FIDO (Fast Identity Online) authentication is a set of open standards for passwordless authentication for websites, applications and online services. FIDO authentication replaces traditional passwords with cryptographic keys called “passkeys,” which are more secure.
Passkeys are stored on a user’s device, such as a smartphone. They enable the user to log in to a website or application through the same methods they use to unlock their device, such as facial recognition, fingerprint scanning or entering a PIN.
The IBM X-Force Threat Intelligence Index reports that credential theft is the most common impact faced by victims of breaches. Threat actors use phishing attacks and information stealing malware to harvest these credentials, which they can sell on the dark web or use to expand their reach in a network. Nearly a third of cyberattacks involve the hijacking of valid user accounts.
FIDO authentication helps minimize the cybersecurity threats posed by credential theft and account hijacking. Passkeys cannot be stolen as easily as passwords. To break into a passkey-secured account, an attacker must gain access to the user’s device and successfully enter their PIN or bypass biometric security.
The FIDO Alliance is a consortium of government agencies, businesses and tech companies including IBM, Apple, Amazon, Microsoft, PayPal and many others. The group develops and maintains FIDO authentication standards with the goal of reducing reliance on passwords.
The FIDO Alliance released the first FIDO protocol, FIDO 1.0, in 2014. The latest protocol, FIDO2, was developed in cooperation with the World Wide Web Consortium and released in 2018.
Today, millions of people use FIDO authentication to log in to websites and applications. The FIDO2 protocol is supported by leading web browsers, single sign-on (SSO) systems, identity and access management (IAM) solutions, web servers and operating systems including iOS, macOS, Android and Windows.
FIDO authentication uses public key cryptography (PKC) to generate a unique cryptographic key pair associated with a user’s account. This key pair, called a “passkey,” consists of a public key that stays with the service provider and a private key that resides on the user’s device.
When the user logs in to their account, the service provider sends a challenge—typically a random string of characters—to the user’s device. The device prompts the user to authenticate themselves through a PIN or biometric authentication.
If the user successfully authenticates, the device uses the private key to sign the challenge and sends the signature back to the service provider. The service provider uses the stored public key to confirm that the matching private key produced the signature and, if it verifies, grants the user access to their account.
A passkey stored on one device can be used to log in to a service on another device. For example, if a user sets up a passkey for their email account on their mobile device, they can still log in to that account on a laptop. The user would complete the authentication challenge on the registered mobile device.
FIDO also supports the use of security keys, also called “hardware tokens,” as an authentication method. FIDO security keys are small, dedicated physical devices that can create key pairs and sign challenges. They connect to other devices through Bluetooth, near-field communication (NFC) protocols or a USB port. A FIDO security key can take the place of biometric data or a PIN in the authentication process: possession of the key authenticates the user.
Because the private key is stored on—and does not leave—the user’s device, the possibility of a security breach is minimized. Hackers cannot steal it by breaking into a database or intercepting communications. The public key that resides with the service provider contains no sensitive information and is of little use to hackers.
To set up FIDO authentication on an email account, a user might follow these steps:
FIDO supports two types of passkeys: synced passkeys and device-bound passkeys.
Synced passkeys can be used across multiple devices, making them more convenient. Credential managers such as Apple Passwords, Windows Hello and Google Password Manager can store synced passkeys and make them available to users on any of their devices.
For example, a user might register for a passkey on a smartphone to access a banking application. That same passkey is available through the credential manager when the user logs in to the banking application with their laptop or tablet device.
A device-bound passkey is bound to a single device, offering the highest level of security.
Device-bound passkeys are typically accessed with a physical security key connected to one particular device. The passkey cannot leave the device, so it is less vulnerable to unauthorized access.
Device-bound passkeys are often used to access highly sensitive information such as financial data, corporate intellectual property or confidential government materials.
FIDO protocols have evolved and improved since the introduction of FIDO 1.0 in 2014. Functionality from the protocols introduced in FIDO 1.0 is incorporated into the newer protocols of FIDO2 authentication.
FIDO Universal Authentication Framework (UAF) was among the first protocols developed by the FIDO Alliance. It provides the capability to log in to a service without using a password. With UAF, a user can authenticate directly from a device by using biometric data such as facial recognition, or a PIN.
Universal 2nd Factor (U2F) was developed to provide two-factor authentication (2FA) for systems that rely on usernames and passwords. 2FA methods require a second factor for users to confirm their identities. U2F uses a physical security key as the second factor.
After the release of FIDO2, U2F was renamed “CTAP1.”
FIDO2 introduced two new protocols that expand the reach and capabilities of the earlier protocols.
WebAuthn improves on the capabilities of UAF by providing a web application programming interface (web API) that makes passwordless authentication available to relying parties. “Relying parties” is the term for websites and web apps that use FIDO authentication.
In addition to the API, WebAuthn also provides FIDO standards that define how interactions should flow between the web application, the web browser and an authenticator such as a security key.
CTAP2 (Client to Authenticator Protocol 2) defines how a FIDO client such as a web browser or operating system communicates with an authenticator. An authenticator is the component that verifies a user’s identity.
In U2F (or CTAP1), the authenticator was always a security key. CTAP2 adds support for authenticators built into the user’s device, which verify the user with voice or facial recognition, a fingerprint or a PIN.
Stolen passwords are one of the most common cyberattack vectors. FIDO offers a passwordless authentication solution that mitigates this threat.
Hackers cannot steal passkeys through the usual means. For example, passkeys are phishing-resistant, because users do not share their private keys directly with services. User authentication takes place primarily on the user’s device. Even if an online service suffers a data breach, the passkey remains inaccessible.
FIDO also removes the need for one-time passcodes (OTPs), which hackers can intercept or spoof. The FIDO passkey remains protected on the user’s device without exposure to external systems.
FIDO supports multifactor authentication (MFA), which requires that users present two or more factors to verify their identities. For example, to access an account protected by a device-bound passkey, a user needs two factors: their device and biometric data or a PIN, which together unlock the passkey and sign a challenge.
FIDO standards can help some organizations comply with data privacy and protection regulations such as the General Data Protection Regulation (GDPR), Payment Card Industry Data Security Standard (PCI DSS) and the California Consumer Privacy Act (CCPA).
Specifically, FIDO makes it harder for unauthorized users to hijack valid accounts, which in turn means it is less likely that unauthorized users will access sensitive data.
FIDO is an open standard that is compatible with nearly every major web browser, platform, server, application and device. It provides a strong authentication mechanism that many organizations and online services can implement.
Many consider FIDO to be more intuitive than other authentication solutions. Users do not have to remember passwords, regularly change passwords or deal with reset and recovery processes. FIDO can also work across multiple desktop and mobile devices without requiring users to register each device separately.
FIDO passkeys provide a faster, easier and more secure method for user sign-in. For e-commerce websites and large global service providers, FIDO can improve the customer experience and reduce the need for account recovery due to lost or forgotten credentials.
Enterprises use FIDO authentication to grant employees, suppliers, contractors and other stakeholders rapid access to corporate resources. Compared to password authentication, FIDO passkeys can offer superior security and ease of use.
FIDO is often used to authenticate shoppers in e-commerce environments, such as confirming payments through mobile apps. It can also be used to verify a cardholder’s identity before allowing a transaction to proceed.
FIDO does not process payments, but it helps ensure that people are authorized to carry out transactions, which can reduce fraud.
Some government agencies now use FIDO authentication for activities such as processing tax returns and verifying applications for public benefits. For example, the login.gov service that provides citizens with a single point of access for various US federal agencies uses FIDO2 authentication.