Whether we like it or not, passwords are something we have to live with in order to access various online services. But the fact that people are still using passwords that are incredibly easy to crack – despite the continuous warnings of security experts – proves that sooner or later developers must come up with a solution that is not only secure but is also able to either complement or fully replace those pesky passwords.
Laptops and smart devices are already capable of replacing passwords and passcodes, or of serving as one step in a two-factor authentication process, and it is the latter that FIDO, the next step in secure online authentication, is built on.
What Is FIDO?
FIDO (Fast IDentity Online) is an interoperable authentication standard intended to simplify the login process by eliminating the need for traditional passwords in favor of one-click logins. Long story short, when users register with or access a site that complies with the FIDO standards, all they need to do is identify themselves, either by using one of the biometric authentication methods built into the device the login attempt is made from, or by relying on a secondary device to perform a simplified two-factor authentication for them.
Basically, sites using FIDO standards will be able to recognize you either by using biometric authentication or – after the username and password have been provided on the primary device – by simply pushing a button on the secondary authentication device. In even simpler terms, FIDO is like the auto-login feature in password managers, except that it requires a device instead of a complex password.
The Technology Behind FIDO
Although the user only has to provide something simple like a fingerprint or a voice command, FIDO ensures that logins are as safe as possible.
When users register with a FIDO-compatible site and choose their method of identification – be it fingerprint, voice, face, PIN code or what have you – FIDO creates a key pair: a public key and a private key, unique to the local device, the online service and the user’s account.
While the public key is sent to the website to be associated with the user’s freshly created account, it contains no sensitive data and reveals nothing about the authentication method used, as those remain on the device, fully encrypted by the private key. In other words, it is the device used for authentication that encrypts the sensitive data, in a fashion similar to the way desktop password managers do.
So any time a login attempt is made using the matching identification method, FIDO confirms possession of the private key, signs the challenge issued by the online service and sends it back; the service in turn verifies the signed challenge against the stored public key and logs in the user.
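The registration and login flow described above, as an added example in Go using the standard library's Ed25519 signatures (this is illustrative code written for this article, not the FIDO Alliance's own implementation or the actual FIDO wire format). The types, the `userVerify` callback standing in for the biometric or PIN check, and the simple origin-prefixed challenge are all assumptions made for the example:

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
)

// Authenticator models the user's device: the private key never leaves it, and it signs only after local user verification passes.
type Authenticator struct {
	priv       ed25519.PrivateKey
	userVerify func() bool // stands in for the fingerprint, face or PIN check
}

// RelyingParty models the online service; it stores only a public key per account.
type RelyingParty struct {
	origin  string
	pubKeys map[string]ed25519.PublicKey
}

// Register creates the key pair on the device and hands only the public half to the site.
func Register(rp *RelyingParty, account string, verify func() bool) (*Authenticator, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	if rp.pubKeys == nil {
		rp.pubKeys = map[string]ed25519.PublicKey{}
	}
	rp.pubKeys[account] = pub
	return &Authenticator{priv: priv, userVerify: verify}, nil
}

// signedData binds the challenge to the origin, so a signature for one site is not valid at another.
func signedData(origin string, challenge []byte) []byte {
	return append([]byte(origin+"|"), challenge...)
}

// Sign (device side) refuses unless user verification passed, then signs the service's challenge.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, bool) {
	if !a.userVerify() {
		return nil, false
	}
	return ed25519.Sign(a.priv, signedData(origin, challenge)), true
}

// Verify (server side) checks the signed challenge against the stored public key; the challenge is the fresh random value the service issued for this login attempt.
func (rp *RelyingParty) Verify(account string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[account]
	return ok && ed25519.Verify(pub, signedData(rp.origin, challenge), sig)
}
```

In practice the service must generate a new random challenge for every login attempt and accept each one only once, so that a captured signature cannot be replayed.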
FIDO in Everyday Life
Despite being around since 2012 and having been backed by Samsung, Google, Microsoft, PayPal, Bank of America and others, FIDO is mostly unavailable to the general public. The reason behind that is pretty simple: FIDO standards are still not compatible with many devices and applications.
However, the first step was finally taken in 2017 when Lenovo and Intel, two of the companies behind the FIDO Alliance, released laptops that fully embrace FIDO standards. This means that users are able to log into any of the websites participating in the FIDO initiative simply by using biometric authentication or a secondary authenticator device connected to their Lenovo laptop.
Knowing how much the general public craves simplicity, especially when it comes to passwords and other types of credentials, it is only a matter of time before FIDO leads us to a truly password-free world.