How the FIDO Alliance Aims to Make Logging In More Secure
The FIDO Alliance is an association of businesses from many different industries with a shared vision – to make logging in to online services more secure. The Alliance aims to achieve its vision by developing standards for user authentication and device attestation that will – it is hoped – replace the world's “over-reliance on passwords”.
The failure to use strong, unique passwords for each account – and the failure to keep the passwords secure – is the leading cause of data breaches; and while technologies exist that can prevent password-related data breaches, they are not as widely adopted as they should be because end users would rather sacrifice security for convenience.
Acknowledging that poor online security is an issue that's not going to go away, the FIDO Alliance evolved from an idea initiated by PayPal and Validity Sensors to replace passwords with biometric logins. The idea gained traction, and the Alliance was launched in 2013 with the support of companies such as Google, Lenovo, Samsung, and Yubico.
Since its launch, the FIDO Alliance has published three sets of specifications that resolve interoperability issues between technologies such as security keys, fingerprint scanners, voice recognition software, and near-field communication (NFC) devices. When a web site or application adopts the specifications, it makes it easier for end users to log into the online service by eliminating the need for a username and password.
How FIDO Works
If a website or application has adopted FIDO specifications, an end user can register for an account by selecting the FIDO authentication method adopted by the online service instead of registering with a username and password. The user's device creates a cryptographic key pair and sends the public key to the online service. The private key and any information associated with the local authentication method (e.g., a PIN) never leave the user's device.
When the user wants to log back into the online service, they visit the web site or application, click “log in”, and the online service sends a “login challenge” to the user's device. The device responds by using the private key to “sign” the challenge; once the online service verifies the signature with the public key registered for that user, the device is recognized and the end user is logged in. The process is quicker than entering a password and very convenient for end users.
Most companies that have adopted FIDO standards allow end users who have created an account with a username and password to switch to passwordless login. For example, if you already have a PayPal account, you can change the login method to (for example) fingerprint authentication by visiting the Login and Security area (in Settings) and sliding the toggle to turn on Touch ID. You then need to register your device with PayPal to use passwordless logins in future.
Which Services Support Passwordless Logins?
Although the FIDO Alliance has been in existence for almost ten years, the number of websites and services that have adopted the FIDO specifications is relatively small. However, they do include some of the world's most popular websites, for example:
- Bank of America (Mobile only)
- GitHub (Desktop Only)
- Microsoft (Windows only)
- PayPal (Mobile only)
- Verizon (Mobile only)
In addition, other companies have adopted the FIDO Security Key specification, which allows users to log into an online service via a plugged-in security key or an NFC swipe card. The card works like a contactless payment at the store, except that you swipe it over a reader that authenticates your device to the online service. Web sites that have adopted this specification include Facebook, Google, Twitter, and YouTube.
As the popularity of passwordless logins grows, so will the number of services that adopt FIDO specifications. Organizations currently working with the FIDO Alliance to provide secure login solutions to end users include Amazon, Amex, Chase, Hitachi, IBM, Salesforce, and VMware. Vendors of password managers (for example, Bitwarden) are also working alongside the FIDO Alliance to support secure passwordless login methods and user-friendly two-factor authentication (2FA).
Why 2FA Will Still be Important
Despite the progress made with passwordless login, there will still be occasions when end users and organizations have to revert to usernames and passwords. These may arise because the FIDO specifications only work across encrypted channels, because authentication devices are spoofed, or because a hardware issue prevents a user from logging into an account – not to mention that hardware devices (smartphones, security keys, NFC readers, etc.) can be lost, stolen, or damaged.
Consequently, organizations are going to need a backup process for accessing accounts and databases containing critical data. As mentioned previously, the failure to use strong, unique passwords for each account – and the failure to keep the passwords secure – is the leading cause of data breaches; and until such time as passwords are completely eliminated by the FIDO Alliance, protecting sensitive accounts and databases with 2FA remains the best way to protect critical data.