November 14, 2022

FIDO Authentication: All You Need To Know

Shane Bird

When we think of our mobile devices, we see a lifeline or “our lives” in our pockets, and with good reason. The world wide web was initially introduced in 1989, to serve universities and scientists with an information-sharing tool, but the introduction of the internet has since spiralled outward and being “online” has drastically affected our day-to-day and stimulated innovation for online living. Nowadays, we rise to the tune of an app, check in with friends and families through social media, and manage our finances, our careers and our schedules – so many facets that are intertwined with our existence can be accessed at the touch of a button. So, it’s no wonder then that we feel a sense of connection and a deep-rooted need to protect this device and the access it grants to our online lives.

This is something that developers are all too aware of, and need to dedicate resources to, to ensure that every website or mobile application that launches to market offers a secure and safe interactive environment. This translates to security protocols. And not just any standard of security; security that will withstand any form of cybercrime and ensure that users find the platform they are using trustworthy. Unfortunately, passwords simply aren’t enough anymore, so what is?

Here’s all you need to know about FIDO Authentication, the new gold standard in multi-factor authentication.

What is FIDO?

FIDO Authentication is an open-source library of protocols and standards that help web and app developers build safe and secure platforms that do not require password logins. The authenticator types FIDO supports include security keys, facial recognition, fingerprint and voice recognition. The FIDO Alliance, an NPO founded in 2012, found that approximately 80% of data breaches occur because of password logins. Armed with this and other research, the FIDO Alliance set out to address the insecurities surrounding password use and established a series of protocols to implement in place of password authentication when requesting login credentials from internet users.

What are FIDO Protocols?

Approximately 200 companies make up the membership group of FIDO Alliance, and together this group determined a set of standardised protocols for passwordless protection. These protocols offer several security improvements, including user authentication using digital signatures, hardware that generates and stores cryptographic keys, and biometrics. In this way, FIDO protocols preserve internet users’ privacy and offer increased security over traditional password methods.  

There are three protocols, namely:

Universal 2nd Factor (U2F)

This simple protocol is a two-factor authentication model that combines a second-factor authentication scheme with a password. It works by enabling internet users to access online services with a single security key that does not require drivers or client software.

Universal Authentication Framework (UAF)

This passwordless protocol is only applicable to mobile applications and works by registering a user’s device with online services through a local authentication mechanism. These mechanisms can be biometric or PIN-based (numerical and alphanumeric PINs and patterns are examples). UAF can also be used as a two-step process, much like U2F.

FIDO2 or WebAuthn

U2F and UAF were the first protocols drafted by the FIDO Alliance, and the group soon realised the necessity of a third protocol, one that would combine the two original models. Commonly referred to as FIDO2, this protocol is exposed to web applications through JavaScript, making it usable directly from the browser.

How does FIDO work?

FIDO protocols make use of standard public key cryptography techniques for stronger, more secure authentication services. There are two phases to these protocols, namely Registration and Authentication. Registration is the first phase and involves the user enrolling a security key for each website using an authenticator. Authentication is then the process of validating that user each time they want access to that site. We’ve simplified the processes below:

Steps for Registration:

This process only happens once per website.

1. User identification occurs through a unique username on the website in question.

2. The FIDO server then sends a challenge to the user.

3. In response to the challenge the user is validated, and the authenticator then generates a corresponding pair of cryptographic keys: one public and one private.

4. The public key is shared with the website along with digitally signed metadata and any other relevant content. The private key never leaves the user’s device.

Steps for Authentication:

This process happens each time the user returns to the website.

1. User identification occurs through a unique username on the website in question.

2. The FIDO server then sends a challenge to the user.

3. In response to the challenge the user is validated, and the authenticator then digitally signs the challenge and the accompanying metadata.

4. This response is shared with the website.

5. The website verifies this digital signature against the public key supplied during Registration and authenticates the user.

Why should you use FIDO?

While there are many authentication options on the market, FIDO Authentication is considered the first strong authentication technology to address problems that extend beyond security to ease of use and affordability. FIDO also takes account of what is commonplace in everyday internet use: the protocols cater for JavaScript in browsers, USB ports and devices, and Bluetooth Low Energy (BLE) and Near Field Communication (NFC) on mobile applications, to mention a few. FIDO also recognises that most users access the internet from their smartphones and that these encryption-capable devices are likely to be their authenticators, so purchasing dedicated authenticator hardware is not necessary. Another advantage of FIDO is that it can coexist with other authentication technologies for a transition period, provided the web application is programmed to route the user through the correct authentication process.

Not only is FIDO an affordable solution that is easy to use and integrates well with the devices we use every day, but it is also backed by the makers of the Microsoft Windows and Google Android platforms and of the Mozilla Firefox, Google Chrome and Microsoft Edge browsers.

The FIDO Alliance has worked to protect users’ privacy and to prioritise shared secret authentication. As the world continues to shift further toward digitalisation, our security and privacy become an ever higher priority. Each protocol drafted offers security solutions for a range of risks, devices and technologies, mitigating cybercrime and providing developers with what they need to build the best possible websites and mobile applications that users can trust.

Have any other questions about FIDO Authentication, or want to learn how these protocols can be incorporated into your product design? Chat to our development team, here.
