What is FIDO (Fast Identity Online) authentication?

Authors

Gregg Lindemulder

Staff Writer

IBM Think

Matthew Kosinski

Staff Editor

IBM Think

FIDO (Fast Identity Online) authentication is a set of open standards for passwordless authentication for websites, applications and online services. FIDO authentication replaces traditional passwords with cryptographic keys called “passkeys,” which are more secure.

Passkeys are stored on a user’s device, such as a smartphone. They enable the user to log in to a website or application through the same methods they use to unlock their device, such as facial recognition, fingerprint scanning or entering a PIN.

The IBM X-Force Threat Intelligence Index reports that credential theft is the most common impact faced by victims of breaches. Threat actors use phishing attacks and infostealing malware to harvest these credentials, which they can sell on the dark web or use to expand their reach in a network. Nearly a third of cyberattacks involve the hijacking of valid user accounts.

FIDO authentication helps minimize the cybersecurity threats posed by credential theft and account hijacking. Passkeys cannot be stolen as easily as passwords. To break into a passkey-secured account, an attacker must gain access to the user’s device and successfully enter their PIN or bypass biometric security.

What is the FIDO Alliance?

The FIDO Alliance is a consortium of government agencies, businesses and tech companies including IBM, Apple, Amazon, Microsoft, PayPal and many others. The group develops and maintains FIDO authentication standards with the goal of reducing reliance on passwords.

The FIDO Alliance released the first FIDO protocol, FIDO 1.0, in 2014. The latest protocol, FIDO2, was developed in cooperation with the World Wide Web Consortium and released in 2018.

Today, millions of people use FIDO authentication to log in to websites and applications. The FIDO2 protocol is supported by leading web browsers, single sign-on (SSO) systems, identity and access management (IAM) solutions, web servers and operating systems including iOS, macOS, Android and Windows.

How does FIDO authentication work?

FIDO authentication uses public key cryptography (PKC) to generate a unique cryptographic key pair associated with a user’s account. This key pair, called a “passkey,” consists of a public key that stays with the service provider and a private key that resides on the user’s device.

When the user logs in to their account, the service provider sends a challenge—typically a random string of characters—to the user’s device. The device prompts the user to authenticate themselves through a PIN or biometric authentication.

If the user successfully authenticates, the device uses the private key to sign the challenge and sends the signed challenge back to the service provider. The service provider uses the public key to verify that the right private key was used and—if so—grants the user access to their account.

A passkey stored on one device can be used to log in to a service on another device. For example, if a user sets up a passkey for their email account on their mobile device, they can still log in to that account on a laptop. The user would complete the authentication challenge on the registered mobile device.

FIDO also supports the use of security keys, also called “hardware tokens,” as an authentication method. FIDO security keys are small, dedicated physical devices that can create key pairs and sign challenges. They connect to other devices through Bluetooth, near-field communication (NFC) protocols or a USB port. A FIDO security key can take the place of biometric data or a PIN in the authentication process: possession of the key authenticates the user.

Because the private key is stored on—and never leaves—the user’s device, the possibility of a security breach is minimized. Hackers cannot steal it by breaking into a database or intercepting communications. The public key that resides with the service provider contains no sensitive information and is of little use to hackers.

Example: Using FIDO authentication on an email account

To set up FIDO authentication on an email account, a user might follow these steps:

  1. In the account settings, the user selects “passkey” as an authentication method.

  2. The user selects the device on which they want to create the passkey. Most systems default to creating a passkey on the device currently in use, but users often have the option of selecting a different device they own.
      
  3. The selected device asks the user to authenticate through biometrics or a PIN.

  4. The user’s device creates a cryptographic key pair. The public key is sent to the email provider, and the private key is stored on the device.

  5. The next time the user logs in, the email provider sends a challenge to the user’s device.

  6. The user answers the challenge by authenticating with biometrics or a PIN.

  7. The device returns the signed challenge to the email provider, which uses the public key to verify it.

  8. The user is granted access to the email account.
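The registration and login steps above, as an added Go example that is not part of the IBM article: a simulated authenticator (the user's device) and a simulated email provider (the relying party) built on the standard library's ECDSA. The type names, the origin strings and the challenge values are constructed for illustration; the provider checks the challenge it issued and its own origin, as recorded by the browser in the client data, before it verifies the signature, which is the mechanism behind the phishing resistance the article describes below.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
)

// Authenticator models the user's device; the private key is created here and never leaves it.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// RelyingParty models the email provider; it stores only the account's public key.
type RelyingParty struct {
	Origin string // the provider's own web origin, as the browser would report it
	pub    *ecdsa.PublicKey
}
// clientData mirrors WebAuthn's clientDataJSON: the browser records the challenge and the
// origin that asked for the signature, so an assertion made on a look-alike site fails.
type clientData struct {
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}
// Register is steps 3-4: the device makes a P-256 key pair and hands the provider only the public half.
func Register(rp *RelyingParty) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	rp.pub = &priv.PublicKey
	return &Authenticator{priv: priv}, nil
}
// Sign is steps 6-7: after the local PIN/biometric check (assumed passed), the device signs
// SHA-256(clientDataJSON) and returns both so the provider can inspect the fields.
func (a *Authenticator) Sign(challenge, origin string) (cd, sig []byte, err error) {
	cd, _ = json.Marshal(clientData{Challenge: challenge, Origin: origin}) // plain struct, cannot fail
	h := sha256.Sum256(cd)
	sig, err = ecdsa.SignASN1(rand.Reader, a.priv, h[:])
	return cd, sig, err
}
// Verify is the provider's half of step 7: the single-use challenge from step 5 and its own
// origin must match before the signature is checked; any mismatch denies access.
func (rp *RelyingParty) Verify(expected string, cd, sig []byte) bool {
	var p clientData
	if json.Unmarshal(cd, &p) != nil || p.Challenge != expected || p.Origin != rp.Origin {
		return false
	}
	h := sha256.Sum256(cd)
	return ecdsa.VerifyASN1(rp.pub, h[:], sig)
}
```

In a real deployment the provider generates a fresh random challenge per login attempt and discards it once used; a stored assertion therefore cannot be replayed against a later challenge.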

Types of passkeys

FIDO supports two types of passkeys: synced passkeys and device-bound passkeys.

Synced passkeys

Synced passkeys can be used across multiple devices, making them more convenient. Credential managers such as Apple Passwords, Windows Hello and Google Password Manager can store synced passkeys and make them available to users on any device.

For example, a user might register for a passkey on a smartphone to access a banking application. That same passkey is available through the credential manager when the user logs in to the banking application with their laptop or tablet device.

Device-bound passkeys

This type of passkey is bound to a single device, offering the highest level of security.

Device-bound passkeys are typically accessed with a physical security key connected to one particular device. The passkey cannot leave the device, so it is less vulnerable to unauthorized access.

Device-bound passkeys are often used to access highly sensitive information such as financial data, corporate intellectual property or confidential government materials.

FIDO protocols

FIDO protocols have evolved and improved since the introduction of FIDO 1.0 in 2014. Functionality from the protocols introduced in FIDO 1.0 is incorporated into the newer protocols of FIDO2 authentication.

FIDO 1.0 protocols

Universal Authentication Framework (UAF)

FIDO UAF was among the first protocols developed by the FIDO Alliance. It provides the capability to log in to a service without using a password. With UAF, a user can authenticate directly from a device by using biometric data such as facial recognition, or a PIN.

Universal 2nd Factor (U2F)

U2F was developed to provide two-factor authentication (2FA) for systems that rely on usernames and passwords. 2FA methods require a second factor for users to confirm their identities. U2F uses a physical security key as the second factor.

After the release of FIDO2, U2F was renamed “CTAP1.”

FIDO2 protocols

FIDO2 introduced two new protocols that expand the reach and capabilities of the earlier protocols.

Web Authentication (WebAuthn)

WebAuthn improves on the capabilities of UAF by providing a web application programming interface (web API) that makes passwordless authentication available to relying parties. “Relying parties” is the term for websites and web apps that use FIDO authentication.

In addition to the API, WebAuthn also provides FIDO standards that define how interactions should flow between the web application, the web browser and an authenticator such as a security key.

Client to Authenticator Protocol (CTAP2)

CTAP2 defines how a FIDO client such as a web browser or operating system communicates with an authenticator. An authenticator is the component that verifies a user’s identity.

In U2F (or CTAP1), the authenticator was always a security key. CTAP2 adds support for additional authenticators that reside on a user’s device, such as voice and facial recognition, fingerprints or a PIN.

Benefits of FIDO authentication

Improved security

Stolen passwords are one of the most common cyberattack vectors. FIDO offers a passwordless authentication solution that mitigates this threat.

Hackers cannot steal passkeys through the usual means. For example, passkeys are phishing-resistant, because users never share their private keys directly with services. User authentication takes place primarily on the user’s device. Even if an online service suffers a data breach, the passkey remains inaccessible.

FIDO also removes the need for one-time passcodes (OTPs), which hackers can intercept or spoof. The FIDO passkey remains protected on the user’s device without exposure to external systems.

FIDO supports multifactor authentication (MFA), which requires that users present two or more factors to verify their identities. For example, to access an account protected by a device-bound passkey, a user needs two factors—their device and biometric data or a PIN—to unlock the passkey and sign a challenge. 

Regulatory compliance

FIDO standards can help some organizations comply with data privacy and protection regulations such as the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS) and the California Consumer Privacy Act (CCPA).

Specifically, FIDO makes it harder for unauthorized users to hijack valid accounts, which in turn means it is less likely that unauthorized users will access sensitive data.

Interoperability

FIDO is an open standard that is compatible with nearly every major web browser, platform, server, application and device. It provides a strong authentication mechanism that many organizations and online services can implement.

Convenient user experience

Many consider FIDO to be more user-friendly than other authentication solutions. Users do not have to remember passwords, regularly change passwords or deal with reset and recovery processes. FIDO can also work across multiple desktop and mobile devices without requiring users to register each device separately.

FIDO use cases

Secure user sign-in

FIDO passkeys provide a faster, easier and more secure method for user sign-in. For ecommerce websites and large global service providers, FIDO can improve the customer experience and reduce the need for account recovery due to lost or forgotten credentials.

Enterprises use FIDO authentication to grant employees, suppliers, contractors and other stakeholders rapid access to corporate resources. Compared to password authentication, FIDO passkeys can offer superior security and ease of use.

Digital payments

FIDO is often used to authenticate shoppers in ecommerce environments, such as confirming payments through mobile apps. It can also be used to verify a cardholder’s identity before allowing a transaction to proceed.

FIDO does not process payments, but it helps ensure that people are authorized to carry out transactions, which can reduce fraud.

Government services

Some government agencies now use FIDO authentication for activities such as processing tax returns and verifying applications for public benefits. For example, the login.gov service that provides citizens with a single point of access for a variety of US federal agencies uses FIDO2 authentication.
