What is FIDO?
The FIDO (“Fast IDentity Online”) Alliance is an industry association formed in 2012 to reduce the world’s reliance on passwords. Traditional password-based authentication is vulnerable to attack, inconvenient, risks privacy, and is often difficult to scale. The Alliance overcomes these challenges by developing standards that enable authentication that is scalable and interoperable across devices, websites, and platforms.
LoginID - a committed FIDO Alliance member
LoginID joined the FIDO Alliance in 2019. We are committed to FIDO standards because they present the best way for developers and enterprises to give their customers simple, secure, and passwordless authentication globally. FIDO empowers end-users with control over their personal data - this in turn drives the success of enterprises by improving conversion, trust, and user experience. We are FIDO2 and UAF-certified, in line with FIDO’s latest specifications.
FIDO2 – the Latest FIDO Specifications
Traditional password-based authentication is vulnerable to attack, inconvenient, risks privacy, and is often difficult to scale. FIDO2 addresses these weaknesses through standards that ensure:
the risks of phishing, password theft and replay attacks are eliminated because login credentials are cryptographic, unique across websites, never stored on a server, and do not leave the user’s device.
user behaviour cannot be tracked across sites and biometric data does not leave the user’s device.
Convenience & choice:
consumers use whichever device they prefer, authenticating through their device’s built-in fingerprint readers or cameras, or with easy-to-use security keys.
WebAuthn - A Secure Global Standard for Web Authentication
In 2019, the World Wide Web Consortium (W3C) and the FIDO Alliance developed the web standard for web authentication (WebAuthn). WebAuthn, a core component of the FIDO2 specifications, makes passwords and phishing a thing of the past by authenticating through ‘something a user is’. The standard is supported across all major browsers and platforms, providing companies with an unrivaled opportunity to optimize security while adapting to consumer preferences - LoginID enables its customers to leverage that advantage.
FIDO - the Security Benefits
FIDO facilitates a digital signature scheme that uses identity credentials that are hardware-based and protected against both phishing and man-in-the-middle attacks. Credentials are: protected by strong cryptography, unique across websites, never stored on a server, and do not leave the user’s device.
Single Security Policy Across All Platforms
The FIDO protocol consists of a series of interoperable technical standards that facilitate secure and user-friendly authentication using biometrics, second-factor, and multi-factor methods. As a certified FIDO2/UAF platform, LoginID applies a rule-based approach to allow our clients to configure for various use cases using a single security policy.
Government Validation and Involvement
FIDO standards have been developed with the active participation of government agencies around the world, including, in the U.S., the National Institute of Standards and Technology (NIST), a FIDO Alliance member since 2015. NIST’s expertise has been crucial for ensuring that FIDO authentication standards achieve best-in-class security. As a result, FIDO enables companies to attain the highest level of authentication assurance set out in NIST’s official ‘Digital Identity Guidelines’, and to obtain the peace of mind that comes with that official validation.
FIDO - the Compliance Benefits
Privacy and security are among the core ideas that underpin FIDO’s mission to end the reliance on passwords. This means that there is a natural synergy between FIDO standards and regulatory rules that are intended to protect privacy and ensure security.
Two of the most far-reaching pieces of legislation in this area have come from the EU: the General Data Protection Regulation (GDPR) and the Revised Payment Services Directive (PSD2). The GDPR is a law that protects data of any individual that resides in the EU, irrespective of the location of the service provider, while the PSD2 governs electronic payments into and out of the EU.
The incorporation of FIDO-based authentication facilitates companies’ compliance with these laws in a number of ways.
How FIDO Supports GDPR Compliance
Data protection safeguards:
the GDPR requires firms to put in place safeguards to protect personal information. Strong, multi-factor authentication is crucial to that end, because it reduces the risk of weak or stolen passwords, which are a key vulnerability that drive the vast majority of breaches. However, many forms of MFA are still exposed to phishing and malware. By contrast, FIDO makes use of public key cryptography, which enables cutting-edge ‘high assurance authentication’, which has the most effective safeguards.
User rights management:
the law gives individuals the right to change, delete, view, and move their data, and, in many cases, requires firms to demonstrate that they have obtained users’ explicit consent to collect their data. This can only be done securely if the identity of the requestor has been authenticated effectively. FIDO-enabled authentication provides the most accurate, effective means of achieving that.
a key requirement of the GDPR is that companies design new products with privacy in mind. In addition, certain information, such as biometrics, is considered particularly sensitive. FIDO has adopted a privacy-by-design approach, which is reflected in the requirement that biometrics never leave the user’s device.
How FIDO Supports PSD2 Compliance
Strong Customer Authentication:
the PSD2 requires that users be authenticated using a mix of at least two elements that relate to possession (something you own), inherence (something you are) and/or knowledge (‘something you know’). FIDO authentication is inherently a 2-factor authentication method that is explicitly PSD2 compliant.
in order to comply with the PSD2, companies must mitigate the risk that any of the elements used for authentication are accessed by unauthorized parties. FIDO ensures that the elements reside in the authenticating device – even if the device is stolen, that information cannot be read, copied or transferred, and the user cannot authenticate unless they have the necessary inherent features (e.g. biometrics) or knowledge.
the PSD2 mandates that payment services must have a secure mechanism that allows users to review and confirm the transaction. FIDO supports this through a mechanism by which the details of the transaction and a confirmation request are sent to the user, who in turn authorizes payment – e.g. by scanning a fingerprint.