Seven years ago a handful of companies including Lenovo and PayPal formed an association to develop open authentication standards to accelerate the use of biometric factors so users don’t have to remember passwords.
This week Apple became the latest big-name vendor — and perhaps the last of the biggest vendors — to join the FIDO (Fast IDentity Online) Alliance.
Other giant manufacturers and service providers including Amazon, Visa, Google, IBM, Microsoft, Intel, Samsung and a number of banks are already members, enabling them to craft solutions for people to log into devices, web pages and applications with fingerprints, facial recognition, voice and security keys.
Apple has its own fingerprint and face scan technology, but with Apple endorsing FIDO's standards, security experts hope the move to passwordless authentication will accelerate.
“With Apple joining it puts us on a direct path to realizing a passwordless world,” Gartner analyst David Mahdi said in an interview.
“If you were on the fence [as an application developer] of adopting these protocols or becoming a member of FIDO, now there’s way too much critical mass for you to say no,” he added. “Apple would be the final push to say this is a legit protocol we can now agree on.”
FIDO is like Bluetooth for authentication, said Mahdi, referring to the ease of connecting devices through the ubiquitous short-range wireless standard. Software developers can use a common set of application programming interfaces (APIs) for authentication regardless of the device it connects to.
It’s badly needed. FIDO argues weak, re-used and stolen passwords are the root cause of over 80 per cent of data breaches. Users have too many passwords to remember, and not enough use password managers. Besides the cost of a breach, the alliance estimates that each password reset costs an organization an average of US$70 in help desk labour. In addition, it says, one-third of online purchases are abandoned due to forgotten passwords.
FIDO protocols, now on version 2, use public-key cryptography. FIDO2 is supported by the Google Chrome, Mozilla Firefox and Microsoft Edge browsers. FIDO support for Apple’s Safari browser is in preview. Android versions 7 and up support FIDO2, as does Windows Hello, Microsoft’s biometric technology for Windows 10. WebAuthn, the web API portion of FIDO2, became an official World Wide Web Consortium (W3C) web standard last year.
Meanwhile, last summer the alliance began work on finding a way to add identity verification for Internet of Things devices.
Briefly, here’s how FIDO works: During registration with an online service, the user’s client device creates a new public key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button. If biometrics are used, the data never leaves the device.
In its latest annual report the alliance said much progress was made in 2019:
Companies joining the alliance as sponsor members in 2019 included AdNovum Informatik AG, FIME SAS, the government of Thailand, IBM, IDNow GmbH, Imagination Technologies, Intuit, Jumio Corp., the Mitre Corp., Phoenix Technologies Ltd., Ping Identity, and Secure Identity.
(This story has been updated with comments from Gartner’s David Mahdi.)