Date: 2021-11-20

If you grew up during the time I did, when you hear the word “Fido,” you automatically think of a standard dog’s name. It, along with “Spot,” is probably among the most common names for dogs ever.
These days, FIDO can mean something totally different. There is an organizational movement out there that is developing technology by that name that could eventually bypass passwords, or at least supplement them, on your electronic devices, websites, and access to electronic documents.
The inability of many online services to keep their users’ passwords secure from cybercriminals, combined with the built-in weaknesses of passwords as a means of authentication, is forcing governments and the IT industry to establish a viable, long-term replacement.
Keeping passwords unbreakable is going to become more and more necessary. Right now, the majority of all successful data breaches can be traced back to inadequate passwords. Doing so will require the development and general adoption of identity authentication technologies. Until recently, the IT industry has struggled to bring about such technologies, but new developments such as the FIDO authentication standard have started to change that.
Ease of use is the reason passwords have lasted so long, but requiring users to remember longer, more complex passwords isn’t practical given that the average user needs over forty across their accounts.
Ideas such as using image recognition, where users recognize pictures rather than enter passwords, only offer minor security benefits over passwords, while those offering significant security benefits, like iris recognition, have usually been too costly to deploy or problematic to use.
In an attempt to standardize the security of logging in to various secure sites, leading companies such as PayPal and Lenovo formed the Fast IDentity Online (FIDO) Alliance several years ago with the aim of defining a set of open standards and specifications for how multifactor authentication should work.
So what is FIDO, how does it work, and can it remove our reliance on passwords?
FIDO is based on a device, but is not designed for any specific type of authentication technology. The authentication method or provider can be changed without impacting the application being used.
It provides two ways to authenticate users, one without passwords which uses one type of confirmation, and another way called Second Factor, which you’ve probably heard of as two-factor authentication. In future versions, FIDO expects the two standards to further evolve and harmonize.
In the method without passwords, users register their device with an online service by selecting a local authentication mechanism. This can be biometric, such as swiping a finger, taking a selfie or speaking into a microphone. Once registered, users repeat the process whenever they need to authenticate to the service, so no password is necessary. A service can also require multiple authentication mechanisms such as a fingerprint or voice scan and a password or PIN. The presence of high-quality cameras, microphones, and fingerprint readers in many of today’s devices means it’s now easier than ever to implement biometric authentication that establishes trust between two parties.
Second Factor involves using a password or PIN along with a hardware device to support two-factor authentication: knowledge of the PIN or password being the first factor, and ownership of the device being the second factor. The user is prompted to insert and touch their personal device during login. The user’s FIDO-enabled device creates a new key pair, and the public key is shared with the online service and associated with the user’s account. The service can then authenticate the user. A hacker would need to steal both a user’s credentials and their device to compromise an account or application log-in.
FIDO authentication credentials are never shared with an online service provider, only the public keys paired to the user’s device. This removes the threat of a breach of a user’s accounts or personal data if a service provider is compromised. Likewise, biometric measurements used in FIDO authentication never leave the user’s device. There is also no information emitted by the device that can be used by different online services to collaborate and track a user across the Internet, even though the same device can be used to log in to any number of services.
Google Chrome was the first Web browser to implement support for Second Factor authentication, but all the major browsers will eventually provide support. For users, this means instead of typing in a six-digit passcode received via text to log in to an online service, users can simply insert a FIDO-compliant USB key into their computer and tap it when asked to do so by the browser.
FIDO brings substantial gains to users and businesses, which explains its rapid adoption where other initiatives have failed to displace the password. As more users discover the advantages of being free from passwords and the added security FIDO authentication provides, online services left relying on passwords may well begin to lose out. If FIDO reduces the number of abandoned online and mobile shopping carts due to account login difficulties, retailers will easily recoup any costs involved in updating their sites to be FIDO compliant.
Over the years, cybercriminals have made huge profits due to the ineffectiveness of password-based authentication, but FIDO authentication makes credential theft far more difficult and expensive, without sacrificing convenience for security. Hopefully it will help end the role of the password as the primary authentication factor.
So now instead of calling your dog Fido, you just may be using FIDO to order supplies online for your dog!