The FIDO (“Fast IDentity Online”) Alliance is an industry
association formed in 2012 to reduce the world’s reliance on
passwords. Traditional password-based authentication is vulnerable
to attack, inconvenient, risks privacy, and is often difficult to
scale. The Alliance overcomes these challenges by developing
standards that enable authentication that is scalable and
interoperable across devices, websites, and platforms.
LoginID - a committed FIDO Alliance member
LoginID joined the FIDO Alliance in 2019. We are committed to FIDO
standards because they present the best way for developers and
enterprises to give their customers simple, secure, and
passwordless authentication globally. FIDO empowers end-users with
control over their personal data - this in turn drives the success
of enterprises by improving conversion, trust, and user
experience. We are FIDO2 and UAF-certified, in line with FIDO’s
FIDO2 – the Latest FIDO Specifications
FIDO2 addresses the weaknesses of password-based authentication
described above (vulnerability to attack, inconvenience, privacy
risk, and difficulty of scaling) through standards that ensure:
Security: the risks of phishing, password theft and replay
attacks are eliminated because login credentials are
cryptographic, unique across websites, never stored on a
server, and do not leave the user’s device.
Privacy: user behaviour cannot be tracked across sites and
biometric data does not leave the user’s device.
Convenience & choice: consumers use whichever device they
prefer, authenticating through their device’s built-in
fingerprint readers or cameras, or with easy-to-use security
deploy FIDO authentication that is supported by billions of
devices across browsers and platforms.
WebAuthn - A Secure Global Standard for Web Authentication
In 2019, the World Wide Web Consortium (W3C) and the FIDO Alliance
developed the web standard for web authentication (WebAuthn).
WebAuthn, a core component of the FIDO2 specifications, makes
passwords and phishing a thing of the past by authenticating
through ‘something a user is’. The standard is supported across
all major browsers and platforms, providing companies with an
unrivaled opportunity to optimize security while adapting to
consumer preferences - LoginID enables its customers to leverage
FIDO - the Security Benefits
FIDO facilitates a digital signature scheme that uses identity
credentials that are hardware-based and protected against both
phishing and man-in-the-middle attacks. Credentials are: protected
by strong cryptography, unique across websites, never stored on a
server, and do not leave the user’s device.
Single Security Policy Across All Platforms
The FIDO protocol consists of a series of interoperable technical
standards that facilitate secure and user-friendly authentication
using biometrics, second-factor, and multi-factor methods. As a
certified FIDO2/UAF platform, LoginID applies a rule-based
approach to allow our clients to configure for various use cases
using a single security policy.
Government Validation and Involvement
FIDO standards have been developed with the active participation
of government agencies around the world, including, in the U.S.,
the National Institute of Standards and Technology (NIST), a FIDO
Alliance member since 2015. NIST’s expertise has been crucial for
ensuring that FIDO authentication standards achieve best-in-class
security. As a result, FIDO enables companies to attain the
highest level of authentication assurance set out in NIST’s
official ‘Digital Identity Guidelines’, and to obtain the peace of
mind that comes with that official validation.
FIDO - the Compliance Benefits
Privacy and security are among the core ideas that underpin FIDO’s
mission to end the reliance on passwords. This means that there is
a natural synergy between FIDO standards and regulatory rules that
are intended to protect privacy and ensure security.
Two of the most far-reaching pieces of legislation in this area
have come from the EU: the General Data Protection Regulation
(GDPR) and the Revised Payment Services Directive (PSD2). The GDPR
is a law that protects data of any individual that resides in the
EU, irrespective of the location of the service provider, while
the PSD2 governs electronic payments into and out of the EU.
The incorporation of FIDO-based authentication facilitates
companies’ compliance with these laws in a number of ways.
How FIDO Supports GDPR Compliance
Data protection safeguards: the GDPR requires firms to put in
place safeguards to protect personal information. Strong,
multi-factor authentication is crucial to that end, because it
reduces the risk of weak or stolen passwords, a key
vulnerability that drives the vast majority of breaches.
However, many forms of MFA are still exposed to phishing and
malware. By contrast, FIDO uses public key cryptography,
enabling ‘high assurance authentication’ with the most
effective safeguards.
User rights management: the law gives individuals the right to
change, delete, view, and move their data, and, in many cases,
requires firms to demonstrate that they have obtained users’
explicit consent to collect their data. This can only be done
securely if the identity of the requestor has been
authenticated effectively. FIDO-enabled authentication
provides the most accurate, effective means of achieving that.
Privacy-by-design: a key requirement of the GDPR is that
companies design new products with privacy in mind. In
addition, certain information, such as biometrics, is
considered particularly sensitive. FIDO has adopted a
privacy-by-design approach, which is reflected in the
requirement that biometrics never leave the user’s device.
How FIDO Supports PSD2 Compliance
Strong Customer Authentication: the PSD2 requires that users
be authenticated using a mix of at least two elements that
relate to possession (‘something you own’), inherence
(‘something you are’) and/or knowledge (‘something you know’).
FIDO authentication is inherently a 2-factor authentication
method that is explicitly PSD2 compliant.
Security: in order to comply with the PSD2, companies must
mitigate the risk that any of the elements used for
authentication are accessed by unauthorized parties. FIDO
ensures that the elements reside in the authenticating device
– even if the device is stolen, that information cannot be
read, copied or transferred, and the user cannot authenticate
unless they have the necessary inherent features (e.g.
biometrics) or knowledge.
Transaction Confirmation: the PSD2 mandates that payment
services must have a secure mechanism that allows users to
review and confirm the transaction. FIDO supports this through
a mechanism by which the details of the transaction and a
confirmation request are sent to the user, who in turn
authorizes payment – e.g. by scanning a fingerprint.
Ready to get started with our FIDO compliant platform?