Is FIDO the future instrument to prove our identity?

FIDO, short for Fast IDentity Online, is an industry consortium started in 2013 to address the lack of interoperability among strong authentication devices and the problems users face creating and remembering multiple usernames and passwords. Among the founders were those who work in the financial sector, device manufacturers, and providers of authentication solutions.

What is FIDO?

According to the FIDO Alliance website, FIDO is a set of open and scalable standards that enable simpler and more secure user authentication experiences across many websites and mobile services.

FIDO set out to make authentication devices easier to use and fix the conflicts between devices from different vendors. Their goal is to provide a set of specifications for the entire range of authentication techniques. These specifications should then provide a standard for the entire industry leading to better compatibility and more ease of use.

Logging in

Currently, there are a variety of options for users to log in to their services and devices. We have discussed the basics of two-factor authentication (2FA) in the past, and almost everyone agrees that it is impractical to remember 27 or more passwords and usernames for individual accounts—nor is it safe to re-use passwords through multiple accounts. So, what are our options for logging in?

The most common ones are divided up into these categories:

  • The classic username and password combination
  • Knowing a PIN or TAN code (ATM withdrawals, money transfers)
  • Having access to an email account (when verification codes are sent by mail) or mobile device (texted codes)
  • Secret questions (often frowned upon as they are sometimes easy to guess, or easy to obtain through phishing)
  • Physical keys (card readers, USB keys)
  • Biometrics (fingerprint readers, iris scanners, voice recognition)
  • Mobile devices that can scan barcodes or QR codes and calculate a login code for one time use (Authy, Google Authenticator)
  • Already being logged in to a verified account (e.g. Facebook login)

Problems and solutions

As FIDO seeks to standardize authentication protocols for the wide range of login options listed above, they must identify techniques that are problematic from a security standpoint and look for solutions.

One of the problems with many of the login options is the use of shared secrets, meaning that both the user and the software that checks the login need to know the correct answers. You might be able to keep a secret, but your software could be fooled into handing over all your information to attackers. On a regular basis they succeed in breaching a sites’ or services’ security and obtaining a multitude of login credentials.

One solution for this problem is to use asymmetric cryptography. Basically, a user creates two different keys, a private and a public key. When a user proves that he has the private key by responding to a challenge, the service or website can check the answer that the user provided to the challenge by using the public key, which the user provided the website or service with when he signed up. As a handshake, the server asks the user a question based on the public key that only the holder of the private key can answer. But the answer does not give away the actual private key.

The challenge is created especially for that login attempt, so the answer can’t be used for another login with the same service or a different service. This way, the user is the only one that can answer the challenge and the only one that has access to both keys.

Advantages and disadvantages

The advantages of using asymmetric cryptography are clear:

  • It’s easy to use without having to remember a password.
  • Strong asymmetric encryption can’t be brute forced, unlike weak passwords.
  • The same key combination can be used for multiple logins (not to be confused with the challenge question, which is uniquely generated for each login attempt).
  • It’s impossible to steal from websites and services, even using Man-in-the-Middle attacks, because the private key is never sent across the Internet.

A major set-back could be if the user should ever give their private key to a third party, for example, because she lost it or because she was a victim of a phishing attack that asked directly for the private key. In such a case, having used this method across a multitude of sites and services means the user is in for a multitude of problems: each service she signed in with using this combo could be compromised.

What does FIDO have to do with this?

The FIDO Alliance hosts the open authentication standard FIDO2, which enables strong, passwordless authentication built on public key cryptography using hardware devices like security keys, mobile phones, and other built-in devices. It does this using both the W3C Web Authentication specification (WebAuthn API) and the Client to Authentication Protocol (CTAP), a protocol used for communication between a client (the browser) or a platform (the operating system) and an external authenticator, i.e., the hardware security key.

With these capabilities, the hardware security key can replace weak, static username/password credentials with strong, hardware-backed public/private-key credentials.

Because FIDO2 is an open standard, the security device can be designed for existing hardware, such as phones or computers, and for many authentication modalities. In addition, it can be used for different communication methods, such as USB, Bluetooth, and Near Field Communication (NFC), which allows for contactless authentication to take place safely from many systems and devices.

FIDO2 can be enhanced further still for organizations requiring a higher level of security, as it supports the use of a hardware authentication device with a PIN, biometric, or gesture for additional protection.

Proving your identity in the future

Where FIDO has enabled the industry to make steps toward a safer method of online authentication, it is still far from being the standard it sets out to be. The current usage of FIDO is limited to high-end applications and organizations.

And even though browsers and operating systems have started to develop built-in support for FIDO2, they are not ready for market yet. Also, a new Universal Server certification for servers that operates with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, and CTAP) is on its way. And even when those stages are complete, the websites and services that require a secure authentication method will probably need some convincing to start using this new format. And finally, only once early adopters have adapted to the technology and sung its praises will more mainstream usage follow suit.

Alternatives

Using asymmetric keys is the most logical and secure method to prove your identity right now, but it could very well be replaced by a blockchain technology. Given the rate of development in blockchain technology, especially compared to the relatively slow advances made in FIDO, this seems a likely scenario. And it doesn’t help that competing standards are created like the PCI-DSS, instead of bundling the efforts into creating an all-encompassing standard.

The one standard to rule them all will probably be the one that has the widest applicability. Being able to log in anywhere without the hassle of passwords almost sounds too good to be true, but the answers are out there. Hopefully, with the application of the best standard, we will see a future with less breaches and more peace of mind.