In today’s digital world most of our activities are conducted via online services. In some instances, these services are the foundations of people’s livelihoods and are of immense importance. For others, they represent a more casual venture into the online sphere yet still represent an element of reliance.
It is estimated that around 4.4 billion individuals access the internet on a regular basis; therefore users’ online security is of the utmost important. This includes whether they are connecting via a laptop and require robust protection by relevant programmes, or if they are accessing via a mobile device and require strong levels of mobile application protection and security. This is an important consideration for both enterprises and end users, as instances of fraud can have devastating impacts for both parties.
When the Internet’s initial reach started to increase, simple passwords were enough to stave off malicious attacks by fraudsters and hackers looking to gain access to an individual’s device. However, in today’s multi-device world, implementing more robust safety protocols is now more important than ever.
This has led to the emergence of Fast Identity Online (FIDO).
The FIDO Alliance was established in February 2013 and is an open industry association, and its core aim is to reduce dependence on traditional passwords. To achieve this, new technical specifications were developed and put forward.
These specifications ensure enhanced and reliable authentication for users of online services without depending on traditional passwords, which can be prone to data breaches. FIDO Authentication enables faster and more secure methods of authentication and is defined by two key protocols:
- Universal Authentication Framework (UAF)
- Universal 2nd Factor (U2F) protocol.
UAF provides password-less authentication for users and they are able to register their device onto the online service to complete authentication on their local devices. This feature allows for a combination of authentication factors to provide higher levels of security.
U2F helps augment traditional password-based authentication systems with a local authentication device like a USB key or NFC module helping to achieve this.
FIDO Authentication uses asymmetric cryptography techniques. This cryptographic system utilises two keys. As a result, this reduces concerns regarding the security of cloud-based authentication methods and is considered to be more robust.
How Does FIDO Authentication Work?
FIDO uses public-key cryptography; registrations with any online service create two keys. It uses sensitive user data like fingerprints, facial recognition information, etc., and this resides locally on the device. The device transmits a shared key to the service; using the service requires both of these keys in tandem.
Now we will explore this process and technique in further detail to gain greater insight.
When registering, the user selects a local authentication method and the FIDO authenticator is then unlocked by using a fingerprint, an external, facial recognition, or other means that the device is capable of.
Once this process has been completed, a unique public private key is generated and the public key is sent to the online service. Most importantly, through this process the private key never leaves the device, thus providing increased levels of security.
During login, the online service ‘challenges’ the user to login using a previously registered device. The user then unlocks the FIDO authenticator using the method used during registration. Authentication is verified by the device using the account identifier provided by the online service. Finally, the online service receives the signed challenge and the user is logged into the service after cross verification with the stored public key.
The FIDO protocols incorporate security at the centre of its operations and procedures. Therefore, users’ privacy is at the core of the technology and no information is shared across services that allows them to track users- movement. In addition to this, biometric data, if utilised, never leaves the users- device, providing robust levels of security.
