FIDO2 101: Fast Identity Online — A Crash Course
What is FIDO2?
FIDO2, short for Fast Identity Online (second generation), was designed as a solution to the global password problem. Passwords are still the primary way people log in to apps and websites, yet they are weak and do little to prevent fraud.
Apart from being insecure, passwords are inconvenient for users. Over 80% of data breaches are directly linked to passwords, at an average loss of $3.9 million per breach.
Passwords are also costly to operate: a single help-desk password reset costs a business around $70.
Finally, passwords hurt conversion rates, with online merchants seeing cart abandonment of around 30%.
The FIDO2 protocols (WebAuthn, standardised with the W3C, and CTAP) were created by the FIDO Alliance with privacy as a primary design goal. Every credential is unique to the service it was registered with, so no third party can use it to correlate or follow a user across services. Any biometric used with FIDO2 is matched locally and stays on the user's device; it is never sent to or stored on a server.
The FIDO2 standard is particularly effective due to broad adoption and cooperation across industries.
FIDO2 has been implemented by web browsers, by platform and device vendors (such as Apple and Google's Android), and all the way down to chip makers (such as Intel). Over 5 billion devices support FIDO2 globally, and the number keeps growing.
FIDO2 is currently compatible with all the most popular web browsers and operating systems, making it easy for end users to authenticate themselves without having to download additional apps or purchase additional hardware.
End User Benefits
- No Passwords: Most users have to remember around 100 passwords for all their online accounts. FIDO2 passwordless authentication allows apps and websites to cut passwords out altogether.
- Familiar and Convenient Experience: Because FIDO2 uses the device's native unlock mechanism, the experience is the same one users already know from unlocking their phone or approving a payment: a face scan (Face ID), a fingerprint (Touch ID or an Android fingerprint sensor), or a device PIN.
- Fraud Prevention and Improved Security: Remembering around 100 passwords is next to impossible, so users recycle them. 50% of online users use the same password across all their accounts, and many more use only a handful. A compromised password on one account therefore opens every other account that shares it.
- Improved Usage and Conversion: A recent McKinsey survey found that a passwordless authentication flow that prioritises convenience can increase overall usage by 20%. Users who authenticate with FIDO2 show 3 to 5x higher activity than users who log in with a traditional password.
- Lower Support Costs: A password reset request costs a company’s help desk around $70 to resolve. Implementing FIDO2 passwordless authentication eliminates this cost, freeing up company resources to address more critical issues.
- Enhanced Fraud Prevention: FIDO2 passwordless authentication is a strong defence against phishing and man-in-the-middle credential theft: each credential is bound to the origin it was registered on, and the user signs a server-issued challenge, so a look-alike site obtains nothing it can replay to the real one. Beyond breaches caused by compromised passwords, account takeover fraud is a growing financial burden on companies, and FIDO2 removes the credential-based attacks behind most of it. It does not by itself protect a session after login (a stolen session cookie is still a stolen session), so session hardening remains necessary.
How Does FIDO2 Work?
Think about the familiar way you unlock your device: on an iPhone you might use Face ID, on an Android device the fingerprint scanner, and on a Windows Hello device a PIN, which is not a biometric at all. FIDO2 passwordless authentication reuses that same gesture, so the process is already second nature to consumers.
FIDO2 is built on standard public key cryptography. At registration the user's device (the authenticator) generates a new public/private key pair for that particular service. The private key stays on the device and never leaves it; on an iPhone, for example, it is protected by the Secure Enclave.
The public key is what gets registered with the online service (the relying party). During registration the authenticator can also attest to its make and model by signing the registration data with an attestation key provisioned at manufacture. The matching attestation certificate is normally shared by a large batch of devices of the same model rather than being unique to one device, precisely so that it cannot be used to track an individual user. Registration is often referred to as the attestation ceremony.
Once registered, the credential is used to log the user in. The application asks the relying party to start an authentication; the server issues a fresh random challenge; after the user verifies themselves on the device, the authenticator signs the challenge (together with the origin it was presented on and some authenticator data) using the private key; and the server verifies that signature with the stored public key. This authentication event is often referred to as the assertion ceremony.
FIDO2 Keys to Success
- Strong Fraud Prevention Measures: FIDO2 is a strong defence against phishing and man-in-the-middle credential theft, and it largely removes the account takeover risk that comes from password reuse. Because a separate key pair is created for every site, a breach of one service's stored public keys gives an attacker nothing usable against that service or any other.
- Multi-factor Authentication: While FIDO2 passwordless authentication looks like a single action, it combines two authentication factors: something the user has (the device holding the private key, which produces the signed assertion) and something the user is or knows (the face or fingerprint scan, or the PIN, that unlocks that key).
- Device Bound Biometrics: Biometrics are not required by the FIDO2 protocols, but using them is common practice. Biometric matching happens entirely on the device; the authenticator only tells the server, through a flag in the signed data, that the user was verified. The only thing stored on the server is the public key, which reveals nothing sensitive. This sidesteps the problems of server-side biometric databases while limiting biometric use to unlocking the credential on the device.
- Unique Domain Credentials: When a user registers with a particular domain, FIDO2 binds the credential to that domain (the relying party ID) and that domain alone. A credential registered at loginid cannot be used at loginid-example: the browser refuses to let a different origin use it, and the origin is part of what the authenticator signs, so the server would reject the assertion even if it arrived.
LoginID offers a FIDO2-certified passwordless authentication solution that can be easily integrated, with just a few lines of code, into any website or app. Created with developers and enterprises in mind, LoginID adheres to PSD2 regulations and can enhance your site’s fraud prevention methods with strong customer authentication.