What is the FIDO Alliance?

The FIDO Alliance (FIDO stands for Fast IDentity Online) is an alliance of tech companies such as PayPal, Google, Amazon, Samsung and Lenovo that have come together to solve the global ‘password problem’. Their aim is to provide a secure alternative to passwords.

FIDO’s mission statement explains their intentions quite clearly: “The FIDO Alliance is an open industry association with a focused mission: authentication standards to help reduce the world’s over-reliance on passwords.”

The alliance was founded in 2012 by PayPal, Lenovo, NokNok Labs, Validity Sensors, Infineon, and Agnitio, and the Alliance was launched publicly in 2013.

Members grew quickly and in 2015 FIDO launched a Government Membership Programme, attracting government agencies from the UK, USA, Australia and Germany.

The FIDO Alliance site claims that their certified products are more secure than passwords and SMS based One Time Passwords and offer a much better user experience.

The Alliance has currently published three sets of specifications: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF), and FIDO2, which includes the W3C’s Web Authentication (WebAuthn) specification and the FIDO Client to Authenticator Protocol (CTAP).

Two Exciting Applications of Passwordless Authentication

Security Keys

Security keys are an exciting evolution in the post-password world. The keys are in most cases small and can be attached to your keyring. We have been playing around with one of the most popular security keys on the market, the ‘YubiKey’, which comes from the company Yubico.

The key that we are using is the YubiKey 5 NFC. It is around 2 × 4.5 cm, weighs next to nothing, and the company claims that it has high levels of durability.

Instead of using a password, username or One Time Password (OTP) to log into an account, users present the security key to their mobile device, which connects via Near Field Communication (NFC), or insert the key into a USB port on a laptop or desktop. Once the device has identified the key and the proper requests have been sent and received, the login completes.

Reports came out of Google last year that internal use of security keys reduced successful account takeovers by 100%. Statements from the manufacturers of the keys have since backed this up, claiming that the security keys are actually phishing-proof, although only time will tell.

SMS-based One Time Passwords (OTP) can be intercepted with enough effort and skill. Authenticator apps are more secure than SMS-based 2FA, but the keys offer a more advanced and secure method of authentication.
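The reason a security key resists phishing where an SMS or app-generated OTP does not is the structure of the login exchange described above: the service issues a fresh challenge, the browser (not the web page) records which origin is asking, and the key only ever signs for the site it was registered with. The following toy model is an added example written for this post, not code from Yubico, the FIDO Alliance or any WebAuthn library. It models a WebAuthn assertion with three parties (authenticator, browser, relying party); HMAC with a per-site secret stands in for the per-credential public-key signature a real key produces, and all names, origins and challenge values are constructed for illustration.

```python
import hashlib
import hmac
import json
import secrets
from urllib.parse import urlparse

# Toy model of a FIDO2/WebAuthn login (constructed example). HMAC keyed with a
# per-relying-party secret stands in for the ECDSA key pair a real key holds.


class Authenticator:
    """The security key: one credential per relying-party ID (rp_id)."""

    def __init__(self):
        self._credentials = {}  # rp_id -> credential secret

    def make_credential(self, rp_id):
        key = secrets.token_bytes(32)
        self._credentials[rp_id] = key
        return key  # a real key would only ever export the public half

    def get_assertion(self, rp_id, client_data_hash):
        # The credential is scoped to rp_id: a different site has nothing to sign with.
        key = self._credentials.get(rp_id)
        if key is None:
            raise KeyError("no credential registered for this relying party")
        rp_id_hash = hashlib.sha256(rp_id.encode()).digest()
        authenticator_data = rp_id_hash + b"\x01"  # flag byte: user present
        signature = hmac.new(key, authenticator_data + client_data_hash, hashlib.sha256).digest()
        return authenticator_data, signature


class Browser:
    """The client. It, not the web page, writes the true origin into clientData."""

    def __init__(self, authenticator):
        self.authenticator = authenticator

    def login(self, origin, rp_id, challenge):
        host = urlparse(origin).hostname
        # WebAuthn rule: a page may only use an rp_id that is its host or a parent domain.
        if host != rp_id and not host.endswith("." + rp_id):
            raise ValueError("rp_id is not valid for this origin")
        client_data = json.dumps(
            {"type": "webauthn.get", "challenge": challenge, "origin": origin},
            sort_keys=True,
        ).encode()
        auth_data, sig = self.authenticator.get_assertion(rp_id, hashlib.sha256(client_data).digest())
        return client_data, auth_data, sig


class RelyingParty:
    """The online service verifying the assertion."""

    def __init__(self, rp_id, origin):
        self.rp_id, self.origin = rp_id, origin
        self.cred_key = None
        self.pending = set()  # challenges issued but not yet consumed

    def register(self, authenticator):
        self.cred_key = authenticator.make_credential(self.rp_id)

    def new_challenge(self):
        challenge = secrets.token_hex(16)
        self.pending.add(challenge)
        return challenge

    def verify(self, client_data, auth_data, sig):
        cd = json.loads(client_data)
        if cd.get("type") != "webauthn.get":
            return False
        if cd.get("origin") != self.origin:  # origin binding: a look-alike site fails here
            return False
        if cd.get("challenge") not in self.pending:  # freshness: stops replay
            return False
        if auth_data[:32] != hashlib.sha256(self.rp_id.encode()).digest():
            return False
        expected = hmac.new(self.cred_key, auth_data + hashlib.sha256(client_data).digest(), hashlib.sha256).digest()
        if not hmac.compare_digest(expected, sig):
            return False
        self.pending.discard(cd["challenge"])  # each challenge is single-use
        return True


def run_scenarios():
    """Genuine login succeeds; replay and two look-alike-site attempts are rejected."""
    key = Authenticator()
    rp = RelyingParty("example.com", "https://example.com")
    rp.register(key)
    browser = Browser(key)
    results = {}
    results["genuine"] = rp.verify(*browser.login("https://example.com", "example.com", rp.new_challenge()))
    assertion = browser.login("https://example.com", "example.com", rp.new_challenge())
    rp.verify(*assertion)
    results["replay"] = rp.verify(*assertion)  # same assertion presented twice
    try:  # look-alike domain with its own rp_id: the key has no credential for it
        results["lookalike_own_rpid"] = rp.verify(*browser.login("https://examp1e.com", "examp1e.com", rp.new_challenge()))
    except KeyError:
        results["lookalike_own_rpid"] = False
    try:  # look-alike domain claiming the real rp_id: the browser refuses
        results["lookalike_spoofed_rpid"] = rp.verify(*browser.login("https://examp1e.com", "example.com", rp.new_challenge()))
    except ValueError:
        results["lookalike_spoofed_rpid"] = False
    return results


if __name__ == "__main__":
    print(run_scenarios())
```

The two look-alike scenarios are the ones an OTP cannot survive: a user who types a code into a convincing copy of the login page hands over something the attacker can relay, whereas the key's signature covers an origin the attacker does not control and a credential that does not exist for their domain.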

The key can be used with a variety of online services such as Google, Facebook, LastPass, Citrix, DocuSign, Dropbox and many more, and can even be configured to log you on to your Windows machine. The key won’t integrate with Office 365 at this time, but I believe that this development is on the way.

Biometrics

Unless you have been living under a rock, you will have come across the variety of biometric authentication options that have become mainstream over the past few years.

From facial recognition to fingerprint scanning, retina recognition, voice recognition and more, most modern smartphones contain some form of biometric security option.

FIDO has created the first industry-wide certification programme to manage and measure the performance of biometric authentication via third-party accredited independent labs.

The certification is a market first for biometric products. Previously, vendors were required to repeatedly prove performance for each customer. The certification, which requires products to be tested and certified only once, saves vendors a huge amount of time and cost.

The certification aims to fill the gap left by the lack of industry-wide programmes that validate the performance and reliability of biometric solutions.

Samsung is the most notable provider of FIDO-certified biometric products. With such a huge smartphone market share and an ever-expanding range of mobile digital services, it is no surprise to see the certification next to their name.

Their recent Galaxy S10 and S10+ models are the first products to market with the FIDO Biometrics certification.

The industry-wide support and investment in passwordless solutions is clear. It won’t be long before more and more online service providers enable FIDO passwordless authentication.

Breathe a sigh of relief…

Stay posted for our review of the YubiKey 5 NFC security key.