What is FIDO? What is FIDO Alliance?

FIDO (Fast IDentity Online) is a certification for a set of authentication protocols and specifications, with the aim of ultimately eliminating the use of passwords across all platforms, including desktops, mobile devices, and any service requiring identity verification. FIDO authentication is the brainchild of FIDO Alliance.

What is FIDO Alliance?

FIDO Alliance is an open industry association, also known as a consortium, formed by a group of leading companies, government agencies, and financial institutions in 2012. Its goals include changing the way users authenticate online, driven by a strong belief that passwords are a thing of the past and one of the weakest links in online security.

Passwords are costly to manage, easily compromised, and add frustrating friction for users, negatively impacting the experience.

FIDO's authentication process has quickly gained traction, and now features prominently in news and overview reports on the future of cybersecurity.

The success of FIDO authentication is driven by the collaboration of various industry leaders.

Who is part of the FIDO Alliance?

The Alliance members list includes major companies and organizations (more than 250!) of many kinds. Some of them are:

  • Tech Giants: Google, Apple, Microsoft, Amazon, and Facebook.
  • Financial Institutions: PayPal, Mastercard, Visa, American Express.
  • Hardware Manufacturers: Samsung, Intel, Lenovo, ARM.
  • Service Providers: eBay, Salesforce, Bank of America.
  • Government Entities: U.S. government agencies like the National Institute of Standards and Technology (NIST).
  • Security Firms: Yubico, RSA, NortonLifeLock.

All these collaborate to promote secure, passwordless authentication methods, ensuring the public understands the advantages of moving beyond traditional password use.

The Development of FIDO Authentication Standards

Over the years, FIDO Alliance has published three sets of specifications, all based on public key cryptography:

FIDO UAF (Universal Authentication Framework)

The first FIDO protocol allowed users to sign up and log in to services without passwords by using biometrics or a PIN on their personal device, such as a smartphone or laptop.

FIDO U2F (Universal 2nd Factor)

The second protocol released by FIDO Alliance essentially enhances passwords by requiring users to use a hardware security key in addition, for two-factor authentication (2FA).

FIDO2

The newest standard from FIDO Alliance, considered to be a combination of the previous two, consists of two components:

  • WebAuthn API - A W3C standard allowing web services to integrate passwordless authentication.
  • CTAP (Client to Authenticator Protocol) - A protocol allowing devices like smartphones, security keys and wearables to act as an authenticator for logins.

Combining these two was a big step forward in the FIDO mission to eliminate passwords.

FIDO Alliance and Passkeys

As the technology evolved, and more companies adopted FIDO Authentication solutions, the concept of passkeys emerged.

Passkeys, also based on public and private key cryptography, represent a user’s private key securely stored on a device, enabling seamless logins across ecosystems.

FIDO passkeys are already integrated by major players like Apple, Google and more.


How Does FIDO Eliminate Passwords?

FIDO authentication solves the password problem by letting the user sign up to a FIDO-enabled product or service using just their biometric features, such as fingerprint and face recognition. This makes it super smooth for the user, while being ultra secure behind the scenes.

How Does it Work?

FIDO protocols use a cryptographic approach called asymmetric (public key) cryptography.

When a user registers with a service, the protocol generates a unique pair of keys: one public, stored on the service's server, and one private, kept securely encrypted on the user's device. The private key never leaves the device.

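When a user logs in to a service, the service sends a request (called a challenge) to the device. The user unlocks the private key with their unlock mechanism, the device signs the challenge with the stored private key, and the service verifies the signature using the public key it stored at registration.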
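The registration and challenge flow described above, as an added example that is not part of the original article and not FIDO Alliance code. It is a simplified model rather than the real WebAuthn/CTAP message format; the class names, the `demo` function and the `example.test` origins are assumptions made for illustration. It also shows why a replayed response or a look-alike site gets nothing usable: challenges are single-use and each key is tied to one origin.

```javascript
// Added illustration: simplified FIDO-style registration and login, not the
// real WebAuthn/CTAP message format. All class and function names are hypothetical.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Authenticator: holds one private key per origin; keys never leave this object.
class Authenticator {
  #keys = new Map();
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    this.#keys.set(origin, privateKey);
    return publicKey; // only the public half goes to the service
  }
  // `origin` comes from the browser, not the page, so the signature is bound to it.
  respond(origin, challenge) {
    const key = this.#keys.get(origin);
    if (!key) return null; // no credential for this origin, e.g. a look-alike site
    const clientData = Buffer.from(JSON.stringify({ origin, challenge }));
    return { clientData, signature: sign('sha256', clientData, key) };
  }
}

// Service: stores only the public key and issues single-use random challenges.
class Service {
  #pending = new Set();
  constructor(origin) { this.origin = origin; this.publicKey = null; }
  enroll(publicKey) { this.publicKey = publicKey; }
  newChallenge() {
    const c = randomBytes(32).toString('hex');
    this.#pending.add(c);
    return c;
  }
  verifyLogin(response) {
    if (!response || !this.publicKey) return false;
    const { origin, challenge } = JSON.parse(response.clientData.toString());
    if (origin !== this.origin) return false;           // signed for another site
    if (!this.#pending.delete(challenge)) return false; // unknown or replayed
    return verify('sha256', response.clientData, this.publicKey, response.signature);
  }
}

function demo() { // constructed scenario; the example.test origins are placeholders
  const device = new Authenticator();
  const bank = new Service('https://bank.example.test');
  bank.enroll(device.register(bank.origin));
  const good = device.respond(bank.origin, bank.newChallenge());
  const first = bank.verifyLogin(good);
  const replay = bank.verifyLogin(good); // same response sent again
  const phished = device.respond('https://bank-login.example.test', bank.newChallenge());
  return { first, replay, phished: bank.verifyLogin(phished) };
}
```

Calling `demo()` returns the outcome of a legitimate login, a replay of the same response, and a login attempted through a look-alike origin.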

FIDO Authentication Benefits

Eliminating passwords brings many benefits, both for companies and organizations and for the user. These include:

  • Security - Password-related attacks make up to 80% of online breaches; passwords can be stolen, hacked or even guessed. FIDO passwordless solutions are basically immune to password-related vulnerabilities such as phishing.
  • Management - Creating and managing complex passwords creates fatigue, making users “give up” and use repetitive, simple ones, making them even less safe. Also for businesses, managing passwords, resetting them and following standards can be costly and time consuming.
  • Privacy - The sensitive data that gives true access to services is stored on the user’s device, making the user the owner of his credentials and basically his identity online.
  • User experience - A user who enjoys interacting with a service, through a seamless, secure login and authentication, will sign up earlier and sign in more often, leading to more sales, more engagement and an overall exceptional user experience.

The Future of FIDO

The future of FIDO focuses on broad passwordless adoption. With Apple, Google, and Microsoft integrating the FIDO2 standard into their platforms, the path to eliminating passwords becomes even clearer. Passkeys represent a giant leap forward, providing users with a more secure and convenient way to authenticate across devices while owning their private keys.

FIDO’s approach of combining user experience and security is set to revolutionize online security. Moving forward, we can only expect the FIDO Alliance to become more universal and continue to promote a future free of passwords, with minimal phishing risks, and authentication both effortless and as secure as possible.

As this transformation takes better shape, FIDO will keep leading the charge toward a more trusted and efficient digital world.