FIDO 101: A complete guide to Fast Identity Online (FIDO)

What is FIDO?

FIDO, short for Fast Identity Online, was created to provide a solution to the global password problem. Passwords are still being used as the primary login and authentication method by most websites, which is not good news; there are significant flaws with passwords including inconvenience for users, and vulnerabilities for organizations.

Passwords have been the root cause of over 80% of data breaches, costing organizations an average of $3.9 million, with $70 [ref] [ref] being the average cost of one password reset through a business’s help desk. Passwords affect businesses in additional ways; studies have shown that ⅓ of online purchases were abandoned because of forgotten passwords.

How does FIDO help?

The FIDO protocols, created by the FIDO Alliance, were designed to combat the problems caused by passwords. They were designed with privacy in mind; no information that can be used to track a user is provided. Biometric information provided by the user for the sake of authentication is not stored in the cloud — it never leaves the user’s device.

The effectiveness of standards such as FIDO requires widespread industry cooperation; luckily, it has already taken place. A range of stakeholders from operating systems to device manufacturers to chip makers and even browsers have aligned themselves around FIDO as a standard. While this sort of widespread implementation has not happened on a company level, there is very little stopping them from doing so; currently, over 4 billion global devices are FIDO capable.

FIDO platform/browser support — from the FIDO Alliance

Common browsers and operating systems already have FIDO built in, meaning no additional hardware or authenticator software needs to be downloaded by a user. [ref]

FIDO’s technology industry members, regulatory/standards support, and financial services adopters

Why should I use FIDO?

FIDO authentication has many benefits.

End user benefits

1. No more remembering passwords: A recent study revealed that the average user has 100 passwords for all their online accounts. [ref] Companies that implement FIDO authentication can remove the need for their users to create and remember yet another password.
2. Low friction, familiar experience: A typical FIDO authentication mechanism is the flow a user undergoes when unlocking their device. This could be anything from a Face Unlock or Fingerprint Scan on Android, a PIN on Windows Hello, or TouchID on a Macbook or iPhone, among other mechanisms.
3. More robust security: Remembering 100 different passwords is not easy, which causes users to often reuse passwords across websites. Studies have shown that as many as 50% of people use the same password for all their online accounts, and many people rotate between a few passwords for all their accounts [ref]. If a user’s password is compromised on one website, therefore, the impact can spread to all their other online accounts that share the same password.

Business Benefits

1. Higher usage & conversion rates: According to McKinsey, authentication flows with a focus on low friction can increase overall usage by up to 20%. [ref] In our experience, we have seen a 3–5x increase in FIDO user logins versus password logins.
2. Lower support costs: A password reset request to a company’s help desk can cost an average of $70. By eliminating passwords, this cost is also eradicated, which allows customer support representatives to redirect their efforts to providing more valuable support to customers.
3. Reduced fraud: FIDO authentication resistant to both, man-in-the-middle and phishing attacks, which are some of the main causes of account takeover fraud. Account takeover fraud is separate from breaches, of which 80% are caused by passwords. FIDO can, therefore, potentially eliminate all types of authentication related fraud.

How FIDO works

FIDO authentication typically follows the same process that a user follows to unlock their device. Typically this could be Face ID on an iPhone or a Mac, a fingerprint or facial scan on an Android device, or entering a PIN on Windows Hello devices. It is this behavior that gives FIDO an advantage; the experience is already very familiar to the user.

Looking at FIDO from a technical standpoint, the protocols use standard public key cryptography. When a user initially registers, their device generates a new public/private key pair. The private key is retained, and the public key is signed with an attestation certificate and registered with the FIDO-integrated online service. The attestation certificate is pre-built into the device at the time of manufacturing, and is specific to a device model (e.g. all iPhone 12 Max devices in the same manufacturing run will have the same attestation certificate).

Note: The FIDO credential registration process is often referred to as “attestation.”

Once a user is registered, they can then use the credential to login. When the client application requests a user authentication, the server creates a challenge; this challenge is then signed by the authenticator using the previously registered key pair.

Note: The FIDO authentication process is frequently referred to as “assertion.”

Image from the FIDO Alliance

FIDO Key Elements

• Highly Secure: Since the FIDO protocols are, both, man-in-the-middle attack and phishing attack resistant, they significantly reduce account takeover fraud risk. Every {website, authenticator} pairing creates unique credentials, one website’s compromise has no impact on another website, unlike a compromised reused password.
• Two-Factor Authentication (2FA): While authenticating with FIDO might seem like a single user action, it is a two-factor authentication method. The action of scanning their biometrics or entering a PIN is one factor (inherence or knowledge), and the device assertion is the second factor (possession).
• On-device biometrics: Biometrics might not always be required, but they are frequently involved in the FIDO protocols. What’s critical in the FIDO protocols is the fact that biometrics are not stored in the cloud or in a server; only the public key is stored. This is beneficial because server-side biometrics pose various risks, since users cannot change their biometrics in case of a compromise. The way that it’s setup, FIDO avoids many of the prevalent server-side biometric authentication issues; not only does it prevent biometric information from being compromised, it also ensures that the biometric information can only be used for its intended purpose — on-device verification and assertion.
• Domain-bound credentials: FIDO registered credentials are bound to a particular domain; for example, if you register your FIDO credentials on loginid.io, you cannot duplicate use of the same credential on another website such as loginid-example.io.

About LoginID

LoginID is a multifactor authentication solutions provider that offers frictionless authentication. Created with developers in mind, LoginID is FIDO-certified and adheres to PSD2 principles. With an implementation time of just one hour, LoginID’s multifactor authentication solution is a quick, simple to integrate, cost-effective, and regulatorily compliant tool to give your business peace of mind around security, allowing you to focus on growing your business.

Get started for free by checking out the demo here.

Learn more about LoginID’s solutions here.