What is FIDO?
Fast Identity Online (FIDO) is the world’s leading biometric authentication standard, enabling an extremely clever authentication method. FIDO is literally the future of authentication and ultimately the technology that will finally replace passwords and their problems.
mSIGNIA’s CEO has over 30 years of experience in identity, authentication, PKI, and privacy. This includes leadership at the Liberty Alliance project which ultimately brought about FIDO in 2013. mSIGNIA was a FIDO member when inventing our digital biometrics patent portfolio.
FIDO’s solution is simple genius, specifically:
- FIDO re-defined authentication as two distinct authentication events - one local and one remote - creating industry standards for an easy, privacy-compliant digital authentication. FIDO uses biometrics at the local device and asymmetric key cryptography for remote authentication. This yields a simple, easy, quick, YES/NO authentication event.
- FIDO intelligently jettisoned the overhead of public key ‘infrastructure’ (the “I” in “PKI” which includes concepts like certificates, CAs, RAs, cert revocation, etc.) and concentrated on the value of asymmetric key cryptography.
FIDO has been fearless in standardizing the difficult capabilities which make global standards so valuable.
For example, FIDO’s specification includes an attestation of the risk quality of a local authentication: How accurate is the biometric sensor? How safe is the storage of the crypto keys? This quality statement provides an industry-standard rating scale for the trustworthiness of a user authentication; such information can be passed to the relying party (i.e., the authentication party) to assess risk.
Who is Using FIDO?
FIDO’s innovation has been widely recognized through the World Wide Web Consortium (W3C) which standardizes the world's internet protocol. FIDO is driving adoption through W3C's Web Authentication (WebAuthn) and Secure Payment Confirmation (SPC) standards efforts.
As a result, global industry ‘infrastructure’ players such as device manufacturers, OS owners, and browser providers have broadly adopted FIDO.
Nearly every OS and browser in use today, including those by Apple, Microsoft, and Google, deeply integrate FIDO in the browser and give it access to security hardware. This native support makes it more secure than methods loaded higher in the stack.
Such wide-scale adoption is resulting in strong support from government efforts and leaders of the payment industry, including EMVCo's 3-D Secure.
FIDO over 3-D Secure Rails
The problem of digital authentication was originally thought to be a 1:1 relationship between a user and their online service provider.
FIDO followed this 1:1 relation when they created their authentication design.
Payments are not a 1:1 exchange; there are typically 8 elements to an online transaction: Consumer, their Device, Merchant, their Payment Service Provider, an Acquiring Bank, a Payment Network, the consumer's Issuing Bank, and the issuer's Risk Scoring Engine.
3-D Secure was defined by the payments industry to move data between these 8 payment parties.
FIDO, EMVCo 3DS, and the W3C are all working together to make online payments easier and safer. 3-D Secure provides the framework for communication and data exchanges between the 8 payment parties. FIDO's amazing authentication methodology is easy for the consumer and includes an independent security rating which other payment parties can review. W3C ensures global adoption and scale.
FIDO and Privacy
FIDO has always been a strong advocate for user privacy, working with government policy makers to safeguard the privacy of citizens the world over.
When FIDO split authentication into local and remote authentications, it allowed personally identifiable information (PII) like biometrics to be captured at the local device, never stored at the device, and never leave that device. The digital representation of the biometric unlocks the private key used for the remote authentication.
While this introduces friction in enrolling new devices, it keeps PII off the network and out of the cloud; it keeps people safe.
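The local/remote split described above can be modelled in a few lines of Go. This is an added example, not mSIGNIA's or the FIDO Alliance's code and not the WebAuthn wire format: Ed25519 stands in for the device key pair, the on-device biometric match is reduced to a boolean, and `Enroll`, `Authenticator` and `RelyingParty` are hypothetical names.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"fmt"
)

// Authenticator is the user's device; the private key never leaves it.
type Authenticator struct{ key ed25519.PrivateKey }
// RelyingParty stores a public key and one open challenge, never a biometric.
type RelyingParty struct {
	pub     ed25519.PublicKey
	pending []byte
}

// Enroll creates a per-device key pair; only the public half is shared.
func Enroll() (*Authenticator, *RelyingParty, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv}, &RelyingParty{pub: pub}, err
}

// NewChallenge issues a fresh, single-use random challenge.
func (rp *RelyingParty) NewChallenge() []byte {
	rp.pending = make([]byte, 32)
	if _, err := rand.Read(rp.pending); err != nil {
		panic(err) // never issue a predictable challenge
	}
	return rp.pending
}

// Sign is the local event; localMatch is the on-device biometric result.
func (a *Authenticator) Sign(challenge []byte, localMatch bool) ([]byte, error) {
	if !localMatch {
		return nil, fmt.Errorf("local user verification failed")
	}
	return ed25519.Sign(a.key, challenge), nil
}

// Verify is the remote event: a YES/NO answer that consumes the challenge.
func (rp *RelyingParty) Verify(sig []byte) bool {
	defer func() { rp.pending = nil }()
	return rp.pending != nil && ed25519.Verify(rp.pub, rp.pending, sig)
}

func main() {
	dev, rp, _ := Enroll()
	sig, err := dev.Sign(rp.NewChallenge(), true)
	fmt.Println("authenticated:", err == nil && rp.Verify(sig))
}
```

A signature from a second device that was never enrolled fails `Verify`, which is the enrollment friction noted above.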
FIDO and PSD2 SCA
As governments work to enact digital regulations, such efforts must mandate their citizens' safety and privacy while at the same time promoting commerce (think taxes).
With FIDO being the emerging de facto method for multi-factor authentication (MFA) which is also designed for privacy, it is no wonder that government efforts often reference FIDO explicitly.
The European Union's (EU) Revised Payment Services Directive (PSD2) mandates Strong Consumer Authentication (SCA) to ensure the EU's citizens can safely conduct online transactions. While there were nearly a dozen authentication methods mentioned by SCA bulletins, FIDO is quickly emerging as the best, most popular method for compliance.