What is FIDO Authentication?

Highlights:

  • Learn what FIDO authentication is and its key principles.
  • Get a breakdown of how FIDO works, including registration and user workflows.
  • Understand the different FIDO protocols and their roles in the deployment of FIDO-based authentication.
  • Get real-world examples and guidance on how to implement FIDO2 and passkeys effectively.

Introduction

Fast Identity Online (FIDO) is a set of open authentication standards that enable passwordless authentication using public key cryptography and common devices. The cryptographic credentials are commonly referred to as “passkeys.” FIDO authentication is simpler to use and far more secure than passwords and conventional multi-factor authentication.

The Core Principles of FIDO Authentication

Passwords present businesses with significant risks to their security and frustrate users because they are difficult to remember and need to be changed frequently. In addition, a single mistype causes logins to fail.

FIDO authentication offers a more secure and user-friendly alternative to traditional password-based authentication. It takes a standards-based approach to ensure broad compatibility and scalability, and create consistent login experiences.

Making Privacy and Security a Priority

According to HYPR research, this year alone, 91% of breached organizations name credential misuse or authentication weaknesses as a root cause of a data breach. Eliminating the dependency on passwords, particularly for privileged accounts, and replacing them with phishing-resistant methods offers a holistic approach to identity security.

In addition, a user’s privacy is guarded because the cryptographic and biometric data is stored on the user’s device rather than a server.

Ensuring a Good User Experience Across Devices and Platforms

With over 250 interoperable products available on the market, FIDO Certification provides a set of universal specifications — a common language — to ensure operation across a wide range of platforms and services.

This includes the ability to integrate with existing ecosystems (e.g. Single Sign-On, IAM systems) and devices (macOS, Windows, iPhone, Android). It also ensures that the user experience on one device or website is consistent with another.

Implementing Passkeys

Implementing FIDO passwordless authentication is designed to be straightforward to ease adoption. The process involves setting up a FIDO server that integrates with existing IAM systems and adheres to global standards like FIDO2 and WebAuthn.

Once in place, users can quickly register trusted devices, such as smartphones or security keys, that securely store private keys. The FIDO server then handles authentication by validating these devices with public keys, enabling a secure, efficient login experience.

The FIDO (Fast IDentity Online) Alliance

Formed in 2013, the FIDO Alliance is a group of leading technology and financial companies whose goal is to transform security and replace the traditional use of passwords with a far more user-friendly and secure method of authentication.

The FIDO Alliance consists of over 250 members that include Google, Amazon, Microsoft, Paypal, MasterCard and VISA. HYPR has been a member of the FIDO Alliance since 2015. 

How Does FIDO Authentication Work?

FIDO delivers strong authentication by using asymmetric cryptography that incorporates a public and private key pair. The private key is unique to the user and stays on the user’s device while the corresponding public key is stored on the FIDO server.

To authenticate, the service sends a challenge to the user’s device. The user validates their identity using a secure on-device method (e.g. biometrics), which authorizes the private key to sign the challenge.

Registration / Enrollment

FIDO authenticators or passkeys can be registered on websites, SSO/IdP systems or devices (e.g. desktop login), or any combination of the above.

A generic passwordless registration flow on a FIDO-supported website would be:

  1. The user selects from various FIDO authentication mechanisms supported by the application (e.g., security key, platform authenticator, smartphone FIDO authenticator app).

  2. The user activates the authenticator with the corresponding authentication action (e.g., scan face or fingerprint, touch a YubiKey, enter a PIN).

  3. The FIDO authenticator generates a public-private key pair unique to the user and application. Device-bound passkeys are also unique to the device.

  4. The public key is stored on the server and the private key securely on the authenticating device (device-bound passkeys) or in a secure credential manager (synced passkeys).

Note: The exact steps needed to register or enroll a FIDO authenticator or passkey depend on the passwordless solution and the use case.

Using a FIDO Authenticator / Passkey to Login

Once the user has set up FIDO authentication, the application, website or device requires the user to sign in with their registered FIDO authenticator. The service sends a cryptographic challenge and the user verifies their identity using the method set up during registration.

Upon successful verification, the private key signs the challenge. The authenticating server verifies that the signature matches the stored public key, granting the user access to the system. 

The Benefits of FIDO Authentication

FIDO authentication benefits both companies and users on multiple fronts.

Enhanced Security and Privacy

First, the private keys used for FIDO authentication are stored on the user’s device, and never shared, so they cannot be stolen through methods like phishing or man-in-the-middle (MitM) attacks.

Even if a server is breached, there is no sensitive information to steal. In addition, any biometric data and personal identifiers never leave the user’s device, ensuring data privacy and security.

Phishing Resistant

A second benefit is that FIDO authentication is inherently phishing resistant. It not only eliminates the transmission of credentials that attackers could intercept or misuse; each credential is also tied to the specific domain of the service.

Even if an attacker attempts to intercept or spoof the process, authentication cannot be completed on a malicious site. FIDO authentication essentially removes the human element and binds authentication credentials directly to the intended service, drastically reducing the effectiveness of phishing attacks.
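The challenge-response flow from the registration and login sections above, together with the domain binding behind this phishing resistance, modelled as an added example (this is not HYPR's or the FIDO Alliance's code). It uses Go's standard-library ECDSA on P-256, the ES256 algorithm FIDO2 authenticators commonly use; the rpId, user and look-alike domain names are constructed, and the signed layout SHA-256(SHA-256(rpId) || challenge) is a simplification of WebAuthn's authenticatorData and clientDataHash, not the exact wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
)

// Authenticator stands in for a device-bound passkey: one P-256 key pair per
// relying party (rpId); private keys never leave this struct.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Server stands in for one user's record on the FIDO server: public key only.
type Server struct{ rpId string; pub *ecdsa.PublicKey }

// digest is the signed value, SHA-256(SHA-256(rpId) || challenge); folding the
// rpId into the signed bytes is what binds a credential to one domain.
func digest(rpId string, challenge []byte) [32]byte {
	rpHash := sha256.Sum256([]byte(rpId))
	return sha256.Sum256(append(rpHash[:], challenge...))
}

// Register mints a fresh key pair for rpId and releases only the public half.
func (a *Authenticator) Register(rpId string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // only if the system RNG is unavailable
	}
	a.keys[rpId] = priv
	return &priv.PublicKey
}

// Authenticate signs the challenge for the rpId the browser reports; a page on
// any other domain finds no matching credential, so nothing is signed.
func (a *Authenticator) Authenticate(rpId string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpId]
	if !ok {
		return nil, errors.New("no credential registered for " + rpId)
	}
	d := digest(rpId, challenge)
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// Verify recomputes the digest from the server's own rpId and challenge.
func (s *Server) Verify(challenge, sig []byte) bool {
	d := digest(s.rpId, challenge)
	return ecdsa.VerifyASN1(s.pub, d[:], sig)
}

// RunFlow runs registration, a real login and two phishing attempts against
// constructed domains. Expected: legitOK=true, phishSigned=false, relayedOK=false.
func RunFlow() (legitOK, phishSigned, relayedOK bool) {
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	srv := &Server{rpId: "bank.example"}
	srv.pub = auth.Register(srv.rpId) // registration: server keeps the public key
	ch := make([]byte, 32)            // a fresh random challenge per login defeats replay
	rand.Read(ch)
	sig, err := auth.Authenticate(srv.rpId, ch)
	legitOK = err == nil && srv.Verify(ch, sig)
	// A look-alike domain relays the real challenge; no credential is scoped to it.
	_, err = auth.Authenticate("bank-example.login", ch)
	phishSigned = err == nil
	// A credential enrolled at the look-alike domain signs under that rpId, so the
	// relayed signature fails verification at bank.example.
	auth.Register("bank-example.login")
	relayed, _ := auth.Authenticate("bank-example.login", ch)
	relayedOK = srv.Verify(ch, relayed)
	return
}
```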

Eliminates Password Reset Costs

Another benefit is a savings in cost. Password resets drain your IT teams’ time and resources — 29% of helpdesk costs are related to passwords, costing companies millions a year. During these resets, work is disrupted until the password is reset.

FIDO’s passwordless authentication reduces these IT costs, while delivering increased protection against credential-based attacks that can cost companies millions in recovery and downtime.

User Friendly

It also offers a superior user experience. FIDO authentication is available to users from a wide range of devices, including a user’s mobile devices, security keys and platform authenticators.

At the same time, it delivers multi-factor authentication in a single step, eliminating friction, the need to remember long passwords, and mistyped logins.

Scalable and Interoperable

As an open standard, FIDO authentication is available for any business to implement as it chooses. It also integrates with all platforms, operating systems, identity providers (IdPs) and single sign-on (SSO) services.

In addition, it is designed to be backwards compatible (e.g. FIDO2 works with U2F systems), to support different authenticators, and to allow different authentication methods to be combined for compatibility and security across systems.

Enables Regulatory Compliance

Finally, the strong authentication FIDO delivers, combined with its resistance to phishing, elimination of passwords and use of public key cryptography, enables it to meet and exceed various industry standards for data protection and user privacy.

These include many cybersecurity and data privacy standards such as NIST 800-63B, PCI-DSS, PSD2, HIPAA and GDPR.

FIDO Authentication Protocols

FIDO authentication is a standards-based approach to passwordless security that leverages cryptographic protocols for strong authentication without the need to store sensitive data. 

Here is a brief overview of the different protocols:

FIDO vs. FIDO2

FIDO2 is the most recent version of the FIDO protocols, enabling true passwordless authentication that seamlessly integrates with both web applications and platforms using WebAuthn and CTAP protocols.

FIDO2 was developed in collaboration with other industry bodies to create a more comprehensive, interoperable and scalable authentication standard. This has led to much wider acceptance and broader adoption than was possible under the original FIDO protocols.

What Is Web Authentication (WebAuthn)?

A joint project of the World Wide Web Consortium (W3C) and the FIDO Alliance, Web Authentication, or WebAuthn, is an open standard that enables browsers and applications to perform FIDO authentication and enable passkeys through its API. Users authenticate through browsers directly using either biometrics, PINs or hardware keys.

What Is CTAP (Client to Authenticator Protocol)?

CTAP, or Client to Authenticator Protocol, defines how a client such as a FIDO-supported web browser or operating system communicates with a compliant external authenticator. For example, it lets a smartphone act as the authenticator for a FIDO-supported web browser to deliver users a passwordless experience.

CTAP consists of two different variations, each with different features and applications.

CTAP1

CTAP1 focuses on 2FA (two-factor authentication), enabling a FIDO security key to be used as a strong second factor for authentication on FIDO2 browsers and operating systems over USB, NFC or Bluetooth Low Energy (BLE). It is generally used alongside a password.

CTAP2

CTAP2 delivers fully passwordless authentication and enables FIDO external authenticators to interface with FIDO2 web browsers and operating systems via USB, NFC or BLE. It is becoming the standard as the industry shifts to passwordless authentication.

What Is the Universal Authentication Framework (UAF)?

FIDO UAF, or Universal Authentication Framework, is an open standard that supports passwordless authentication to an online service using device-level biometrics or PINs.

It also allows combining multiple authentication mechanisms such as fingerprint + PIN. UAF was the first protocol developed by FIDO and laid the groundwork for more advanced authentication systems such as FIDO2. 

FIDO in Action: Real-Life Examples

Large-scale deployments of FIDO authentication help companies save time and resources while at the same time implement a more secure, frictionless authentication method for different sets of users and employees. 

Top Five U.S. Financial Institution Saves Millions in Help Desk Costs 

A top five U.S. financial institution had multiple legacy authentication systems, including several different SSOs. In an attempt to increase security, the company moved from 12- to 16-letter passwords, meaning these long strings had to be entered by users multiple times a day. The password and authentication fatigue employees were already suffering became even worse, especially for users of shared workstations, which require frequent logins. Employees were also increasingly frustrated by 45-minute waits for help desk resets, and the company had to pay approximately $100 for each help desk call.

By implementing FIDO authentication through HYPR, the financial institution successfully removed the friction associated with long passwords, driving rapid adoption with a remarkable 700% month-over-month growth. It also enhanced security for remote access by enabling employees to log in securely with their unique credentials and permission levels. At the same time, the solution saved millions in help desk costs every month.

American Manufacturing Corporation Eliminated Authentication Security Risks

A leading U.S. manufacturing corporation faced significant employee authentication challenges with two different sets of employees: those in the office and those in the field. The rules of the game changed during the pandemic shutdown as office employees became fully remote for the foreseeable future. However, these employees could only authenticate and onboard new services with a local login executed while in the office.

While office employees at least had access to local login if they arrived in person, those operating in the field without access to email or a phone posed a bigger authentication challenge.

With FIDO authentication powered by HYPR, the company was able to replace password-based login on laptops and workstations with passwordless authentication and onboard new office employees without requiring their physical presence in a local office. The company now provided new office employees with magic links to remotely VPN into their network, enabling managers to eliminate long IT help desk wait times. In addition, it enabled authentication for field workers without a corporate email or a mobile device through the use of YubiKeys.

Facilitate Passkey Adoption by Going Passwordless

Businesses can facilitate smooth passkey adoption in their organization by following a number of best practices. 

These include:

  • Mapping out use cases for different sets of users. For example, in-office, remote and hybrid employees, the systems and devices they use and the number of logins they need at a given time period. 
  • Identifying any technical challenges of integration presented by legacy systems.  New updates and configurations required for compatibility should be discussed with stakeholders before the integration.
  • Executing strategic planning. Timelines, roll-out stages and communication plans should be established in advance. A pilot group should be tested to identify potential issues to ensure the integration goes more smoothly with the rest of the groups. 
  • Facilitating effective communication and user support. This includes user-friendly documentation for new users, along with ensuring users understand the benefits of passwordless authentication. Training for user support should focus on the speed, security and improved user experience of the new login flows and troubleshooting issues such as lost devices. 

Meet Industry Standards and Regulatory Compliance

FIDO authentication helps organizations meet a wide range of cybersecurity standards and regulations, including: 

  • PCI DSS (Payment Card Industry Data Security Standard). FIDO’s strong authentication increases the security of payment systems, making unauthorized access to payment data more challenging. It also meets the regulation’s requirements for multi-factor authentication (MFA) and secure remote access. 
  • HIPAA (Health Insurance Portability and Accountability Act). FIDO’s strong, passwordless authentication complies with guarding the privacy of protected health information (PHI).
  • GDPR (General Data Protection Regulation). Since it does not store personally identifiable information (PII), it meets requirements for its principles of data minimization and privacy by design. 
  • CCPA (California Consumer Privacy Act). Replacing shared secrets with cryptographic public-private keys strengthens the security of consumer data. 
  • PSD2 (Payment Services Directive 2). FIDO complies with strong authentication requirements that include two-factor or passwordless authentication to secure online transactions in the payments industry. 
  • FFIEC (Federal Financial Institutions Examination Council). FIDO supports the identity verification and strong access controls that the FFIEC recommends for securing authentication to banking systems.
  • NIST SP 800-63B (Digital Identity Guidelines). FIDO’s public key cryptography and hardware-based authenticators meet NIST’s requirements for AAL3 authentication.
  • CISA phishing-resistant MFA guidelines. By limiting credentials to specific domains, FIDO meets CISA’s requirements for phishing-resistant multi-factor authentication.

Forrester TEI Report

Forrester Consulting conducted a Total Economic Impact™ study, determining that HYPR customers save millions of dollars, with a 324% ROI.

Deploy FIDO2 End-to-End Certified Authentication with HYPR

Involved with the FIDO Alliance since its earliest days, HYPR sits on the organization’s board and is the leading provider of FIDO Certified authentication.

HYPR’s passwordless MFA solution, HYPR Authenticate, extends the functionality of FIDO authentication into a comprehensive authentication solution for both workforce and customers. This includes:

  • Customized enrollment across mobile and web. HYPR seamlessly integrates into customer-facing applications to enable a passwordless authentication flow across mobile and web experiences.
  • Integration with existing identity systems and infrastructure. HYPR supports all major Identity and Access Management (IAM) systems, Identity Providers (IdP) and device platforms, including Windows, MacOS and Linux. 
  • Offering a range of authentication options. Reduce user friction and meet all your use cases by providing authentication options such as fingerprint, facial biometric authentication, decentralized PIN, hardware security keys (e.g. YubiKeys) and smart cards.
  • Securing access online and off. Easily integrate FIDO authentication into your customer applications with HYPR’s mobile and web SDKs. Make sure your employees can securely access their devices, even without network connectivity, through a unique offline mode.
  • Simplifying device pairing. Empower users with self-service to quickly pair and manage trusted devices.
  • Centralized management and control. Provision and manage FIDO authentication across millions of users through HYPR’s Control Center. Manage all FIDO authenticators, create authentication policies, and monitor real-time user and system analytics in a single console.

FIDO Authentication FAQs

FIDO (Fast Identity Online) compliance ensures that the solution aligns with the FIDO Alliance’s standards for secure, passwordless, and phishing-resistant authentication using public key cryptography. It helps organizations comply with regulations like GDPR, CCPA, PSD2, and NIST guidelines for strong authentication.

However, it is important to differentiate between some commonly used terms, which often get mixed up:

  • FIDO Compliant: Solutions that state they follow FIDO guidelines but have not undergone official certification. Always verify such claims through the FIDO Alliance directory.
  • FIDO Certified: Certified by the FIDO Alliance and listed in their directory. Certification may apply only to a single component, such as a server, ensuring interoperability but not necessarily covering the entire solution.
  • FIDO Certified Authenticator: An authenticator that has passed the FIDO Alliance’s rigorous testing, ensuring it meets strict security and interoperability standards.

While both FIDO and Multi-Factor Authentication (MFA) enhance user authentication security, they differ in scope and implementation:

  • MFA: A broad term for authentication that requires multiple factors to verify a user's identity. These factors typically include something you know (password), something you have (security token or OTP), or something you are (biometrics). MFA often relies on shared secrets, like passwords and SMS codes, which can be vulnerable to phishing and interception.
  • FIDO: A specific standard designed to enable secure, passwordless authentication using public key cryptography. FIDO relies on cryptographic keys stored securely on a user’s device and accessed via built-in biometrics or device PIN. Unlike traditional MFA, FIDO eliminates shared secrets which makes this login method phishing-resistant and more user-friendly.

While MFA is a general security method, FIDO provides an advanced and standardized way to achieve MFA with greater security, usability, and resistance to common attacks.

Passkeys are a newer term for FIDO keys. Passkeys can be either synced or device-bound — the original term FIDO key referred to what is now known as device-bound passkeys. The type of passkeys offered by Apple, Google and 1Password, for example, are actually synced passkeys. Both rely on FIDO standards for secure, passwordless authentication. However, they differ in how they are bound and stored:

  • Device-bound Passkeys: A device-bound, physical hardware authenticator that must be physically connected or communicated with to verify identity. This can be a hardware security key, such as a YubiKey, a smart card, or a FIDO device-bound authenticator app, such as HYPR.

  • Synced Passkey: A cryptographic credential that can be synced across devices through cloud services. This makes passkeys ideal for seamless, everyday use without the need for additional hardware. Examples include Apple Passkeys stored in iCloud Keychain, Google Passkeys on Android devices, and Windows Hello passkeys managed through Microsoft accounts.

Device-bound keys are tied to the physical device and considered more secure than synced passkeys, which offer greater flexibility for multi-device ecosystems. Both are far more secure than traditional MFA.

While often used interchangeably, WebAuthn and FIDO2 serve distinct roles within passwordless authentication:

  • WebAuthn: A W3C web API standard that enables browsers and web applications to implement passwordless authentication using public key cryptography. This is the application layer of the FIDO2 framework that allows web services to interact with FIDO authenticators.

  • FIDO2: The broader standard developed by the FIDO Alliance, which includes WebAuthn and CTAP (Client-to-Authenticator Protocol). CTAP enables the communication between devices, such as a browser and an external hardware authenticator, FIDO smartphone app, or synced passkeys.

The key difference between them is that WebAuthn enables passwordless authentication in browsers and FIDO2 is the broader framework that includes WebAuthn and protocols for external authenticator interaction.