The inability of many online services to keep their users’ passwords secure from cybercriminals, combined with…
the inherent weaknesses of passwords as a means of authentication, are forcing governments and the IT industry to establish a viable, long-term replacement. The U.S. Commission on Enhancing National Cybersecurity hopes to see “no major breaches by 2021 in which identity — especially the use of passwords — is the primary vector of attack.” This is an ambitious goal as 63% of all successful data breaches can be tracked back to inadequate passwords according to Verizon’s 2016 Data Breach Investigations Report, and it will require the development and broad adoption of identity authentication technologies. Until recently, the IT industry has struggled to bring about such technologies, but new developments such as the FIDO authentication standard have started to change that.
Usability and deployability are the reasons passwords have lasted so long, but requiring users to remember longer, more complex passwords isn’t practical given that the average Briton in 2012 had over 25 online accounts, with 25-34-year olds having over 40, according to research done by Experian plc, the U.K. credit reference agency. Although strong authentication products have been around for years, concerns over cost, lack of interoperability, vendor lock-in, and inconvenience to users have prevented them from becoming widely deployed. Ideas such as using image recognition — where users recognize pictures rather than enter passwords — only offer minor security benefits over passwords, while those offering significant security benefits like iris recognition have usually been too costly to deploy or problematical to use.
To address the lack of interoperability among strong authentication technologies, leading companies such as PayPal, Lenovo and Nok Nok Labs formed the Fast IDentity Online (FIDO) Alliance in July 2012 with the aim of defining a set of open standards and specifications for how multifactor authentication should work that balance security with usability, privacy and interoperability. Work done by Google, Yubico and NXP on an open standard for a strong second-factor device was incorporated into the FIDO Alliance in 2013 and version 1.0 of the FIDO standard was published at the end of 2014. So what is FIDO, how does it work, and can it remove our reliance on passwords?
FIDO is a device-centric model but is not designed for any specific type of authentication technology. It separates the authentication server from the specific authentication model. This means the authentication method or provider can be changed without impacting the application. It provides two ways to authenticate users: Passwordless UX, which uses the Universal Authentication Framework (UAF) protocol and Second Factor UX, which uses the Universal 2nd Factor (U2F) protocol (UX stands for “user experience“). In future versions, FIDO expects the two standards to further evolve and harmonize.
With Passwordless UX, users register their device with an online service by selecting a local authentication mechanism. This can be a biometric such as swiping a finger, taking a selfie or speaking into a microphone. Once registered, users repeat the process whenever they need to authenticate to the service, so no password is necessary. A service can also require multiple authentication mechanisms such as a biometric (for example, a fingerprint or voice scan) and knowledge (for example, a password or PIN). The presence of high quality cameras, microphones, and fingerprint readers in many of today’s devices means it’s now easier than ever to implement biometric authentication that establishes trust between two parties.
Second Factor UX involves using a password or PIN in conjunction with a FIDO-compliant hardware device to support two-factor authentication: knowledge of the PIN or password being the first factor, and ownership of the device being the second factor. The user is prompted to insert and touch their personal U2F device during login. The user’s FIDO-enabled device creates a new key pair, and the public key is shared with the online service and associated with the user’s account. The service can then authenticate the user by requesting that the registered device sign a challenge with the private key. Removable USB tokens are proving popular but other options include Trusted Platform Modules, embedded Secure Elements, smart cards, Bluetooth Low Energy, and Near Field Communication (NFC) chips. A hacker would need to steal both a user’s credentials and their U2F device to compromise an account or application log-in.
FIDO UAF authentication credentials are never shared with an online service provider, only the public keys paired to the user’s device. This removes the threat of a breach of a user’s accounts or personal data if a service provider is compromised. Likewise, biometric measurements used in FIDO authentication never leave the user’s device. There is also no information emitted by the device that can be used by different online services to collaborate and track a user across the Internet, even though the same device can be used to log in to any number of services.
FIDO is fast becoming the global de facto standard for authentication. The FIDO Alliance now has more than 250 members from across the world, including technology companies, device manufacturers, major banks and health firms, all major payment card networks, several governments and dozens of security and biometrics vendors. President Barack Obama’s Commission on Enhancing National Cybersecurity report specifically noted the role the FIDO Alliance will play in achieving its goal. The U.K. government’s new National Cyber Security Strategy also intends to invest in FIDO authentication.
Google Chrome was the first Web browser to implement support for Second Factor UX, but by early 2017 all the major browsers will provide support. For users, this means instead of typing in a six-digit passcode received via SMS to login to an online service, users can simply insert a FIDO-compliant USB key into their computer and tap it when asked to do so by the browser. Google analyzed its two-year deployment of U2F Security Keys and reported support costs had dropped. The keys replaced one-time passwords (OTP) as a means of authenticating its employees, which Google estimated has saved thousands of hours per year. There were also zero authentication failures, compared to a 3% failure rate for OTP-based authentications.
FIDO brings substantial gains to users and businesses, which explains its rapid adoption where other initiatives have failed to displace the password. As more users discover the advantages of being free from passwords and the added security FIDO authentication provides, online services left relying on passwords may well begin to lose out. If FIDO reduces the number of abandoned online and mobile shopping carts due to account login difficulties, retailers will easily recoup any costs involved in updating their sites to be FIDO compliant. PayPal, Alibaba, and Alipay all offer secure payments based on FIDO authentication and major cloud services such as Dropbox, GitHub, Dashlane, and Salesforce.com all now support U2F.
The forthcoming FIDO 2.0 features native platform support as well as device-to-device authentication using FIDO’s public key cryptography, which should benefit many IoT devices. The Client-to-Authenticator Protocol (CTAP) should also be released in 2017. This will enable browsers and operating systems to talk to external authenticators like USB key fobs, NFC- and Bluetooth-enabled devices and remove the requirement for users to re-register on every device they use. There is also work on a standard for mobile wallet providers and payment application developers to support Consumer Device Cardholder Verification Methods (CDCVM) so on-device FIDO Certified authenticators such as fingerprint or selfie biometrics can be used to verify a user’s presence when making an in-store or in-app mobile payment.
Over the years, cybercriminals have made huge profits due to the ineffectiveness of password-based authentication, but FIDO authentication makes credential theft far more difficult and expensive, without compromising convenience for security. Hopefully it will help end the role of the password as the primary authentication factor.