October 09, 2023

Anonybit Team

What Is FIDO & How Does It Work?

Blog What is FIDO

FIDO is revolutionizing the way we approach cybersecurity and authentication, making it easier and more secure to access online accounts without the use of passwords. This cutting-edge protocol eliminates the need for traditional passwords, providing a more seamless login experience. With FIDO, you can say goodbye to the hassle of remembering complex passwords and welcome a new era of secure online identity verification. Get ready to explore the future of cybersecurity and passwordless security with FIDO!

What Is The FIDO (Fast Identity Online) Alliance?

instant recognition with Fast Identity Online

In 2007, PayPal was trying to increase security by introducing MFA to its customers in the form of its one-time password (OTP) key fob: Secure Key. Although Secure Key was effective, adoption rates were low — it was generally used only by few security-conscious individuals. The key fob complicated authentication, and most users just didn’t feel the need to use it.

In talks exploring the idea of integrating finger-scanning technology into PayPal, Ramesh Kesanupalli (then CTO of Validity Sensors) spoke to Michael Barrett (then PayPal’s CISO). It was Barrett’s opinion that an industry standard was needed that could support all authentication hardware. Kesanupalli set out from there to bring together industry peers with that end in mind.

The FIDO Alliance was founded as a result and went public in February 2013. Since that time, many companies have become members, including:

  • Google
  • Microsoft
  • Apple
  • ARM
  • Bank of America
  • Mastercard, Visa
  • Samsung
  • Dell
  • RSA
  • several government organizations.

Today, FIDO authentication is guided by three mandates: ease of use, standardization and privacy/security.

Related Reading

What Is Fast Identity Online (FIDO)?

cryptography on laptop - Fast Identity Online

FIDO authentication has emerged as a powerful solution to the increasing threat of data breaches through cybercriminal activities. By leveraging public key cryptography techniques, FIDO protocols ensure secure user authentication by connecting an encrypted key from a trusted device to a dedicated server, reduces the chances of sensitive data being exposed during data transmission. Authenticating on the trusted device is typically done via the device owner’s biometric to release the cryptographic key.

Enhanced Security and Privacy with FIDO Authentication

One of the main  benefits of FIDO authentication is that the private key and biometric data, if used, never leave the user’s device. This ensures that even if a cybercriminal intercepts communication, they won’t be able to access the user’s private keys or their biometrics.

The use of biometric data, such as fingerprints or facial recognition, is meant to provide a robust layer of security to authentication processes. This user-centric security approach is a potent means of protecting individuals from the dangers of data breaches and safeguarding their privacy in an increasingly digital world.

Anonybit: Revolutionizing Identity Management with a Decentralized Approach

At Anonybit, we are at the forefront of the fight against data breaches and account takeover fraud with our cutting-edge decentralized biometrics features. Our integrated identity management solution enables companies to leverage FIDO passwordless authentication while ensuring the security of their biometric data even for account recovery or the authentication is done via an unknown device. By implementing Anonybit’s decentralized biometrics technology, businesses can enjoy a host of authentication features such as: 

  • Passwordless login
  • Wire verification
  • Step-up authentication
  • Help desk authentication

Our mission at Anonybit is to empower organizations to combat the rising threats of data breaches, account takeovers, and synthetic identity fraud. Our security solutions cover various aspects of the user lifecycle, including:

  • Strong multi factor authentication 
  • Secure storage of biometrics and personally identifiable information (PII) data
  • Support for 1:N matching for lookups and deduplication

By introducing Anonybit’s integrated identity management platform, organizations can eliminate the tradeoffs between privacy and security, effectively preventing data breaches and account takeover fraud, while elevating the user experience across the enterprise. Take the first step towards a secure and seamless identity management strategy by scheduling a free demo of Anonybit’s integrated identity management platform today.

Core Principles Of FIDO Authentication

person learning basics of Fast Identity Online

When it comes to user privacy and security, FIDO protocols elevate current weak authentication processes. FIDO makes sure your biometric data remains private by not sharing it with online services or storing it in a centralized repository on a remote server. Instead, the biometric measurements are transformed into cryptographic representations on the trusted device, and these are used to verify a user’s identity.

FIDO Authentication employs local authentication, where the authentication process happens on the device itself, rather than on a remote server. This approach substantially reduces the risk of remote attacks and unauthorized access to data but can compromise security by masking the true identity of the person behind the device

Universality Across Devices and Platforms

The FIDO Alliance’s aim is to have passwordless uthentication be widespread, offering users the same level of security on any device they use. This universality is meant to extend to different operating systems and browsers, ensuring that applications and services can support FIDO authentication irrespective of the platform used. This can be a challenge as noted in our previous blogs on the topic. 

Reduction of Reliance on Passwords

Passwords have been the traditional means of online security, but they are also a significant vulnerability. They can be easily guessed, stolen, or forgotten, and managing a unique password for each online account is inconvenient, and as a result most people tend to reuse passwords. FIDO aims to address these issues by replacing passwords with more secure and user-friendly alternatives like biometrics and cryptographic passkeys. By doing so, FIDO not only enhances security but also improves the user experience when it comes to authentication.

Related Reading

What Types of FIDO Protocols Are Available?

coding screen - Fast Identity Online

The FIDO UAF protocol allows online service providers to offer their users passwordless sign-on experiences. Multi-factor sign-on experiences are also available if additional security is required. To use UAF, users must have a personal device, such as a computer or smartphone, that they register with an online service. During the registration process, users are asked to choose the method they want to use to authenticate with that service in the future.

How UAF Works

When a user attempts to access an online service for the first time, they are prompted to register. During the registration process, the user selects the authentication method that they want to use to sign on. Only methods that match the service’s acceptance policy are available.

The user’s device, which could be a personal computer or a mobile device, creates a new key pair unique to the device, online service, and user account. The user’s device retains the private key and sends the public key to the online service associated with the user’s account, which completes the registration process. After registering, the user can quickly access the application using the authentication method that they selected.

Universal Second Factor (U2F)

The FIDO U2F protocol complements traditional password-based security, rather than replacing it altogether. With U2F, users must provide two pieces of evidence to verify their identities: 

  • Something that they know, like their username and password
  • Something that they have, like a registered fob or USB device

These security devices are known as U2F authentication tokens or security keys and can use USB, NFC (near-field communication), or Bluetooth technology to complete authentication processes.

How U2F Works

When a user attempts to access an online service for the first time, they are prompted to register and provide a username and password. Each time a user attempts to subsequently access an online service through their browser, the user enters the username and password that’s recognized by that online service.

The service sends a challenge to the registered security device. The security device activates, acknowledges that it received the challenge, signs the challenge in a way that proves it has possession of the private key, and sends the signed challenge to the online service. The user gains access to the online service.

What Is FIDO2 & How Does FIDO2 Authentication Work?

how does it work - Fast Identity Online

FIDO2, the latest specifications from the FIDO Alliance, was developed in collaboration with the World Wide Web Consortium (W3C). FIDO2 includes two open standards: 

  • FIDO Client To Authenticator protocol (CTAP)
  • W3C standard WebAuthn

These work together to provide passwordless login options, or two-factor and multi-factor login for enhanced security. Authentication processes may incorporate built-in authenticators such as biometrics or PINs, or roaming authenticators like fobs or USB devices.

WebAuthn

WebAuthn defines a standard web API integrated into platforms and browsers to facilitate FIDO authentication. It manages the creation and control of public key credentials and communicates with both CTAP1 and CTAP2 authenticators.

CTAP1 & CTAP2

CTAP1 enables users to have a second-factor login experience, by plugging security devices into their computers or placing their devices in proximity to an NFC reader to access an online service. CTAP2 allows the authenticator to function as both the primary and secondary factor in authentication, enabling passwordless login or 2FA and MFA where more protection is demanded.

How Does FIDO2 Authentication Work?

When a user attempts to access an online service for the first time, they’re prompted to register and provide a username and password. During registration, a new key pair is generated that has one private key and one public key. The private key is stored on the device and associated with the id and domain of the online service, while the public key is stored in the online service’s key database on a server.

Each time the user attempts to subsequently access an online service, the online service, or relying party (RP), uses APIs to verify user credentials with the authenticator.

1. Challenge

The RP sends a challenge to the FIDO client, asking it to sign the data with the private key.

2. Consent

The user consents using the selected authentication method.

3. Key Retrieval

The client obtains the private key from the authenticator.

4. Authentication

The client signs the challenge to prove the possession of the private key, granting access to the online service.

Is FIDO Right For You?

The protocol you use will likely depend on the level of security required from a FIDO security key and the type of experience you want your users to have. For example, if you work in the financial or healthcare industries and handle sensitive information, you might want to use U2F or FIDO2 because they require users to authenticate using two pieces of information. It will also likely depend on the number of users you have, the ways in which they are deployed, and the compatibility with your existing infrastructure. In considering a FIDO implementation, the account recovery process is an important element to plan carefully, to avoid the fallback of passwords and knowledge questions which would compromise the security of the entire system.

5 Best Practices For Fast Identity Online (FIDO) Implementation

person teaching about best practices of Fast Identity Online

1. Offer Multiple Authentication Methods

Offering multiple authentication methods is key to a successful FIDO implementation. The FIDO standards support various authentication mechanisms, such as biometrics, PINs, and security keys.

By providing users with multiple options, you can cater to diverse preferences, enhancing their experience and increasing adoption of the authentication system. For example, while some users might prefer biometric authentication due to its convenience, others might feel more comfortable with security keys or PINs.

2. Maintain a Backup Authentication Mechanism

While FIDO authentication provides robust security, it is not infallible. Users might lose their security keys, forget their PINs, or encounter issues with their biometric devices. In such cases, having a backup authentication mechanism is crucial. This ensures uninterrupted access to services for users and maintains the security of systems.

A streamlined backup authentication mechanism is the Anonybit Decentralized Cloud, which can store the user’s biometric and the passkey in a secure way, ensuring that attackers cannot impersonate the trusted user in the account recovery process. 

3. Test Across Different Platforms and Devices

FIDO authentication is designed to work seamlessly across various platforms and devices. Testing your FIDO implementation across different platforms is still essential. This ensures that users can easily use the authentication system, regardless of their device or platform.

Sharing Passkeys across different platforms and devices presents some risks. Passkeys can be stored in the Anonybit Decentralized Data Vault to ensure a secure and positive experience.

4. Implement Rate Limiting

Rate limiting is a security measure that limits the number of authentication attempts a user can make within a specific timeframe. This measure helps prevent brute force attacks, where attackers try to gain access by making numerous authentication attempts in quick succession.

Implementing rate limiting in your FIDO authentication system is a best practice that enhances security. Strike a balance—the limit should be stringent enough to deter attacks but not so restrictive that it hampers user experience. Consider implementing a progressive rate limiting system, where the limit decreases after each failed attempt.

5. Stay Updated with FIDO Alliance Recommendations

The FIDO Alliance is a consortium of leading tech companies that developed the FIDO standards. They continuously update these standards based on the latest research and developments in the cybersecurity field. It is crucial to stay updated with their recommendations to maintain the effectiveness of FIDO Authentication.

Regularly visit the FIDO Alliance website, subscribe to their newsletters, and participate in their events and forums. This not only keeps you updated with their latest recommendations but also provides opportunities to learn from and network with other professionals in the field.

Related Reading

Book A Free Demo To Learn More About Our Integrated Identity Management Platform

At Anonybit, we are FIDO compliant. We help companies prevent data breaches and account takeover fraud with our decentralized biometrics technology. With our decentralized biometrics framework, companies can enable passwordless login , wire verification, step-up authentication, and help desk authentication and more. 

Comprehensive Security Solutions for Companies

We are on a mission to protect companies from data breaches, account takeover and synthetic identity on the rise, privacy regulations, digital transformation. To achieve this goal, we offer security solutions such as:

  • Secure storage of biometrics and PII data
  • Support for the entire user lifecycle
  • 1:1 authentication and 1:N matching for lookups and deduplication

Balancing Privacy and Security with Anonybit’s Integrated Platform

Anonybit eliminates the tradeoffs between privacy and security. Prevent data breaches,  reduce account takeovers, and enhance the user experience across the enterprise using Anonybit. Book a free demo today to learn more about our integrated identity management platform.

Be the first to know the latest news, product updates, and more from Anonybit