The FIDO Alliance started as an answer to the security problems of typical username/password login procedures. Passwords are viewed as not very secure in the current age of digital security. Despite this, there have been a few barriers to the adoption of different and better authentication services. In the past, consumers did not enjoy their user experience (UX) with alternative authentication services. The main barrier has been that online companies and service providers did not want to take on the costs and technical expertise associated with constructing and implementing their own digital security and authentication systems.
The FIDO Alliance was created to end the world’s dependence on traditional passwords as the standard authentication method. The alliance exists as an open industry association, and its mission is to foster a more secure and smoother authentication process, both for service providers to supply for consumers as well as for consumers to more comfortably authenticate.
As an open industry organization, the FIDO Alliance has many members at varying levels. Its board level members include companies such as Amazon, Bank of America, Facebook, Google, Microsoft, and American Express. Sponsor level members include organizations such as Chase, Discover, Ebay, Fidelity Investments, and Mozilla. Associate level members include companies such as Easy Dynamics, Goldman Sachs, Samsung SDS, Twilio, Inc., and Motiv. Liaison partners with FIDO Alliance include OpenID, the National Cyber Security Alliance, the International Biometrics & Identification Association, the Electronic Transactions Association, and the Secure Technology Alliance.
2-Factor Authentication (2FA) is a digital security procedure where the user gains access to an online system through verification by two different authentication factors. This is a better protection mechanism of the user’s credentials and of the systems being accessed than traditional passwords. 2-Factor Authentication provides an extra level of security than single-factor authentication (SFA) methods, which involve the user inputting one authentication factor, such as a password or a passcode. Passwords can be used in 2-Factor Authentication methods, but will also require a second factor, such as a biometric factor like a fingerprint or face scan, or an answer to a security question.
2-Factor Authentication tends to work using one of several methods:
Knowledge factor: something secret that the user knows and shares with the system to gain access to it, such as a PIN, a password, or a passcode.
Possession factor: something that the user physically possesses, such as a security USB device, a smartphone, a security token, or an ID card.
Biometric/Inherence factor: something inherent in the user’s body, one or more physical characteristics of the user. These tend to be information about personal characteristics that have been collected from the user’s physical qualities, such as voice or facial recognition from voice or face recordings, or fingerprints that have been verified by digital fingerprint readers. This can include certain behavioral biometrics, such as swiping gestures or keystroke patterns.
Location factor: restricts valid authentication attempts to only certain locations. This can be accomplished by location limiting authentication attempts to particular devices in predetermined locations. Usually, the location factor tracks the physical, geographical location of any authentication attempts using the IP address of the authenticating user, GPS information, or other sorts of pinpointing the device’s geolocation.
Time factor: limits a user’s authentication session to a preset time window. Within the time window, logging on is permissible, but the system cannot be accessed when outside of that window.
With traditional single-factor authentication (SFA), there’s only one level of security, which is typically your password or passcode. You simply enter your username and login password and that permits you to access an account or a system’s features. 2FA gives a system an additional level of security, which complicates attempts to access the account or system by unauthorized users. With 2FA, knowing the password or passcode is a necessary but not sufficient condition for gaining system or account access. Beyond that information, the authenticating user must also know or possess a different authentication factor, such as a one-time password (OTP), an answer to a personal information request, or a sort of biometric verification such as a fingerprint.
Generally, 2FA makes authentication security stronger by making it harder for hackers and other unauthorized users to gain authenticating factors from remote locations. A hacker may gain a user’s password, but that won’t be enough information for access in a 2FA-secured system. Obtaining the second authentication factor needed to gain access, such as an eye scan, a security token on the user’s person, or secretive information, will prove to be much more difficult task. Facing multiple obstacles vastly reduces the chances of a hacker gaining all of the tools and information needed to gain access to the desired account or system. As the factors are independent of one another, the compromise of one factor, such as an answer to a security question, will not impact the security of the other authentication factors.
By going into more detail about FIDO 2FA, we can discuss two important issues. First, we can answer the question: What is FIDO U2F? And afterwards, we can explain how FIDO U2F works.
What is FIDO U2F
FIDO universal 2nd factor (U2F) is a relatively new open authentication mechanism allows users to access a variety of online services and features with a single security key. U2F provides immediate access to secure online services without the need of driver installation or of software purchased or downloaded from a client.
How FIDO U2F Works
FIDO U2F Token Registration:
- The user is asked to selection one of several FIDO authenticators that are a part of a service’s acceptance policy.
- The user accesses the FIDO authenticator using an authentication factor such as a secure PIN, a key on a second-factor device, a fingerprint, or another factor.
- A special public/private key pair is created that must be used with the authenticating device, the relevant online service and the user’s account.
- The private key and other local authentication mechanism information, like biometric data, is kept on the local device. The public key is used to link the user’s account with the relevant online service’s systems and features.
FIDO U2F Token Verification:
- The user is challenged by the online service to properly login with a previously registered device that adheres to the online service’s acceptance policy.
- The user unlocks the FIDO authenticator with the same authentication factor used during the registration process.
- Using the account identification information provided by the online service, the local device picks the proper key and digitally signs the challenge of the service.
- Lastly, the device transmits the signed challenge to the online service, verifying the information with the stored public key, which results in the user being logged into the account.
FIDO U2F is quickly becoming the authentication method of choice for many different online industries and services. It offers a wide range of benefits over traditional single-factor authentication. The two-factor authentication of U2F uses public key cryptography that guards against digital threats such as session hijacking, malware attacks, and phishing attempts. U2F security keys can handle multiple accounts with different private/public key pairs for each service, ensuring that authenticating information is not shared between services. It also adds a high level of security while barely adding any extra time that users typically take to authenticate themselves by just using traditional usernames and passwords.