Definition

FIDO (Fast Identity Online)

Contributor(s): Matthew Haughn, David Strom

FIDO (Fast ID Online) is a set of technology-agnostic security specifications for strong authentication. FIDO is developed by the FIDO Alliance, a non-profit organization formed in 2012.  

FIDO specifications support multifactor authentication (MFA) and public key cryptography. A major benefit of FIDO-compliant authentication is that users don't need to use complex passwords, deal with strong password rules or go through recovery procedures when they forget a password. Unlike password databases, FIDO stores personally identifying information (PII) such as biometric authentication data locally on the user's device to protect it. FIDO's local storage of biometrics and other personal identification is intended to ease user concerns about personal data stored on an external server in the cloud. By abstracting the protocol implementation with application programming interfaces (APIs), FIDO also reduces the work required for developers to create secure logins for mobile clients running different operating systems (OSes) on different types of hardware.

FIDO supports the Universal Authentication Framework (UAF) protocol and the Universal Second Factor (U2F) protocol. With UAF, the client device creates a new key pair during registration with an online service and retains the private key; the public key is registered with the online service. During authentication, the client device proves possession of the private key to the service by signing a challenge, which involves a user-friendly action such as providing a fingerprint, entering a PIN or speaking into a microphone. With U2F, authentication requires a strong second factor such as a Near Field Communication (NFC) tap or USB security token.
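The UAF registration and challenge-signing flow described above, as an added Node.js sketch (not code from the article or the FIDO Alliance). `ClientDevice`, `OnlineService`, the service name and the username are hypothetical, and the local fingerprint or PIN check is reduced to a boolean.

```javascript
// Added illustration, not the UAF wire format; class and method names are hypothetical.
const crypto = require("crypto");

class ClientDevice {
  keys = new Map(); // serviceId -> private key, which never leaves the device
  // Registration: fresh key pair per service; only the public key is exported.
  register(serviceId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(serviceId, privateKey);
    return publicKey.export({ type: "spki", format: "pem" });
  }
  // Authentication: sign the challenge only after the local user check succeeds.
  sign(serviceId, challenge, userVerified) {
    if (!userVerified) throw new Error("local user verification failed");
    return crypto.sign("sha256", challenge, this.keys.get(serviceId));
  }
}

class OnlineService {
  publicKeys = new Map(); // username -> registered public key (PEM)
  pending = new Map();    // username -> outstanding challenge
  enroll(username, pem) { this.publicKeys.set(username, pem); }
  newChallenge(username) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(username, challenge);
    return challenge;
  }
  verify(username, signature) {
    const challenge = this.pending.get(username);
    const pem = this.publicKeys.get(username);
    this.pending.delete(username); // each challenge is single use
    if (!challenge || !pem) return false;
    return crypto.verify("sha256", challenge, pem, signature);
  }
}

function demo() {
  const device = new ClientDevice(), service = new OnlineService();
  service.enroll("alice", device.register("example-service"));
  const sig = device.sign("example-service", service.newChallenge("alice"), true);
  const login = service.verify("alice", sig);
  service.newChallenge("alice"); // fresh challenge: the old signature must not verify
  const replay = service.verify("alice", sig);
  const other = new ClientDevice(); // a second device whose key the service never enrolled
  other.register("example-service");
  const wrongKey = service.verify("alice",
    other.sign("example-service", service.newChallenge("alice"), true));
  return { login, replay, wrongKey };
}
```

The service stores only public keys, so a dump of its database yields nothing that can sign a challenge; the replayed signature and the unenrolled device both fail verification.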

The history of the FIDO Alliance

In 2007, PayPal was trying to increase security by introducing MFA to its customers in the form of its one-time password (OTP) key fob: Secure Key. Although Secure Key was effective, adoption rates were low -- it was generally used only by a few security-conscious individuals. The key fob complicated authentication, and most users just didn't feel the need to use it.

In talks exploring the idea of integrating fingerprint-scanning technology into PayPal, Ramesh Kesanupalli (then CTO of Validity Sensors) spoke to Michael Barrett (then PayPal's CISO). It was Barrett's opinion that an industry standard was needed that could support all authentication hardware. Kesanupalli set out from there to bring together industry peers with that end in mind. The FIDO Alliance was founded as the result of meetings between the group. The Alliance went public in February 2013, and since that time many companies have become members, including Google, ARM, Bank of America, MasterCard, Visa, Microsoft, Samsung, LG, Dell and RSA. Microsoft has announced the inclusion of FIDO for authentication in Windows 10.

This was last updated in March 2015

Next Steps

The proliferation of smartphones and other mobile devices continues to call for standards that support multifactor authentication. Methods such as biometrics are being incorporated into smartphones and PCs to prevent identity theft. Today, a variety of products exist on the market, including the EMC RSA Authentication Manager, Symantec Verisign VIP, CA Strong Authentication, and Vasco Identikey Digipass.


Join the conversation

6 comments


One challenge in implementing FIDO is that the users are not interested in security tokens till they can use them to access many sites. At the same time, a website will not prefer FIDO until authentication is possible on a significant proportion of the users of that website. Another challenge in implementing FIDO is that websites will not support it until most of the installed base is FIDO enabled.

What challenges have you run into when implementing FIDO?

FIDO standards are still not adopted on a large scale, and hence the real benefit of FIDO has still not been experienced by end users. But the day is not far off when this passwordless authentication standard will become the de facto standard for online authentication. It is just a matter of time. All online secure authentication provider companies should fall in line to adopt this standard before it is too late.

I haven't run into any significant deployment issues. The SurePassID platform supports the OATH protocol and existing authentication solutions, making it an orderly and straightforward migration to FIDO.

Just like any project, preparation and pilot tests are important to understand the new FIDO technology and user experiences. You can mix and match authentication devices with user preferences or security hierarchy requirements, so it is important to map out your user scenarios for everything from provisioning to authentication to de-provisioning, lost/stolen, cloud versus legacy networks and applications, etc.

Let me know if you are interested in piloting FIDO. We can set up a fully functional sandbox account in 5 minutes for you to start testing.

Hope this helps.
Kevin

Hi Kevin - Will you please help me in getting a functional sandbox account to view how FIDO works, or is there a document I can refer to?
Thanks!
isha

Hi Isha - send your contact info to me at kevin.raineri@surepassid.com and I will call you to set up a sandbox account for you in less than 5 minutes.
Talk to you soon,
Kevin
