FIDO Alliance Standards for Authentication
Simpler, Stronger, Privacy-Protecting Authentication – Already Built Into Billions of Mobile Devices
Digital identification is critical to empowering individuals in developing countries by enabling them to participate in a wide array of benefits and services. However, the authentication layer of digital identity has historically presented three key challenges:
- Security: A reliance on passwords as the primary method of authentication has led to an epidemic of data breaches across the globe. Passwords are easily compromised – over 80% of data breaches in a recent study were the result of exploiting weak or stolen passwords. Likewise, other forms of additional authentication such as One Time Passwords (OTP) are increasingly being compromised, as they are based on a shared-secret approach, meaning the user has to share their “secret” with the online application in order to authenticate. This means remote adversaries can launch massive attacks at scale against an entire user base in one of two ways: by phishing attacks that trick users into giving away their secrets, or by purchasing credentials stolen in a previous data breach and credential stuffing at other websites, because so many users reuse the same password across multiple accounts.
- Privacy: Advanced technologies like biometrics can offer more security, but if implemented in a way that requires service providers or governments to collect and store this sensitive data, it puts people’s privacy and security at risk. Not only is there the obvious over-sharing of personally identifiable information, but a remote biometric system with a central database is vulnerable to biometric spoof attacks from any device on the Internet, i.e. it is still vulnerable to remote, scalable attacks. Beyond biometrics, other popular identity schemes rely on quietly installing trackers or building profiles of a device (often referred to as device fingerprinting) so they can recognize the user’s device in the future.
- Ease of use: Many authentication technologies improve security at the expense of user experience – which dissuades people from using them in favor of less secure, password-based authentication.
FIDO standards address all three of these challenges – without proprietary technologies. They combine an on-device match of the user’s biometric, which unlocks a private cryptographic key generated and stored on the device, with that key’s public counterpart, which the online service uses to verify the user.
Because FIDO standards are embraced by dozens of major device manufacturers – and embedded at both the operating system and browser level by Google and Microsoft (with Apple platform support in beta testing as this proposal is being written) – they can be used on the phones, tablets and computers that most people carry with them today. For emerging markets where these types of devices are often shared by families or even entire villages, an ideal fit would be FIDO Security Keys, which are inexpensive personal devices that store the user’s credentials safely even if the user shares a device for accessing online resources.
- Scale
FIDO standards use a combination of on-device matching of user verification challenges and asymmetric public-key cryptography to address the security, privacy and ease of use challenges facing digital identity systems.
- Security: FIDO credentials are private keys minted directly on the user’s device, only used to sign challenges, never shared online. This defeats all known forms of phishing and replay attacks.
- Privacy: User verification data is always matched on-device which prevents over-sharing of biometrics with online applications.
- Ease of use: Users need only “look at this camera” or “touch this button” to securely login using FIDO-enabled devices.
FIDO Alliance has prioritized privacy from the beginning, and has architected a number of privacy-protecting features into the standards. These include:
- Biometrics are only stored and matched locally – and can never leave the device
- No third party in the protocol
- No linkability between services or accounts – there is no way for one party to use FIDO to track how a device is being used to log in to other accounts, as a separate key pair is generated for each account
- Private keys stay only on the device that generated them
- No server-side shared secrets
For more information refer to the FIDO Alliance Privacy Principles
Authentication is just one element of a broader digital identity system. FIDO is ideally suited to serve as the authentication layer. When FIDO keys are bound to proof of identity, they can be used as a full digital identity credential. Here are simple design guidelines for how FIDO can be incorporated in typical digital identity systems.
- In password-based systems, FIDO is a simple replacement for the match-on-server password scheme. This is also true for password + one-time-passcode 2FA solutions.
- In match-on-server biometric systems, FIDO can be used as the account authentication credential established after a one-time identity verification check using a government biometric database.
- In eID card systems, FIDO can be used as a derived credential after a one-time eID verification event.
In all three cases, the overall system design benefits from the mobile-first FIDO credential that is phishing resistant and easy to use, taking advantage of existing device capabilities coming to market across all popular operating systems and web browsers in 2019.
FIDO Alliance runs a certification program that ensures both conformance to the FIDO specifications as well as interoperability across product implementations – e.g., any FIDO Certified server can interoperate with any FIDO Certified authenticator based on the same specification. This enables interoperability of FIDO authentication across devices of different manufacturers, as well as different browsers and operating systems. FIDO standards have been recognized by the ITU (X.1277 and X.1278), the World Wide Web Consortium (W3C) (Web Authentication Standard), as well as numerous governments. Over 500 products have been FIDO Certified since mid-2015.
FIDO has support for offline environments as well as online. An offline example might be taking public transportation after tapping an NFC reader on a turnstile. In online use cases, the FIDO protocol takes very little bandwidth, requiring only a simple message exchange to establish an authenticated session.
As for those with low literacy – the advantage FIDO offers is ease of use combined with resistance to the phishing that inexperienced users are especially vulnerable to. FIDO enables “single gesture” authentication, which means the user need only “look at your phone” or “touch this button” to be strongly authenticated.
FIDO standards are mature and gaining rapid adoption in many verticals, including government, financial services and health care. We expect the adoption curve to continue to increase, given recent action in ITU and the W3C to finalize the standards, as well as announcements from major technology players at the chip, hardware and software level to embed support for FIDO authentication in their products. Increasingly, service providers will choose to take advantage of these built-in capabilities for the benefits to user experience, customer choice, best-of-breed security and the cost savings on the client side of their architectures.
- United States
- Hybrid of For Profit and Nonprofit
- 20+
- 5-10 years
The FIDO Alliance is a non-profit, 501(c)(6) organization incorporated in the State of California. The members of FIDO Alliance are either for-profit corporations, government agencies, or universities. In addition, FIDO Alliance has several liaison partners who are typically non-profit trade associations, often standards-setting organizations. Here are several online resources that document the various organizations we have been working with:
FIDO Alliance has already attracted well over 200 organizations from across the globe, including members from both industry and government. Our members include both banks and FinTech firms, as well as major payment card networks, health providers, mobile network operators, hardware manufacturers, software vendors and government agencies. Collectively, the FIDO Alliance represents the largest consortium in the world focused on authentication – with a specific focus on ensuring that authentication solutions preserve and enhance privacy, rather than threaten or degrade it.
FIDO Alliance is a non-profit organization funded by annual dues paid by the member organizations as well as certification fees paid by vendors of FIDO implementations – FIDO standards are freely available to download and use. Support for FIDO standards is increasingly embedded in many Commercial Off The Shelf (COTS) products. FIDO standards are also strongly supported by many vendors in the marketplace – there are more than 500 FIDO Certified products available.
FIDO Alliance has taken a keen interest in the work of the World Bank, specifically the ID4D and FIGI initiatives. The Mission of FIDO Alliance is to help reduce the world’s dependency on passwords. It is important to us that the next generation of government investment in digital identity systems around the world isn’t wasted on highly vulnerable password-based systems already being supplanted by next generation FIDO solutions in developed markets.
If a device is lost or stolen, applications will need to have an account recovery process in place to re-register the user after they get a new device. FIDO Alliance has a study group in place exploring ways for applications to improve their remote identity proofing practices over what is commonly used today. If remote identity proofing isn't improved, then attackers can bypass strong FIDO authentication simply by defeating weak account recovery flows.

Executive Director