The FIDO (“Fast IDentity Online”) Alliance is an industry
association formed in 2012 to reduce the world’s reliance on
passwords. Traditional password-based authentication is vulnerable
to attack, inconvenient, risks privacy, and is often difficult to
scale. The Alliance overcomes these challenges by developing
standards that enable authentication that is scalable and
interoperable across devices, websites, and platforms.
LoginID - a committed FIDO Alliance member
LoginID joined the FIDO Alliance in 2019. We are committed to FIDO
standards because they present the best way for developers and
enterprises to give their customers simple, secure, and passwordless
authentication globally. FIDO empowers end-users with control over
their personal data - this in turn drives the success of enterprises
by improving conversion, trust, and user experience. We are FIDO2
and UAF-certified, in line with FIDO’s latest specifications.
FIDO2 – the Latest FIDO Specifications
FIDO2 addresses the weaknesses of password-based authentication
through standards that ensure:
Security: phishing, password theft and replay attacks are
defeated because the credential is a per-site public/private key
pair rather than a shared secret: the private key never leaves the
user's authenticator, the server stores only the public key (so a
server breach yields nothing reusable), each login signs a fresh
server-issued challenge, and the browser binds the signature to the
site's origin so a look-alike domain cannot use it.
Privacy: user behaviour cannot be tracked across sites
and biometric data does not leave the user’s device.
Convenience & choice:
consumers use whichever device they prefer, authenticating through
their device’s built-in fingerprint readers or cameras, or with
easy-to-use security keys.
Scalability:
a call to the browser's WebAuthn JavaScript API
(navigator.credentials.create() to register a credential,
navigator.credentials.get() to log in) allows developers to deploy
FIDO authentication that is supported by billions of devices across
browsers and platforms.
WebAuthn - A Secure Global Standard for Web Authentication
WebAuthn, the web standard for web authentication, was developed by
the World Wide Web Consortium (W3C) together with the FIDO Alliance
and published as a W3C Recommendation in 2019. It is the browser API
half of the FIDO2 specifications (the authenticator half is CTAP),
and it replaces the password with a signature from a private key
held by the user's authenticator ('something you have'), optionally
gated by a local biometric or PIN ('something you are' or 'something
you know') that never leaves the device; because the browser binds
each signature to the site's origin, the login is phishing-resistant.
The standard is supported across all major browsers and platforms,
providing companies with an unrivaled opportunity to optimize
security while adapting to consumer preferences - LoginID enables its
customers to leverage that advantage.
FIDO - the Security Benefits
Secure Authentication
FIDO authentication is a challenge-response digital signature
scheme. The credential is a public/private key pair held by an
authenticator (a security key, or a platform authenticator backed by
the device's protected hardware where available), and because the
browser binds every signature to the site's origin the scheme
resists both phishing and man-in-the-middle attacks. Credentials
are: protected by strong cryptography, unique across websites, and
held as a private key that is never stored on a server and never
leaves the user's authenticator.
Single Security Policy Across All Platforms
The FIDO protocol consists of a series of interoperable technical
standards that facilitate secure and user-friendly authentication
using biometrics, second-factor, and multi-factor methods. As a
certified FIDO2/UAF platform, LoginID applies a rule-based approach
to allow our clients to configure for various use cases using a
single security policy.
Government Validation and Involvement
FIDO standards have been developed with the active participation of
government agencies around the world, including, in the U.S., the
National Institute of Standards and Technology (NIST), a FIDO
Alliance member since 2015. NIST's expertise has been crucial for
ensuring that FIDO authentication standards achieve best-in-class
security. As a result, FIDO authentication can meet the
authentication assurance levels set out in NIST's official 'Digital
Identity Guidelines' (SP 800-63B): AAL2 with a platform authenticator
that requires user verification, and AAL3, the highest level, with a
hardware-based FIDO authenticator such as a certified security key
used with a PIN or biometric, giving companies the peace of mind that
comes with that official validation.
FIDO - the Compliance Benefits
Privacy and security are among the core ideas that underpin FIDO’s
mission to end the reliance on passwords. This means that there is a
natural synergy between FIDO standards and regulatory rules that are
intended to protect privacy and ensure security.
Two of the most far-reaching pieces of legislation in this area have
come from the EU: the General Data Protection Regulation (GDPR) and
the Revised Payment Services Directive (PSD2). The GDPR is a law
that protects data of any individual that resides in the EU,
irrespective of the location of the service provider, while the PSD2
governs electronic payments into and out of the EU.
The incorporation of FIDO-based authentication facilitates
companies’ compliance with these laws in a number of ways.
How FIDO Supports GDPR Compliance
Data protection safeguards:
the GDPR requires firms to put in place safeguards to protect
personal information. Strong, multi-factor authentication is crucial
to that end, because it reduces the risk from weak or stolen
passwords, a key vulnerability behind the majority of breaches.
However, many forms of MFA (SMS codes, one-time passcodes, push
approvals) are still exposed to phishing and malware, because they
still rely on a secret the user can be tricked into handing over. By
contrast, FIDO makes use of public key cryptography with the private
key held on the user's device and each signature bound to the site's
origin, so there is no shared secret for those attacks to steal; this
is the basis of 'high assurance authentication'.
User rights management:
the law gives individuals the right to change, delete, view, and
move their data, and, in many cases, requires firms to demonstrate
that they have obtained users’ explicit consent to collect their
data. This can only be done securely if the identity of the
requestor has been authenticated effectively. FIDO-enabled
authentication provides a strong, phishing-resistant means of
achieving that.
Privacy-by-design:
a key requirement of the GDPR is that companies design new products
with privacy in mind. In addition, certain information, such as
biometrics, is considered particularly sensitive. FIDO has adopted a
privacy-by-design approach, which is reflected in the requirement
that biometric data is matched and stored only on the user's device
and never sent to the server.
How FIDO Supports PSD2 Compliance
Strong Customer Authentication:
the PSD2 requires that users be authenticated using a mix of at
least two elements that relate to possession (something you own),
inherence (something you are) and/or knowledge (something you
know). A FIDO login that requires user verification combines two
such elements: possession of the authenticator holding the private
key, and the local biometric (inherence) or PIN (knowledge) that
unlocks it. Deployments that intend to rely on FIDO for SCA should
therefore require user verification rather than user presence alone.
Security:
in order to comply with the PSD2, companies must mitigate the risk
that any of the elements used for authentication are accessed by
unauthorized parties. FIDO keeps the elements on the authenticating
device: the private key is generated and held there (on
hardware-backed authenticators, in a secure element or the
platform's protected hardware, where it is non-exportable), and it
signs only after the local biometric or PIN check succeeds, so a
stolen device alone cannot be used to authenticate.
Transaction Confirmation:
the PSD2 mandates that payment services must have a secure mechanism
that allows users to review and confirm the transaction. FIDO UAF
defines a transaction confirmation mechanism for this: the details
of the transaction are displayed to the user, and the user's approval
(e.g. by scanning a fingerprint) produces a signature over those
details, so a transaction altered in transit cannot be approved
unnoticed. WebAuthn does not itself define transaction confirmation;
one common approach there is for the server to derive the challenge
from the transaction details it shows the user, so that the signed
assertion is bound to that specific transaction.