What is FIDO? Exploring the passwordless future of online identification.

In the digital age, we need to log in to a variety of online services every day, from email to bank accounts, from social platforms to work systems. Traditional password verification methods are not only cumbersome and easily forgotten, but also carry serious security risks. According to the IBM X-Force Threat Intelligence Index report, nearly one third of cyber attacks involve hijacking valid user accounts. It is against this backdrop that the FIDO protocol has emerged, bringing us a safer and more convenient passwordless authentication experience.

Basic Concepts of FIDO

FIDO (Fast Identity Online) is an open authentication standard that was promoted and developed by the FIDO Alliance after its establishment in July 2012. The alliance aims to address the lack of interoperability between strong authentication technologies and reduce users' dependence on multiple usernames and passwords.

FIDO2 is a passwordless authentication open standard jointly developed by the FIDO Alliance and the World Wide Web Consortium (W3C), released in 2018, replacing the first FIDO 1.0 standard released in 2014. The core of FIDO2 consists of two protocols: Web Authentication (WebAuthn) and Client to Authenticator Protocol 2 (CTAP2). These protocols work together to enable users to log in to websites or applications without using traditional passwords.

How FIDO Works: The Magic of Public Key Cryptography

FIDO2 verification utilizes public key cryptography to generate a unique key pair known as a “Passkey,” which is associated with the user's account. This key pair consists of a public key stored with the service provider and a private key residing on the user's device.

When users want to log in to their account, the service provider sends a challenge (usually a string of random characters) to the user's device. The device prompts the user to verify their identity by entering a PIN code, using biometric verification (such as fingerprint or facial recognition), or using a security key.

If the user successfully passes the verification, the device will sign the challenge with the private key and send it back to the service provider. The service provider uses the public key to verify whether the matching private key was used and grants the user access to their account accordingly.

Since the private key is always stored on the user's device and never leaves it, the risk of security vulnerabilities is greatly reduced. Even if the service provider's server is compromised, hackers can only obtain the public key, which is almost useless to them.

Advantages of FIDO: Why It's Better than Passwords

Compared to traditional passwords, FIDO authentication has several significant advantages:

1. Enhanced Security: FIDO2 authenticators ensure that encrypted login credentials are unique to each website and are always stored on the user's device, never stored on the server. This method effectively prevents phishing attacks, password theft, credential stuffing, and replay attacks.
2. Convenient user experience: Users can authenticate their identity through simple built-in methods (such as fingerprint recognition or facial recognition), eliminating the hassle of remembering complex passwords. A study shows that FIDO verification offers a safer and more convenient alternative compared to traditional passwords and SMS two-factor authentication.
3. Privacy Protection: FIDO verification ensures that the cryptographic keys are site-specific, preventing cross-site tracking. When using biometrics, the biometric data does not leave the user's device, providing additional privacy protection.
4. Interoperability and Scalability: The FIDO2 standard has gained support from most user devices, web browsers, single sign-on systems, identity and access management solutions, web servers, and operating systems (including iOS, MacOS, Android, and Windows). Enabling FIDO2 password keys on websites is also very straightforward, requiring just a simple JavaScript API call.

Practical Application Cases of FIDO

FIDO verification has been widely used in various industries and scenarios:

• Financial Industry: Weikang Technology in Taiwan collaborates with 60% of financial institutions in the country, including Cooperative Bank and Mega Bank, to lead the introduction of financial FIDO services. Mega Bank and Mega Financial Insurance first implemented financial FIDO in June 2023, applying it to scenarios such as cloud counter financial transaction information updates, online securities account opening, and delivery account binding.
• Payment Services: BC Card, the largest payment processing company in South Korea, has adopted FIDO authentication in its mobile payment application paybooc, using fingerprint, facial, and voice biometric technologies for log in. As of May 2018, over 1.2 million users have registered on paybooc using biometric verification, conducting over 1 million transactions per month.
• Enterprise Security: HID has launched a new generation of FIDO verification product series and added the “Enterprise Passkey Management” (EPM) feature to assist enterprises in deploying and managing passkeys more efficiently. According to research by the FIDO Alliance, approximately 87% of enterprises have begun adopting passkey technology.

The Future Development of FIDO

With the continuous development of digital identity, the FIDO standards are also evolving. In June 2023, two specifications from the FIDO Alliance, FIDO UAF 1.2 and CTAP 2.1, were recognized as international standards by the International Telecommunication Union's Telecommunication Standardization Sector (ITU-T). This milestone establishes these standards as official standards of the ITU for global information and communication technology infrastructure.

David Turner, Senior Director of Standard Development at the FIDO Alliance, stated: “The FIDO Alliance is improving online authentication through open standards based on public key cryptography, making authentication stronger and easier to use than passwords or one-time tokens.”

Conclusion

The FIDO protocol represents a more secure and convenient method of authentication, providing us with an authentication experience that does not require the memorization of complex passwords through public key cryptography and modern biometric technologies. As cyber security threats become increasingly complex and digital life deepens, the popularity and application of the FIDO standard will become more widespread, serving as an important cornerstone for building a secure digital world.

Whether for individual users or enterprise organizations, understanding and adopting FIDO verification will help enhance online security while providing a smoother user experience. As technology continues to evolve and standards become increasingly refined, FIDO is expected to fundamentally change our perceptions and practices regarding online identity verification, truly realizing a passwordless future.