Strengthening Identity Verification and Authentication With FIDO

Most online services use password-based authentication. Passwords and SMS-based one-time passcodes (OTPs) are the two most popular methods of digital authentication. Compromised passwords, however, are responsible for 80% of data breaches.

Forgotten passwords not only increase operational overheads but also lead to cart abandonment, resulting in lost revenue. Although OTPs solve some of these problems, they remain highly vulnerable to man-in-the-middle attacks and SIM swaps, both of which are on the rise.

Passwords, in particular, pose a dual challenge of security and friction and need to be phased out.

Frictionless, phishing-resistant multi-factor authentication (MFA) is a must to overcome the challenges posed by passwords and OTPs. The FIDO (Fast Identity Online) Alliance, an industry consortium of over 250 leading companies promoting open standards for identity verification and authentication, addresses these challenges and has become the industry standard for passwordless authentication. FIDO protocols cover the critical stages of the digital identity lifecycle, such as identity verification for account onboarding, account recovery, and user and device authentication.

Most identity breaches stem either from attacks on servers that store user credentials or from malware-driven phishing attacks that impersonate local devices and steal credentials. FIDO provides device-level local authentication using methods such as a PIN, biometrics, or an external hardware token, all of which interact with the client device over a common, standardized interface. The authenticating device, i.e., the authenticator, connects to the online server using a standardized, challenge-response cryptographic protocol built on a public/private key pair. Effectively, the user's interaction via any of these methods unlocks a private key dedicated to the online service in question—the online service stores only public keys.

The FIDO protocols consist of the following three sets of public-key cryptography-based specifications:

Universal Authentication Framework (UAF): The UAF protocol enables online service providers to offer their customers a variety of passwordless sign-on options—PIN, biometrics, and external hardware devices. During registration, the online service prompts the user to select an authentication method, and the authenticator creates a new key pair at that point. The private key is securely retained in the authenticator, whereas the public key is passed to the online service and bound to the user's account.

FIDO2: FIDO and W3C have jointly built FIDO2, a set of two open standards. W3C's WebAuthn standard provides a standard API, supported by popular browsers and platforms such as Android, for creating and managing public keys. In the typical sign-on scenario, the online service sends a challenge to the sign-on client (a browser or app) through the WebAuthn API, requesting that the challenge be signed with the private key. FIDO's Client to Authenticator Protocol (CTAP) then runs between the client and the authenticator to enable either passwordless sign-on or MFA.

Universal Second Factor (U2F): This protocol complements traditional password-based security with a second factor based on external authenticator devices such as fobs and pluggable USB devices. Browsers and authenticator devices that conform to the protocol can automatically connect and communicate, thereby establishing second-factor authentication.

FIDO simplifies authentication for consumers and protects against identity theft and identity takeover while ensuring compliance with regulations such as PSD2.

This article is a synopsis of a blog published by Prove.
