecurity. Therefore, staying updated with their recommendations is crucial for maintaining the effectiveness of your FIDO Authentication.

Regularly visit the FIDO Alliance website, subscribe to their newsletters, and participate in their events and forums. This will not only keep you updated with their latest recommendations but also provide opportunities to learn from and network with other professionals in the field. 

Authentication and Authorization with Frontegg

Frontegg is a self-served and multi-tenant user management platform for SaaS businesses that are looking to cover both authorization and authentication bases with one centralized solution without worrying about in-house coding and other maintenance requirements. Just manage your roles and permissions, create strong flows based on your use cases, and customize your Login Box, all via one centralized dashboard. It’s really that easy.