FIDO (Fast IDentity Online) is a set of open, standardized authentication protocols intended to ultimately eliminate the use of passwords for authentication. Passwords are costly to manage and a known security risk because they are easily compromised.
After completing an initial registration process and selecting the method by which they want to be authenticated, users can sign on to a FIDO-enabled product or service by simply providing a fingerprint, speaking into a microphone, looking into a camera, or entering a PIN, depending on the technology available on their computer or smartphone and the methods accepted by the product or service. Much of the authentication process is done behind the scenes and users are blissfully unaware that it’s even happening.
FIDO protocols use standard public key cryptography techniques to secure user authentication. All communications are encrypted, and private keys never leave users’ devices, which lessens the chances of someone discovering them during transmission. And if biometric information is used to authenticate, it’s also stored on users’ devices, which makes these authentication processes stronger and even more secure.
There are three different types of FIDO authentication protocols available. To choose the one right for your organization, you should understand how each protocol works and assess your organization’s needs, requirements, and compatibility with your systems and infrastructure.
The protocol you use will likely depend on the level of security required from a FIDO security key and the type of experience you want your users to have. For example, if you work in the financial or healthcare industries and handle sensitive information, you might want to use U2F or FIDO2 because they require users to authenticate using two pieces of information. It will also likely depend on the number of users you have, the ways in which they are deployed, and the compatibility with your existing infrastructure.
Details regarding each protocol are discussed in this article and on the User Authentication Specifications Overview page of the FIDO Alliance site.
Founded in 2013, the FIDO Alliance is an open industry association focused on creating authentication standards that “help reduce the world’s over-reliance on passwords.”
The idea of using biometrics instead of passwords to authenticate users was initially discussed at a meeting between PayPal and Validity Sensors in 2009. This meeting inspired the idea to create an industry standard using public key cryptography and local authentication methods to enable passwordless login.
Today, the FIDO Alliance has hundreds of member companies across a wide variety of industries who work together to develop technical specifications that define an open set of protocols for strong, passwordless authentication. These companies include Amazon, Apple, Google, Microsoft, Visa and, of course, Ping.
The FIDO Alliance develops technical specifications that define open standards for a variety of authentication mechanisms that all work together. They also have certification programs that allow companies to verify interoperability across certified products, which is crucial for worldwide adoption.
The fact that FIDO is an open standard is also important because it means that it is intended for widespread use, so it’s publicly available and free to adopt, implement, and update. And because open standards are managed by a foundation of stakeholders who ensure that the standards maintain their quality and interoperability, they’re widely accepted in the developer community.
The FIDO Alliance has published three sets of specifications, all of which are based on public key cryptography:
The FIDO UAF protocol allows online service providers to offer their users passwordless sign-on experiences. Multi-factor sign-on experiences are also available if additional security is required.
To use UAF, users must have a personal device, such as a computer or smartphone, that they register with an online service. During the registration process, users are asked to choose the method they want to use to authenticate with that service in the future.
Service providers determine what types of authentication mechanisms are appropriate and provide a list of available options, which might include facial or voice recognition, fingerprint reading, or entering a PIN. If a multi-factor sign-on experience is required, users can authenticate using more than one of these options.
After registering, users no longer enter their passwords to sign on, but use the methods that they selected to authenticate themselves.
Let’s start by talking about the registration process. When a user attempts to access an online service for the first time, they’re prompted to register.
Note that communication is encrypted throughout this process, and private keys and biometric information never leave users’ devices, which minimizes the chances of security breaches.
After registering, the user can quickly access the application using the authentication method that they selected.
The FIDO U2F protocol complements traditional password-based security, rather than replacing it altogether. With U2F, users must provide two pieces of evidence to verify their identities:
When the security device is activated, the computer browser communicates directly with the security device and provides access to the online service.
When a user attempts to access an online service for the first time, they’re prompted to register and provide a username and password.
Each time a user attempts to subsequently access an online service through their browser:
As with the UAF protocol, communication is encrypted throughout this process, and private keys never leave users’ devices.
You might consider using the UAF protocol if you want to require users to provide two pieces of information to authenticate: something that they know, like a username and password, and something they have, like a USB device.
FIDO2 is the name of the FIDO Alliance’s newest set of specifications and was created through a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C).
FIDO2 is built with two open standards: the FIDO Client To Authenticator protocol (CTAP) and the W3C standard WebAuthn. The two work together to provide users with passwordless authentication experiences, or two-factor and multi-factor authentication (2FA and MFA) experiences if additional protection is needed. These experiences might involve embedded authenticators, such as biometrics or PINs, or roaming authenticators, such as fobs or USB devices.
The specifications included in FIDO2 are:
Just like UAF and U2F, when a user attempts to access an online service for the first time, they’re prompted to register and provide a username and password. During registration, a new key pair is generated that has one private key and one public key. The private key is stored on the device and associated with the id and domain of the online service, while the public key is stored in the online service’s key database on a server.
Each time the user attempts to subsequently access an online service, the online service, or relying party (RP), uses APIs to verify user credentials with the authenticator.
And just like the other FIDO protocols, communication is encrypted throughout this process, and private keys never leave users’ devices.
You might consider using FIDO2 if you want to require users to provide at least two pieces of information to authenticate, and want to provide them with passwordless experiences.
FIDO2 is quickly becoming the new passwordless authentication standard. Not only does it create a much smaller window for attackers because attackers need a user’s FIDO2 authenticator that resides within the user’s device or their biometric information, which is impossible to fake, but users are no longer burdened with remembering passwords.
Authenticating is a streamlined experience that is fast, painless, and more secure than most of the other methods out there, which is why big tech companies such as Google, Microsoft, Apple, and many others support FIDO2.
To get started, refer to our Getting Started on Your Passwordless Journey guide.
FIDO uses public-key cryptography and keeps private keys on devices, so they aren’t exposed to phishing attacks, credential theft, or interception.
Yes, FIDO protocols such as U2F and FIDO2 provide two-factor authentication suitable for sectors handling sensitive information
No, biometric data used in FIDO authentication stays on users' devices, ensuring privacy and reducing the risk of data breaches.
FIDO can be used for single or multi-factor authentication depending on the protocol, with options like biometrics or security keys for added layers.
Yes, as an open standard, FIDO is compatible with a variety of devices and platforms, and major companies ensure interoperability.
Being an open standard means FIDO is publicly accessible, free to adopt, and supported by a wide community, which fosters global adoption and regular updates.
Start Today
Contact Sales
See how Ping can help you deliver secure employee and customer experiences in a rapidly evolving digital world.
Request a FREE Demo