A Brief History of FIDO
Daon’s Conor White offers insight into FIDO’s past, its technological contributions and collaborations with Daon, and the future of secure authentication with Identity Continuity.
August 17, 2023
In 2012, it was already accepted that passwords were not a safe enough factor to authenticate a customer’s identity or device for secure account access. The Internet Crime Complaint Center, a partnership of the Federal Bureau of Investigation (FBI) and National White Collar Crime Center (NW3C), reported that unverified losses had increased 8.3% over 2011 to reach an adjusted dollar loss of $525 million across nearly 290,000 complaints. In the UK, there were 16,355 cases of online banking fraud. It was clearly time for a better solution for authenticating customers and protecting their accounts.
The FIDO (Fast IDentity Online) Alliance, a global open industry association devoted to solving this challenge, was founded in July 2012 to reduce “the world’s over-reliance on passwords” by promoting the development of, use of, and compliance with standards for authentication and device attestation.
In 2012, Daon had already been in business for more than a decade, working to improve identity authentication. Conor White, Daon’s President of New Industries, recalls, “We’ve always been a proponent of biometrics standards, open standards, and global interoperability. Daon was part of several bodies that were feeding into ISO standards and other standards even before FIDO was formed.”
White continues, “We recognized from the very first moment that passwords are a broken system. We saw the fraud trends that were emerging from the rapid digitization of our everyday interactions. Daon was founded to solve the problem of making sure that the human being is at the center of a transaction when they are supposed to be – and not somebody else, like a bad actor, masquerading as that person through weak systems such as passwords.”
It was natural that Daon became an alliance member early on, bringing this expertise to the FIDO Alliance’s efforts to develop the new identity and authentication standards. Daon joined as a board member to help provide leadership and insights at all levels in the organization.
Introducing new standards
In the quest to develop new standards, the core ideas driving the FIDO Alliance’s efforts are ease of use, privacy and security, and standardization. The organization’s objective is to enable online services and websites to leverage the native security features of end-user computing devices for strong user authentication.
The first deployment of FIDO authentication was in early 2014 and enabled Samsung Galaxy S5 users to log in and make online, mobile, and in-store payments wherever PayPal was accepted – with the swipe of a finger. This groundwork led to the December 2014 simultaneous release of the FIDO Universal Authentication Framework (UAF) 1.0 and FIDO Universal 2nd Factor (U2F) 1.0 specifications.
Universal Authentication Framework (UAF)
UAF allows online services to offer passwordless and multi-factor authentication. The framework lets users register a laptop, mobile phone, or other device with a website or online service and select an authentication factor that is both available on the device and accepted by the online service. These factors can include biometrics, such as a fingerprint read by the sensor on a mobile phone, a face matched against a selfie taken with the device, or a voice print built from words spoken into the microphone. UAF also supports a PIN as the unlocking factor and lets factors be combined for multi-factor security. When users return to the site or access their account, they authenticate using the factor(s) they established at registration; the biometric itself is matched on the device and is never sent to the service.
Universal 2nd Factor (U2F)
U2F allows online services to add a strong second factor that uses a physical key for user login, enhancing the security of the existing password infrastructure for online services. When a user enters their username and password, the online service prompts them to present a second factor device.
The user establishes this second factor during registration and presents it during authentication by, for example, pressing a button on a USB device or tapping a near-field communication (NFC)-enabled device against their phone. Support for U2F devices is built into many web browsers, and one device can be used with any online service that supports the protocol.
FIDO2 and WebAuthn
FIDO2 represents the continued development of the FIDO specifications. FIDO2 enables users to authenticate to online services with common devices, using a unique cryptographic credential for every site. The FIDO 2.0 Web APIs were submitted to the World Wide Web Consortium (W3C), the international community in which member organizations, staff, and the public develop web standards. In 2016, the W3C launched a web authentication standards effort based on these APIs, which has evolved into today’s Web Authentication (WebAuthn) API. FIDO2 is the combination of WebAuthn with the Alliance’s own Client to Authenticator Protocol (CTAP), which lets an external authenticator, such as a security key or a mobile phone, talk to a browser or operating system that supports WebAuthn, so the same authenticator can serve web services and desktop applications.
Support for the WebAuthn protocol has grown rapidly. It has been integrated into leading web browsers and supported by many vendors, including Daon. W3C announced in March 2019 that WebAuthn had become the official web standard for password-free login.
How these FIDO protocols work
UAF, U2F, and FIDO2 protocols use standard public-key cryptography to strengthen authentication at registration (when a credential is enrolled for an account) and at every later login (when the user returns to the website or their account). Note that FIDO registration establishes a credential; it does not by itself prove who the user is, so identity proofing, where required, is a separate step. The protocols are also designed from the ground up to protect privacy: a different key pair is created for every service, so nothing in the credential can be used to track a user across online services, and the private key and any biometric data never leave the user’s device; only a signed response does.
At registration, the user’s mobile phone, laptop, or other client device creates a new key pair. It retains the private key, storing it securely on the device (in a secure, hardware-backed keystore, for instance), and registers the public key with the online service. When the user returns, the service sends a fresh, random challenge, and the client device proves possession of the private key by signing that challenge. The private key can only be used after it is unlocked on the device by the user performing a simple action such as scanning their face, swiping a finger, or entering a PIN.
From a customer’s point of view, at registration, they are prompted to choose an available FIDO authenticator that’s accepted by the online service. They unlock their FIDO authenticator, and in a matter of seconds, their device has created the unique public/private key pair for their device, the online service, and the user’s account.
At login, the online service challenges the user to authenticate with their registered device and to unlock their FIDO authenticator with the method they established at registration. In a process that is transparent to the user and completed in seconds, the device returns the signed response to the service, which verifies it with the stored public key and logs the user in.
Benefits of adopting FIDO protocols
Adopting FIDO protocols offers several advantages for businesses across the widest range of industries.
According to IT Governance, in June 2023 alone there were 79 security incidents that accounted for 14,353,133 compromised records. AAG reports that, “the use of stolen credentials is the most common cause of data breaches.” The Hacker News said, “Even after years of warnings, changing password requirements, and multiple forms of authentication, password stealing remains a top attack method used by cyber criminals.”
With FIDO protocols, there are no passwords to guess, hack, or steal. More importantly, the credential cannot be phished. The online service stores only the public key; the user’s private key never leaves their device. Each credential is bound to the service’s origin: the browser or client will only present it to the site it was created for, and the signed response records the origin and the service’s challenge, so a look-alike site can neither obtain a signature nor replay one it captures. Even if the public key were stolen, it could not be used to access the user’s account or data, because a private key cannot be derived from a public key. No secret authentication data or PII (personally identifiable information) needs to be stored server-side, so a breach of the server yields nothing an attacker could use to log in as the user.
Concern among users about the privacy of their personal information has led to the rise of regulations such as the GDPR in the EU and CCPA in California. According to the United Nations Commission on Trade and Development (UNCTAD), 137 of 194 countries have put in place legislation to secure the protection of data and privacy.
The key pairs used with FIDO authentication protocols carry no personal information, and because a separate pair is generated for every service, they cannot be used to link a user’s accounts to each other. Authentication data, including biometric data such as fingerprints or facial scans used to unlock the authenticator, stays on the user’s device.
This not only protects user privacy but reduces the amount of sensitive authentication data a business must store and protect under the regulatory regime(s) of wherever it does business.
According to White, “FIDO not only helps increase confidence and trust in the interaction – it also helps remove friction, which is very important. For many years, we as an industry, globally, have tried to fight fraudsters by putting in extra checks to deter them, but these checks create friction for the genuine user. So, to prevent that one percent of fraudulent attempts at hacking an account, we were inconveniencing the 99% of people who were trying to do it right.”
White’s point is yet another reason why FIDO protocols are a great way to preserve and promote good UX: they let users quickly access their account without friction and in a way that increases their trust in the organization. When it comes to attracting new customers, businesses with a good user experience have a competitive advantage over those who still rely on passwords that have to be remembered and can be forgotten or lost.
The latest project the FIDO Alliance is working on is passkeys. A passkey is a discoverable FIDO credential rather than a new protocol: the platform’s credential manager can sync it across a user’s devices, so the user does not have to register each device with the account separately, and the browser or operating system can offer the user’s passkeys for a site directly in place of a password prompt.
As passkeys roll out, one challenge is balancing the dramatic increase in user convenience they provide with the concerns of businesses that give up some control over their security posture: with a synced passkey, the private key is held by the platform’s sync fabric rather than bound to a single device, so the relying party can no longer assume the credential is tied to one attested piece of hardware. White states: “At Daon, with our 20-year history of global identity assurance deployments, we are ideally suited to help companies understand this dynamic and optimize their identity strategy to deal with it.”
Daon and FIDO
White continues, “Participating in the FIDO Alliance is a win-win. We’re deployed on every continent, with hundreds of millions of people in our systems, so we bring an understanding of global identity assurance to the Alliance. We also learn from participating in FIDO and can refine our products to ensure they comply with what our end users, who are part of the Alliance, want.”
Daon has been very active in the technical working groups that write the FIDO protocols, including UAF and FIDO2/WebAuthn, and has participated in the interoperability testing that shows that implementations from multiple organizations work together under the protocols. The company was also one of the earliest to obtain FIDO certification and continues to put products forward for certification as it makes changes, updates, and brings new solutions to market.
“We have customers who use our technology to onboard their consumers, to authenticate them in the contact center when they call in (within only 4-6 seconds), to authenticate them on the web, to authenticate them on a mobile app, and to authenticate them in person. Anytime, anywhere, at any level of risk, every single capability is made available to all those channels to provide a high level of assurance of an individual’s identity. The whole experience and the whole workflow are based on Daon’s Identity Continuity platform, of which FIDO is a core component,” concludes White.
With Daon’s platform, businesses get a single, central view of any customer across their entire identity journey, whether the customer calls a contact center, accesses their account from their mobile phone, or deals with an issue in person.