FIDO2 is an abbreviation for Fast Identity Online; it is designed to solve the world’s password problem. Today, the primary method for logging into a website or app is a password, but passwords are a weak point when it comes to fraud prevention. Besides being a major vulnerability for businesses, passwords are also an inconvenience for customers.
More than eighty percent of data breaches (average loss of $3.9M) can be directly tied to passwords, and resetting a password through a help desk costs about $70 on average. The password problem also hurts conversion rates: online merchants can expect cart abandonment of about 30% caused by lost passwords.
The FIDO Alliance created the FIDO2 protocols with privacy as a chief concern. The protocols ensure that no personally identifiable information can be used by a third party to follow a user across multiple services. Any biometric information provided remains securely on the end user’s device and never leaves it.
What makes a standard like FIDO2 particularly effective is that we see broad cooperation and adoption across the entire industry from the ground up.
The FIDO2 standard has been adopted from chip makers, like Intel, to device manufacturers, like Apple and Android, all the way up to the web browser level. While few companies have implemented FIDO2 authentication so far, more than 4 Billion FIDO2-capable devices are in active use globally, and implementations are growing.
Any Android device running OS version 7 or higher and any device running Windows 10 already has a built-in FIDO2-compliant solution. FIDO2 is compatible with all of the most popular operating systems and web browsers, so end users do not have to download additional authentication apps or purchase hardware to use FIDO2.
FIDO2 End User Benefits
No More Passwords: Most consumers have about 100 passwords to remember for their online accounts. By implementing FIDO2 passwordless authentication, websites and apps can cut out passwords altogether.
Convenient and Familiar Experience: FIDO2 typically uses the native biometric authentication mechanism the end user already uses to unlock their device (Touch ID or face scan).
Improved Security and Fraud Prevention: It’s next to impossible for anyone to remember 100 different passwords for 100 different sites, so nearly everyone recycles passwords. Half of all consumers use the same password across all their accounts and many only use a few. A compromised password on one account can lead to a breach of all accounts.
FIDO2’s Business Benefits
Improved Conversion and Usage: A recent McKinsey survey found that convenient passwordless authentication flows can lead to a 20% increase in overall usage. Users who authenticate with FIDO2 show 3-5x more activity than users who log in with a password.
Reduced Support Costs: As previously mentioned in this article, each lost password costs a help desk about $70 to resolve. By instituting FIDO2 passwordless authentication, this cost disappears and frees up customer support representatives to address more critical issues.
Enhanced Fraud Prevention: FIDO2 passwordless authentication is a powerful fraud prevention tool that stops both phishing and man-in-the-middle attacks. On top of the fraud resulting from breaches (caused mostly by passwords), account takeover fraud is also having a significant financial impact on companies. By implementing FIDO2, companies can potentially eliminate all authentication-related fraud.
How Does FIDO2 Work?
FIDO2 passwordless authentication generally follows the same process the user already goes through to unlock their device. The biometric varies by device: Face ID on iPhone, or Android’s fingerprint scanner. With Windows Hello, a non-biometric PIN is used. So when it comes to FIDO2 passwordless authentication, consumers are already familiar with the process.
FIDO2 uses standard public-key cryptography. A public/private key pair is created on the end user’s device at the time of registration. The private key remains in the secure area of the end user’s device and never leaves it; on an iPhone, this is the Secure Enclave.
The public key is registered with the online service and is signed with an attestation certificate. This attestation certificate is unique to the device and model and is built into the device when it is manufactured. FIDO2 credential registration is often called “attestation”.
After registration, the credential is used to log in. First, the end user’s application asks to authenticate the user; the server then issues a challenge, which the authenticator signs with the private key of the pair created during registration. FIDO2 authentication is often called “assertion”.
Powerful Fraud Prevention Measures: The FIDO2 protocols provide a powerful tool for fraud prevention, specifically against phishing and man-in-the-middle attacks as well as nearly eliminating the risk of account takeovers. With FIDO2 passwordless authentication, at registration, unique credentials are created for every site. This means that a compromise at one website will not have a cascading effect on other websites.
Multifactor Authentication: FIDO2 passwordless authentication may look like a single authentication action, but it in fact combines two authentication factors. The first factor is the user action, usually a biometric scan or entering a PIN. The second factor is the assertion, produced with the private key that is stored securely on the end user’s device.
Device Bound Biometrics: While biometrics are not a requirement of the FIDO2 passwordless authentication protocols, they are common practice. With FIDO2, biometrics are never stored on the server side. The server holds only the public key, which does not need to be kept secret. Storing biometrics on the server side is bad practice and risky, because the end user cannot change their biometrics if they are compromised.
FIDO2 not only fixes the numerous problems around server-side biometric authentication, but also ensures that the biometrics are only used for on device verification and assertion.
Unique Domain Credentials: With FIDO2 passwordless authentication, when registering with a particular domain, the credential that is registered is bound to that domain alone. This means if you register a FIDO credential on loginid.io, you would not be able to use that same credential on loginid-example.io.
LoginID offers a FIDO2-certified passwordless authentication solution that can be easily integrated, with just a few lines of code, into any website or app. Created with developers and enterprises in mind, LoginID adheres to PSD2 regulations and can enhance your site’s fraud prevention methods with strong customer authentication.
Integrate FIDO2-certified passwordless authentication into your site. Click here for documentation on LoginID’s SDKs and APIs