Identity and access management (IAM) is undergoing a significant paradigm shift in response to constantly evolving threat actors and regulatory demands around user and data safety. The world is transitioning away from traditional IAM methodologies that rely on shared secrets and centralized passwords. Even the more recent “upgrade,” multi-factor authentication in the form of SMS and one-time passwords (OTPs), is being phased out.
In its place, authentication systems are being hardened with passwordless security built on biometrics, decentralized authentication and public key infrastructure (PKI). A true sea change, however, requires a foundation of free, open, rigorous standards. Open standards are easier to understand and audit, offer flexibility and interoperability, and avoid the lock-in of proprietary models.
Fast Identity Online (FIDO) authentication standards have been named the “gold standard” for secure passwordless authentication for good reason. Here we look at what FIDO authentication is and its benefits for your organization.
What is FIDO Authentication?
FIDO is a set of open authentication standards developed by the FIDO Alliance. The Alliance comprises leading technology firms such as Apple, Google, Microsoft and HYPR, financial organizations such as Bank of America, Mastercard and Visa, and regulatory bodies such as NIST. Its stated mission is to build authentication standards that help reduce the world’s reliance on passwords.
FIDO authentication protocols use public key cryptography to strengthen authentication and attestation. Public key cryptography is more secure than passwords, SMS or OTPs and makes authentication easier for customers and service providers. Here’s how it works with FIDO:
- A user registers their device with the authentication system as an accepted FIDO authenticator, creating a public-private key pair.
- The private key is securely stored on the device, and never shared, while the public key gets registered with the service.
- When requesting authentication, the service challenges the device to prove that it has the private key.
- The private key is unlocked locally by a secure action, such as a biometric gesture (fingerprint, facial or voice recognition), inserting a security key or entering a local PIN.
- The user’s device signs the challenge, and the authentication provider verifies it with its public key and, if successful, logs the user into the service.
By leveraging different authentication factors simultaneously, such as possession (device) and inherence (biometrics), one of the core benefits of FIDO authentication’s login process is that it satisfies multi-factor authentication requirements without using passwords and without inconveniencing the user.
There are numerous other benefits of FIDO authentication’s application in authentication processes, so let’s look at the most important ones.
Nine Benefits of FIDO Authentication
- Passwordless Authentication: Password attacksremain the biggest risk to digital security.Stolen credentials are the root cause of 80% of web attacks and 50% of data breaches. They’re also the launching pad for other attacks, such as ransomware and invoice redirect fraud. The use of a passwordless MFA solution significantly hardens defenses and reduces vulnerability to phishing and social engineering attacks on users.
- No Shared Secrets Anywhere: The problem with shared secrets is that once more than one party knows them, anyone can. This applies to passwords and other common MFA deployments, such as SMS, OTPs and secret questions. One of the benefits of FIDO authentication and public key cryptography is that the vital secret, the user’s private key, always stays on their device. As a result, there are no server-side shared secrets to steal to elevate a successful breach. Deployment of FIDO protocols can even eliminate shared secrets from desktop authentication.
- Securing User Privacy: Among the benefits of FIDO authentication’s public key cryptography is that the public and private key pairs used for authentication don’t provide any personal information and don’t create any links between different servers or accounts the user may have. Additionally, any biometric data used to unlock the private key never leaves the user’s device and can’t be stolen from servers or through man-in-the-middle attacks.
- Regulatory Compliance: Insecure authentication risks non-compliance with security and privacy regulations, leading to fines, loss of public confidence and increased costs of doing business. FIDO-based authentication meets or exceeds cybersecurity standards set by governmental and industry bodies, such as NIST 800-63B and PSD2. Moreover, its endorsem*nt by the likes of CISA and OMB gives it a strong standing in terms of accepted best practices for meeting other regulatory requirements like HIPAA or PCI-DSS.
- Interoperability: FIDO protocols are developed and managed by a large group of the world’s major cybersecurity stakeholders including tech organizations, financial institutions and regulatory bodies. All specifications are freely available to audit, adopt and implement. In addition, FIDO authentication being an open-source standard means it can work seamlessly across all platforms without being tied to a specific OS, identity provider (IdP) or single sign-on (SSO) service. This allows users to integrate all their working devices and applications with the same secure authentication.
- User Convenience: The usability benefits of FIDO authentication are not limited to the developer side but also extend to vastly improved convenience for users. The FIDO authentication process makes secure, multi-factor authentication possible in a single gesture. The range of devices and methods available, such as a user’s smartphone, security keys and platform authenticators, create a flexible system that can meet the needs of both individual users and the organization.
- Scalability: A major challenge to the widespread adoption of more secure authentication processes is the cost and difficulty of deploying assets such as hardware security keys or plug-in biometric readers. Another benefit of FIDO authentication is how it allows users to fulfill the required factors of authentication using off-the-shelf devices or those they already have. In addition, cross-platform compatibility built into FIDO’s standards makes a FIDO-based authentication solution immediately deployable and scalable within an organization’s ecosystem.
- Reduced Costs: Not only do passwords introduce significant organizational risk, but they are also a major direct cost. A research report from Verizon suggests that employees contact a help desk with password issues 6-10 times per year, and each reset costs $40-50.Moreover, there’s a productivity cost until employees get back into the systems they need to do their work. The benefits of FIDO authentication include eliminating these costs, as well as the business disruption and incident response costs associated with credential-based attacks.
- FIDO Certification Process: A critical element of the security and reliability of FIDO authentication is its certification process. Upon completing compliance testing and receiving certification, vendors can guarantee compatibility and adherence to security standards. Providers can be certified for different solution components, such as servers, authenticators or biometric verifiers, at different security certification levels. The openness and clarity of the FIDO standards have helped it gain widespread acceptance among major tech producers, service providers and the developer community.
Realizing the Benefits of FIDO Authentication through HYPR
As a board-level member of the FIDO Alliance, HYPR is committed to improving authentication security across the world. Our Passwordless MFA solution delivers a seamless MFA login flow from desktop to cloud and integrates with all major SSO providers. It is also the only solution that is FIDO Certified on all components, and its multi-device flexibility eases the user experience by allowing secure login on their terms.
Download our passwordless evaluation guide to learn more about what to look for in a passwordless solution, or schedule a demo to see how HYPR works for yourself.
