FIDO stands for Fast IDentity Online; the FIDO Alliance is a cross-industry group trying to replace passwords with simpler and stronger authentication that works across multiple devices and services. The first generation of FIDO defines two key protocols. The first, Universal 2nd Factor (U2F), adds a second factor to the familiar username and password; the difference from conventional authentication hardware like RSA’s SecurID is that a FIDO U2F device like the YubiKey isn’t tied to a single service. You can use the same device to authenticate to Google Apps, PayPal, Dropbox and any other FIDO-compliant system. The device generates a separate key pair for each service it is registered with, and the private key never leaves the device; the service stores only the public key, so a breach of the service exposes nothing an attacker could log in with, and because each signature covers the site origin the browser saw, a look-alike site cannot reuse it.
The second, the FIDO Universal Authentication Framework (UAF), uses a biometric (a fingerprint sensor or iris scanner, or voice or facial recognition) to unlock a cryptographic key on your device, which then authenticates you to the service you want to use; at that point you don’t need a password at all. Phones like the iPhone and the Samsung Galaxy S5 have that kind of sensor built in, but first-generation UAF doesn’t let you use the phone as the authenticator for your other devices.
That device-to-device capability is a key feature of the FIDO 2.0 specifications. It isn’t just about convenience for users, who then only have to register and unlock one device (although that matters for getting people to use FIDO at all). It also means you could sign in to a FIDO service from a Mac or PC with no fingerprint sensor, using an Android phone that has one. (It also helps future-proof the system: if a new biometric identifier appears in five years, you could use it to unlock existing devices and services.)
To make that really useful, FIDO 2.0 needs its other main goal, what the FIDO Alliance calls “ubiquitous platform support.” As FIDO Alliance president Dustin Ingalls explains, “The mission of the FIDO Alliance has always been stronger, simpler authentication: stronger to help protect data, and simpler to address the problems users face trying to create and remember multiple usernames and passwords. In order to achieve this mission, FIDO authentication needs to be available everywhere … on all the devices you use and with all of the apps and services you use.” That means getting FIDO support built in out of the box, not bolted on later.
The 72 FIDO-certified devices available so far are a start, as is the W3C’s plan to take key FIDO 2.0 protocols and make them the basis of a new Web Authentication Working Group and a Web API that browsers and web services can use to exchange FIDO credentials. “How do we ‘kill passwords’?” asked the W3C blog about the proposed Web API. “The FIDO 2.0 specifications, which define a unified mechanism to use cryptographic credentials for un-phishable authentication on the Web,” is one answer.