Forgot Password? FIDO and the Future of Authentication

StarW4rs. 123456. batman. 12dec1984.<your postcode>. XydZ#$A7.

We can probably all agree that managing passwords isn’t our favorite way of spending time online. The good news is, a more secure and convenient way of handling authentication is already here.

Computer passwords have actually been around for decades, since MIT’s 1961 Compatible Time-Sharing System, credited as the first system to utilize passwords to enable multi-user shared computing. Since then, passwords have gained a central role in our lives. More recently, the explosion in the number of Internet services that rely on online authentication has also revealed the inherent problems of passwords, which include the following:

● Password fatigue, caused by the ever-increasing number of online accounts each Internet user holds;
● Password reuse across different online services, a side effect of password fatigue and a leading cause of escalated data security breaches;
● Password theft, whether by phishing, guessing or other means.

To our benefit, the FIDO standard, backed by some of the largest and most influential companies in the world, has emerged as an alternative to the traditional password-based solution. FIDO stands for Fast IDentity Online. It is an open protocol designed to improve online user authentication and authorization, addressing both security and convenience for the end user. FIDO achieves this by making it easier for service providers to integrate additional security factors into the online authentication process. Currently, the majority of Internet services rely only on security models based on something you know, such as passwords, security questions and PIN codes.

With FIDO, new security factors can be easily added, based on:
● something you have, such as your smartphone or a security key;
● something you are, provided by biometrics such as fingerprint, voice, iris and face recognition.

Biometrics-based authentication is not new in computer systems, but the ubiquitous computing power of smartphones, combined with advances in pattern recognition technology, has made it practical and convenient for all online users. Modern smartphones even have hardware-protected storage and processing areas, such as the TEE (Trusted Execution Environment), which safeguard the user’s privacy: the biometric information is never sent over the Internet; it never leaves the phone.

By using the phone’s embedded security mechanisms and the strength of public-key cryptography, FIDO enables biometric authentication without ever sharing private biometric data across the wire, not even with the online account providers. FIDO specifies two user experiences: UAF (Universal Authentication Framework) and U2F (Universal Second Factor).
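To make that mechanism concrete, here is an added example in Go (not from the original post or the FIDO specifications) that models the exchange: the phone keeps one private key per service and signs a server challenge only after a local user-verification check, while the service stores nothing but a public key. The Ed25519 key type, the `origin|challenge` message layout and the `userVerified` flag are simplifications assumed for illustration, not FIDO’s actual wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)

// Authenticator models the user's phone: private keys and the biometric check never leave it.
type Authenticator struct{ keys map[string]ed25519.PrivateKey } // origin -> key pair

// RelyingParty models the online service: it holds public keys only, so a breach leaks no secret.
type RelyingParty struct{ Origin string; pubs map[string]ed25519.PublicKey } // user -> public key

// Register creates a fresh key pair scoped to one origin; only the public half leaves the device.
func (a *Authenticator) Register(origin string) (ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil { return nil, err }
	if a.keys == nil { a.keys = map[string]ed25519.PrivateKey{} }
	a.keys[origin] = priv
	return pub, nil
}

// Sign runs only after the local biometric check (userVerified) and signs challenge plus origin.
func (a *Authenticator) Sign(origin string, challenge []byte, userVerified bool) ([]byte, error) {
	if !userVerified { return nil, errors.New("user verification failed on device") }
	priv, ok := a.keys[origin] // a look-alike origin has no key here, so phishing yields nothing
	if !ok { return nil, errors.New("no credential registered for " + origin) }
	return ed25519.Sign(priv, append([]byte(origin+"|"), challenge...)), nil
}

// Enroll stores the received public key under the account; no password or shared secret is kept.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) {
	if rp.pubs == nil { rp.pubs = map[string]ed25519.PublicKey{} }
	rp.pubs[user] = pub
}

// Challenge issues fresh random bytes so a captured signature cannot be replayed later.
func (rp *RelyingParty) Challenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil { panic(err) }
	return c
}

// Verify checks the signature with the stored public key and the server's own origin.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ed25519.Verify(pub, append([]byte(rp.Origin+"|"), challenge...), sig)
}
```

A compromised server database in this model yields only public keys, and a signature captured on the wire is useless against the next challenge.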

With UAF, users can enjoy the convenience of password-less authentication, a major enhancement in user experience. It makes authentication easier and more natural, similar to our experiences in the offline world. Suppose my sister wishes to pay me a surprise visit. As she reaches my house, she rings the doorbell and shouts: “It’s me, can I come in?” Obviously I won’t bother her with requesting a password. Just looking at her face on the intercom or even hearing her voice will suffice. Internet users want that same level of convenience when returning to their frequently visited online services.

Now let’s look at FIDO’s second experience, U2F. With U2F, service providers can implement second factor authentication to request additional authorization steps when increased security is required, such as in highly sensitive financial transactions. Most online banking services already support second factor authentication, which is usually implemented by sending users a one-time password generator or USB security key.

The advantage of U2F is that it standardizes the second factor flow as an open protocol, reducing the need for proprietary implementations. Service providers gain from increased user adoption. The end user also wins, by using a single device for authenticating into multiple services, as long as the device and services implement the standard. Surely this is a much better way of implementing a second factor, rather than forcing users to pile up multiple devices for different services.

For all the reasons above, FIDO is delivering the combination of security and convenience that Internet users and service providers have longed for. Whether by making passwords obsolete or by raising the level of online security and privacy, it’s transforming our industry in a significant way.

And with more and more leading companies joining the FIDO Alliance, including Rakuten, FIDO is here to stay.
