Is FIDO secure enough to give us a passwordless internet?

FIDO is entering the world of consumer authentication. The big techs like Apple, Google, and Microsoft are backing FIDO, but will this bold move work out?

If you haven't had password fatigue, you are a rare beast. Passwords dog the uptake of services: they annoy at best and open up severe security flaws at worst. A NordPass study found each of us has, on average, 70-80 passwords; that's a lot of passwords to remember. Using passwords as a login credential has given cybercriminals the freedom to phish and steal credentials to their heart's content. The evidence for this comes from the Verizon 2020 Data Breach Investigations Report, which found that over 80% of hacking-related breaches involved brute force or the use of lost or stolen credentials. Phishing makes it easy to steal passwords: even if a user follows robust password rules, one click on a malicious link and one entry of login credentials into a spoof website, and you can say goodbye to that password.

This background of password usability headaches and security woes is what FIDO (Fast Identity Online) is attempting to fix. Previous work at FIDO to replace passwords with seamless authentication mechanisms focused on the enterprise end of the authentication spectrum. Now, FIDO has set its sights on the consumer world, and the big techs, Apple, Google, and Microsoft, are backing it. So, the question is: can FIDO balance the ever-present consumer need for usability AND online security?

Is passwordless a pipe dream?

Calls for a passwordless internet are nothing new. Mechanisms such as the 'one-time password' (OTP) system S/Key hark back to the early days of the internet and could be described as a nascent step away from the static password. Since then, the ubiquitous internet has moved the goalposts of authentication and security, but the password has persisted.

For well over a decade, the tech industry has known that something must give in the world of authentication: passwords are holding us back, especially in online consumer transactions; they are annoying, insecure, and a general headache for consumers and web developers alike. Diligent work by folks in the protocol space has led to flexible and robust authorization and identity protocols such as OAuth 2.0 and OIDC. Now, FIDO has pushed forward protocols and published APIs that bring seamless and secure authentication to consumers.

A quick recap of who FIDO is and what they do

FIDO is a consortium of big techs and smaller vendors working in end-user authentication. The FIDO Alliance was formed in 2012 by PayPal, Lenovo, Nok Nok Labs, and several other companies. More recently, Google, Microsoft, and Apple have become active members, pushing the dream of a passwordless internet.

FIDO’s focus is to replace passwords with something that is easy to use and secure. In other words, FIDO is on the hunt for the holy grail of online authentication, kicking the password into the long grass. FIDO uses standards to achieve this and has worked over the last decade to create a suite of such standards, along with supporting APIs that can be used to build passwordless systems.

In 2018, the W3C, working with FIDO, published WebAuthn (Web Authentication): a browser API, exposed through navigator.credentials, that web developers use to register and authenticate FIDO public-key credentials from a web page. This is an important step on the road to passwordless. Web developers are not typically authentication experts: they rely on experts like FIDO and W3C to give them the standards, libraries, and technologies to incorporate robust security into their user authentication mechanisms.

Further work from the FIDO Alliance brought out FIDO2. This added the Client to Authenticator Protocol (CTAP) to the FIDO suite of technologies: CTAP is the protocol an external (roaming) authenticator, such as a security key or a smartphone, uses to talk to a FIDO2-enabled browser or operating system over USB, NFC, or Bluetooth.

FIDO has historically focused more on enterprise authentication than on the broader requirements of consumer authentication. However, in March 2022, FIDO published a white paper that offers hope for a passwordless future for consumer authentication. The FIDO planets have aligned, and the move to consumer authentication now seems set. But can the complex world of consumer online transactions be secured and made usable?

The tech giants support FIDO, so what’s not to like?

In early May 2022, Apple, Google, and Microsoft announced that they would work together in a collective effort to make the web usable yet secure. The announcement stated the consortium would “expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.” A laudable stance from our big tech friends. But will this move lead to a secure (and usable) internet for all?


The move by Apple, Google, and Microsoft to support FIDO is important. These companies have a broad user demographic. They understand consumer authentication and its use (and misuse) by consumers and cybercriminals. This knowledge of user requirements and security issues will help in the ongoing developments of the FIDO standards and supporting technologies. Notably, the FIDO paper published in March recognizes that in the consumer space, the requirement to use a "special purpose authentication device (security keys)" has, to date, held back the use of FIDO in consumer-focused services. In other words, FIDO focused on security at the cost of usability.

In systems that service consumers, usability is as important as security. If something is overly secure, it tends to impact usability. If it's too hard to use, either a customer moves to a competitor with an easier-to-use service or finds a workaround that circumvents security. Customer-focused systems MUST balance security and usability.

FIDO proposes that two mechanisms will move the dial to adjust this security-usability balance to bring usability back into focus:

  1. Turn the user’s existing smartphone into a roaming authenticator.
  2. Provide better support for authenticator implementations (e.g., platform authenticators) that sync FIDO credentials between the user’s devices.

These two mechanisms give the consumer the usability and security they crave and support web developers and system designers. Surely this is a win-win for all?

FIDO is coming to a channel near you

FIDO's updates for consumer support come down to two things: a FIDO authenticator on an ordinary smartphone, and credentials that sync between the user's devices. FIDO summarizes this vision as:

“The user experience of sign-in becomes a simple verification of a user’s biometric or a device PIN – the same consistent and simple action that consumers take multiple times each day to unlock their devices.”

FIDO has made significant progress in covering the issues seen in consumer systems that are not typically an issue in an enterprise setting. These include a lost or unavailable device: people lose mobile devices or drop them down the toilet (I've done it twice myself). You do not want to be locked out of a critical account because your phone is unavailable. FIDO's answer is 'passkeys', multi-device credentials that are synced across a user's devices. However, if a device is inaccessible, you need access to another FIDO-enabled device, and you need to have configured those additional synced devices in advance. FIDO points out in their paper that:

“For these multi-device FIDO credentials, it is the OS platform’s responsibility to ensure that the credentials are available where the user needs them. Just like password managers do with passwords, the underlying OS platform will “sync” the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depend on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for their online accounts and on the security method for reinstating access when all (old) devices were lost.”

So, the onus is on the OS platform to keep synced credentials both secure and available. Google has said it will add support for FIDO passwordless authentication to Android and Chrome, and Apple will add support to iOS, macOS, and Safari. This support from the OS vendors is crucial if system designers and developers are to adopt FIDO.

The fact that FIDO recognizes the importance of multi-channel support for consumer authentication is a positive move. And, with the likes of Apple and Google now backing FIDO in their quest to support passwordless authentication, the onus on the OS should not be a barrier to security.

But, as always in a multi-stakeholder system such as the consumer online transaction landscape, every stakeholder must buy in for something as holistic as FIDO for consumers to work. The RP (relying party, i.e., the service provider) is a potential party pooper in the passwordless mix. Web and app developers have already built apps and services around passwords. Their customers, who may number in the millions on popular sites such as Airbnb, would have to be migrated to the new passwordless system: this is no mean feat and could take many years.

I have been a critic of FIDO for consumers in the past. However, the pieces of the FIDO-for-consumers puzzle are starting to come together. The security industry encourages good password practices with events such as World Password Day and security awareness training. Yet still, the most used password is 123456. The world cannot go on like this, handing the keys to the castle to cybercriminals in the form of passwords. FIDO finally looks like it could be a contender for a passwordless future.
