FIDO 101
What is FIDO?
FIDO stands for Fast Identity Online, and is the solution to the world’s password problem. While passwords are used as the primary login method by the majority of websites, there are significant flaws with them. Aside from being one of the biggest vulnerabilities for businesses, they are also extremely inconvenient for customers.
Over 80% of data breaches (with an average cost of $3.9 million) have a root cause related to passwords, and the average cost to reset a password through a help desk is $70 [ref] [ref]. Businesses also see the impact of the password problem on conversion rates, as a third of online purchases are abandoned due to forgotten passwords.
The FIDO protocols are designed with privacy in mind from the beginning and the FIDO Alliance has published their Privacy Principles. No information is provided which can be used by different online services to track a user across the services. Biometric information, if used, never leaves the device.
In order for a standard like FIDO to be effective, it requires broad industry cooperation, which has happened. Chip makers, device manufacturers, operating systems, and browsers have all aligned around the FIDO standard. While very few companies have implemented login using FIDO, the hardware and software prerequisites are there, with more than 4 billion FIDO-capable devices available worldwide. For example, all devices running Android 7 or later and all devices running Windows 10 have a FIDO-compliant solution. FIDO is built into common operating systems and browsers, which means the user does not need any additional hardware or authenticator-specific applications. [ref]
Why should I use FIDO?
FIDO authentication has many benefits for both end users and businesses.
End user benefits
- No need to remember passwords: According to a recent study, the average customer has 100 passwords for their online accounts. [ref] By implementing FIDO authentication, companies can remove the need for customers to create yet another password.
- Familiar low-friction experience: FIDO typically leverages the same authentication mechanism a user goes through when unlocking their device. This could be Touch ID on a MacBook, a PIN on Windows Hello, or Face Unlock on Android, among other mechanisms.
- Better security: Because users can't remember 100 passwords, they often reuse passwords across websites. 50% of people use the same password for all accounts, and many people use only a few passwords for all their accounts [ref]. This means a compromised password at one website can impact many of their online accounts.
Business Benefits
- Increased usage & conversion rates: According to McKinsey, low friction authentication flows can increase overall usage by up to 20%. [ref] In our experience, we have seen users logging in with FIDO be 3-5 times more active than users logging in with a password.
- Lower support costs: As mentioned above, forgotten passwords cost a help desk $70 on average. By removing passwords, this cost goes away, which enables customer support representatives to provide more valuable support to customers.
- Reduced fraud: FIDO authentication is both phishing and man-in-the-middle resistant. On top of the fraud that follows from breaches, 80% of which are due to passwords, companies also face significant losses from account takeover fraud. FIDO has the potential to eliminate all authentication-related fraud.
How does FIDO work?
FIDO authentication is typically the same process a user goes through to unlock their device. That could be Face ID on an iPhone, scanning a fingerprint on an Android device, or even entering a PIN through Windows Hello. One advantage of FIDO is that customers are already familiar with the user experience.
From a technical perspective, the FIDO protocols use standard public key cryptography techniques. At the time of registration, the user's device creates a new public/private key pair. The private key stays on the device, and the public key is signed using an attestation certificate and registered with the online service. This attestation certificate is built into the device at manufacturing time and is specific to a device model (e.g. all iPhone XS Max devices in a given manufacturing run have the same certificate). The FIDO credential registration process is frequently referred to as "attestation."
Once registered, a user can then use the credential to log in. When the client application asks to authenticate a user, the server creates a challenge, which the authenticator signs with the private key of the key pair previously registered for that service. The FIDO authentication process is frequently referred to as "assertion."
*Image from the FIDO Alliance*
Key elements of FIDO
- Highly Secure: The FIDO protocols are both phishing and man-in-the-middle resistant, significantly reducing the risk of account takeover fraud. Because unique credentials are created for every {website, authenticator} pairing, potential compromise at one website can’t impact other websites, unlike passwords that are frequently reused.
- Two-Factor Authentication: While FIDO seems like a simple single user action, it does constitute two-factor authentication. The user action (e.g. scanning biometrics, entering a PIN) is the first factor (inherence or knowledge), while the assertion, which can only be produced with the private key held on the device, is the second factor (possession).
- On-device biometrics: While biometrics are not always required, they are frequently involved in the FIDO protocols. A critical element of the FIDO protocols is that no biometrics are stored server side; only the public key is stored. Server-side biometrics pose many risks, as users are unable to change their biometrics if they get compromised. FIDO resolves the many issues of server-side biometric authentication, but it also means the biometrics themselves cannot be used in any situation other than on-device verification and assertion.
- Domain bound credentials: The credential that is registered is also bound to a given domain. This means if you register a FIDO credential on loginid.io, you would not be able to use that same credential on loginid-example.io.
Get Started
Go to our documentation to implement FIDO today!