October 5, 2015 By David Strom 2 min read

The Fast Identity Online (FIDO) Alliance was founded in the summer of 2012 by several vendors, including PayPal and Lenovo, with the goal of bringing a series of technical specifications to the strong authentication market. These specifications go under the names Universal Authentication Framework (UAF) and Universal Second Factor (U2F). UAF itself is not a stronger authentication method; it specifies a software stack on which stronger methods can be built.

Up until now, using strong auth methods was a very fragmented area, with numerous methods employed by vendors in different spaces, such as software-as-a-service (SaaS) applications, directory-based tools for on-premises apps and federated identities. The big win is having a piece of modular plugin software that can handle local auth so that apps can leverage what is available on each user’s device.

What FIDO Standards Do

The FIDO standards attempt to solve this fragmentation by giving you the ability to use any authentication method supported by your local device. This unifies the different providers and enables secure access to many applications. What FIDO proposes is to use something that you already have in your possession, such as your fingerprint or phone, and digitize these assets in such a way that the information isn’t shared with any of the providers or application vendors.

This has a side benefit: Each player doesn’t have to keep track of the actual auth mechanics. This is one of the issues with single sign-on (SSO) federation: Typically, the SSO stores this information centrally. Think of it like how Google and Apple Wallets have made payments easier but keep your credit card accounts private. For example, this means if a retailer is breached, all the login credentials divulged won’t do anyone any good since the criminals won’t have — and, more importantly, wouldn’t be able to obtain — the additional auth information.

Before FIDO, when we wanted to log into multiple apps, we might have had to use many kinds of authentication mechanisms, such as one-time password tokens, smartphone apps and text message confirmations. That was a lot of effort just to benefit from the stronger authentication, and it often involved some custom programming, too. With FIDO, we still can use these multiple mechanisms. But if they’re FIDO-ready, apps can use authentication methods supported by the local device rather than having to code their own authentication routines to support the multiple methods themselves. That is a big step forward.
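The property described above (the app keeps only a public key, so a breached database yields nothing that can be replayed, and a response signed for one origin is useless to another) can be shown with a simplified model of a U2F-style challenge/response. This is an added example, not code from the FIDO Alliance or any vendor on this page; the `Authenticator`, `RelyingParty`, `Register`, `Sign` and `Login` names are hypothetical, and key handles, counters and attestation are left out.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator keeps one key pair per app ID; private keys never leave it.
type Authenticator map[string]*ecdsa.PrivateKey

// RelyingParty (the app) stores only public keys, so a breached user database yields nothing to log in with.
type RelyingParty struct {
	appID   string
	pubKeys map[string]*ecdsa.PublicKey // user -> registered public key
}

// digest binds the app ID into the signed bytes, so a signature for one origin is useless to a look-alike site.
func digest(appID string, challenge []byte) []byte {
	h := sha256.Sum256(append([]byte(appID+"|"), challenge...))
	return h[:]
}

// Register mints a key pair for appID and returns only the public half.
func (a Authenticator) Register(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // rand.Reader failing is not recoverable here
	}
	a[appID] = priv
	return &priv.PublicKey
}

// Sign answers a challenge with the key bound to appID; nil if no key exists for that origin.
func (a Authenticator) Sign(appID string, challenge []byte) []byte {
	if priv, ok := a[appID]; ok {
		sig, _ := ecdsa.SignASN1(rand.Reader, priv, digest(appID, challenge))
		return sig
	}
	return nil
}

// Login issues a fresh random challenge and verifies the signed reply against the user's registered public key.
func (rp *RelyingParty) Login(user string, auth Authenticator) bool {
	challenge := make([]byte, 32)
	rand.Read(challenge)
	pub, ok := rp.pubKeys[user]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.appID, challenge), auth.Sign(rp.appID, challenge))
}
```

A copy of `pubKeys` handed to a different `appID` (a stolen database on a look-alike site) fails `Login`, because the authenticator has no key bound to that origin and the digest it would sign differs anyway.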

How FIDO Authentication Helps

Since FIDO was founded, the organization has grown by leaps and bounds. There are now more than 100 members, among them major businesses such as Bank of America, Netflix, MasterCard and Microsoft, along with numerous security vendors. Samsung has built its latest Galaxy phones with fingerprint sensors that support FIDO protocols, as well. The group has published a series of draft standards that have also started being implemented by the security vendors, including the ability to use the Yubico USB touch-sensitive keys to authenticate to both Google Docs and Dropbox accounts. Interested individuals can find further explanations on how to set this up.

FIDO doesn’t solve every authentication issue. For example, you will have to use something other than the FIDO protocols to verify the identity of the person attached to that fingerprint and ensure he or she has been granted access to the given application. There are currently other vendors working on that solution. Despite the drawbacks, it represents a good start towards a more standardized approach to identity management.
