Introduction to FIDO Authentication
Once devices could store data and provide digital access to services, there arose a need to protect those devices and services from unauthorized and unintended use. That need produced a variety of methods for authenticating the users of digital platforms and storage devices. Known technically as authentication factors, they appear today as passcodes, passwords, hardware keys, and client certificates, among others. Fast Identity Online (FIDO) is an initiative of a group of companies to reduce reliance on multiple usernames and passwords through the efficient and interoperable use of stronger authentication factors.
These authentication factors are normally split up into three types of factors:
Something you are (the inherence factor): physical or behavioral characteristics of the user are used to authenticate them on a device or service. Common examples of biometric factors are the shape of your face, your fingerprints, your iris patterns, or, as a behavioral biometric, your typing rhythm.
Something you have (the possession factor): items owned by the user whose possession grants access. These could be hardware keys, tokens, client certificates, or other objects that must be in the user's possession at the time of login.
Something you know (the knowledge factor): information that only the user is expected to know, such that entering it correctly at a prompt grants access to protected areas or features. The required information might be a password, a personal identification number (PIN), or the answer to a secret question. A username is an identifier rather than a secret, so it does not count as a factor on its own.
FIDO Alliance: An Overview
The FIDO Alliance grew as a reaction to the pitfalls of password use. Though the general consensus is that passwords aren’t that secure, there have been several important obstacles in the path towards alternative authentication solutions. Most notable among these obstacles is that online content and service providers are hesitant to take on the cost and the technical details of creating and supplying their own authentication solutions. Another important obstacle is that consumers typically don’t like the user experience (UX) of past authentication systems.
To mitigate the world’s dependence on passwords, the FIDO Alliance was formed as an open industry association to overhaul the worldwide authentication process. Its mission is to make the authentication process much more secure, to make the process smoother for service providers to roll out and adjust as necessary, and to make authentication easier for consumers to use.
The Alliance runs industry-wide certification programs so that products from different vendors can be tested against the FIDO technical specifications and accepted worldwide. Those specifications describe authentication methods that are open, that let software and systems from different vendors exchange and use information (interoperability), and that scale with different business and industry requirements.
Pros of FIDO Authentication
Here are some pros to consider for FIDO Authentication:
Strong Security: One example comes from FIDO Universal 2nd Factor (U2F), a hardware form of multi-factor authentication (MFA) that is notable because a login cannot be redirected, intercepted, or replayed. Using a Universal Serial Bus (USB) or near-field communication (NFC) device, the token communicates with the browser on the host computer. At registration the token generates a fresh public/private key pair for that particular service, keeps the private key on the device, and hands the service only the public key. At login the service sends a random challenge; the token signs it, together with the web origin the browser is talking to and a signature counter, using the private key, and the service checks the signature with the stored public key. There is no central authority holding keys: the private key is generated on the device, never leaves it, and cannot be read out or copied by ordinary means. An attacker who steals the service's database therefore gets only public keys, and possession of the physical device is required for every login. The signature counter also lets the service notice a cloned token, because a clone's counter falls behind the original's.
Secure Recovery: FIDO supports several recovery options. In the case of U2F, users can register two U2F devices with every service they use, keeping the second in a safe place as a backup. A service can also issue single-use backup codes that should be stored securely for future use. Another common fallback is a two-factor authentication (2FA) code sent to a registered phone number, which gives the user a way back in but deserves care: an SMS fallback is not phishing resistant, so the account is only as strong as its weakest recovery path. Services can also issue recovery tokens to users who have lost access to their accounts through the normal means, and can do away with passwords for recovery altogether. For instance, employees could register a FIDO security key alongside a different method such as a mobile one-time password (OTP), use the OTP day to day, and keep the FIDO key for emergency account access. Whatever the mix, recovery should be planned up front so that the fallback is no easier to attack than the primary login.
Ease of Use: Major browsers and operating systems support FIDO U2F natively, so there are no codes to type and no drivers to install; the user plugs in or taps the token and touches it. A single FIDO token can serve any number of apps and sites, because each service receives its own key pair and, in typical implementations, that key material is wrapped into the key handle the service stores rather than consuming space on the device, so one token replaces a collection of per-site devices. In FIDO's passwordless profile (UAF), a user registers a device with an online service by choosing a local authentication mechanism: speaking into the microphone, looking at the camera, entering a PIN, or swiping a finger. Repeating that local action is then the only step needed to authenticate to the FIDO-enabled service, and the biometric or PIN never leaves the device.
Phishing Resistant: Phishing attacks lure the victim into handing account details or other confidential information to an attacker, typically through an email, message, or link that impersonates a contact or business the user deals with, such as a service provider or a bank; the same lures are also used to get the victim to install malware from a fraudulent attachment or link. A traditional password or one-time code typed into a convincing look-alike site is simply captured and replayed by the attacker. U2F defeats this because the token's signature is bound to the web origin the browser actually loaded: the key pair is registered for the real service's origin, the browser passes that origin to the token, and the service verifies the signature against its own origin. A look-alike domain therefore obtains no usable signature even if the user is fooled, and a signature produced for one site cannot be replayed on another. Note that this protects the login itself; it does not stop malware already running on the user's machine from abusing a session once the user is logged in.
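The three points above (the challenge-response under Strong Security, the second registered device under Secure Recovery, and the origin binding under Phishing Resistant) can be seen in one place with a small simulation. The following is an added example written for this article, not code from the page or from the FIDO Alliance. It uses Go's standard-library ECDSA on P-256. The Token and Service types, the origins bank.example and bank-example.attacker.test, and the message layout hash(origin) || counter || hash(challenge) are assumptions for illustration; the real U2F wire format carries the same ingredients in a different encoding, and real tokens wrap the private key into the key handle instead of keeping a table.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Token stands in for a U2F security key: key handle -> key pair bound to the origin it was
// made for. Private keys never leave it (real devices wrap the key into the handle; a map is simpler).
type Token map[string]*tokenKey
type tokenKey struct {
	appID   string
	priv    *ecdsa.PrivateKey
	counter uint32
}
func randomBytes(n int) []byte {
	b := make([]byte, n)
	if _, err := rand.Read(b); err != nil {
		panic(err) // no entropy: stop rather than mint weak keys or challenges
	}
	return b
}

// Register mints a P-256 key pair for appID; the service stores only the public key.
func (t Token) Register(appID string) (string, *ecdsa.PublicKey) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	handle := fmt.Sprintf("%x", randomBytes(16))
	t[handle] = &tokenKey{appID: appID, priv: priv}
	return handle, &priv.PublicKey
}

// Authenticate is called by the browser with the origin it actually loaded; a handle
// issued for another origin is refused, so a look-alike phishing page gets no signature.
func (t Token) Authenticate(appID, handle string, challenge []byte) (uint32, []byte, error) {
	k := t[handle]
	if k == nil || k.appID != appID {
		return 0, nil, errors.New("no credential registered for this origin")
	}
	k.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, k.priv, signedData(appID, k.counter, challenge))
	return k.counter, sig, err
}

// signedData is the message both sides compute on their own: hash(origin) || counter ||
// hash(challenge). Binding the origin is what makes a signature for any other site worthless.
func signedData(appID string, counter uint32, challenge []byte) []byte {
	app, chal := sha256.Sum256([]byte(appID)), sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	sum := sha256.Sum256(append(append(app[:], ctr[:]...), chal[:]...))
	return sum[:]
}

// Service is the relying party: its own origin plus a public key and last-seen counter per handle.
type Service struct {
	AppID    string
	pubs     map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

func NewService(appID string) *Service {
	return &Service{AppID: appID, pubs: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

// Verify recomputes the message with the service's OWN origin, checks the ECDSA signature,
// and rejects a counter that did not increase (a replayed assertion or a cloned key).
func (s *Service) Verify(handle string, challenge []byte, counter uint32, sig []byte) bool {
	pub := s.pubs[handle]
	if pub == nil || counter <= s.counters[handle] ||
		!ecdsa.VerifyASN1(pub, signedData(s.AppID, counter, challenge), sig) {
		return false
	}
	s.counters[handle] = counter
	return true
}

func main() {
	bank := NewService("https://bank.example")
	key, backup := Token{}, Token{} // two devices registered on one account; backup covers loss of key
	h1, pub1 := key.Register(bank.AppID)
	h2, pub2 := backup.Register(bank.AppID)
	bank.pubs[h1], bank.pubs[h2] = pub1, pub2
	chal := randomBytes(32) // challenge issued by the service for this login
	ctr, sig, _ := key.Authenticate(bank.AppID, h1, chal)
	fmt.Println("login accepted:", bank.Verify(h1, chal, ctr, sig))  // true
	fmt.Println("replay accepted:", bank.Verify(h1, chal, ctr, sig)) // false
	// Phishing: the attacker relays the bank's real challenge from its own origin.
	_, _, err := key.Authenticate("https://bank-example.attacker.test", h1, chal)
	fmt.Println("phishing page got a signature:", err == nil) // false
}
```

Two things to notice when reading it: the service never sees a private key (a database breach yields only public keys), and the phishing case fails at the token, before any signature exists, because the browser reports the origin it really loaded. Even a token that skipped that check would not help the attacker, since Verify hashes the service's own origin into the message and the signature would not match. The second registered device is what makes loss of the first recoverable without a weaker fallback.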
Cons of FIDO Authentication
The following are cons of the FIDO method of authentication:
Cost: FIDO tokens have a unit price, on the order of $10–$20 each. Individually that isn't much, but buying a token for every employee in a large firm, plus spares and replacements for lost devices, adds up quickly. The cost is mitigated by the fact that a single token stores keys for any number of websites and apps, so one device covers all of a user's services.
Extra Step: While FIDO clearly adds security, it does so at some cost in convenience and user time. Every additional authentication stage adds to the total time and effort a user spends before being authorized to use a service, and this becomes noticeable when users have to authenticate many times in the same day. In practice a U2F login adds a touch of the token rather than a code to read and type, so the overhead is small, but it is still there; services commonly reduce it by remembering a trusted device for a period after a successful second-factor login.
FIDO authentication is still fairly new but may soon become the authentication method of choice. It offers greater security than traditional logins with usernames and passwords. Using a FIDO token as a second factor on top of a password is the most common deployment; layering further factors raises the bar for an attacker still more, though no method guarantees secure access. Each added factor also lengthens the authentication process, which some users, and particularly organizations with large numbers of users, will count as a significant drawback.