Will corporate support for Fast ID Online [FIDO] mean mass adoption? If so, what does that mean for security and identity?
Passwords are an integral part of our cybersecurity culture. They are easy for people to use, comparatively easy to implement for app and web developers and generally understood. But their widespread use is also their Achilles heel. Passwords, even complex ones, are at the mercy of cybercriminals who find ways to exploit them for fraud, data theft and other cyberattacks. The password is where the cybersecurity buck stops, with usability outweighing security.
In May, the FIDO (Fast Identity Online) Initiative, alongside some big-name techs, announced a potential solution that could finally let the world say bye-bye to the password. But in the battle of security vs. usability, can FIDO balance the scales and change how people log in?
A short history of Fast Identity Online (FIDO)
FIDO experimented with moving the dial from mandated passwords to passwordless login. However, implementation constraints, such as the requirement for a hardware key, made FIDO unsuitable for mass consumer adoption. As a result, FIDO was stuck in an enterprise authentication loop. Then a FIDO paper published in March 2022 on the goals of passwordless authentication for consumers recognized that the requirement for a hardware key was a no-go for consumers, stating the need for a “special-purpose authentication device (security keys)” created barriers to use of FIDO in consumer services.
However, FIDO had thought ahead… the WebAuthn API provides support for Chrome, Firefox and Edge browsers. This support is essential to FIDO’s dreams of making passwordless applications universal in consumer use, not just enterprises.
Big tech strikes again
FIDO has, to date, never really cracked the consumer market with its passwordless ideals. However, W3C released WebAuthn as a standard in 2016 and it became a candidate for taking us all to the promised land of passwordless.
WebAuthn provides web developers with FIDO-based authentication support. This support is essential because it helps Web developers, who are not usually authentication experts, to support passwordless login. This help comes in the form of standards, libraries and protocols to integrate robust authentication options into websites, apps and services. However, even with this support, passwordless did not come to pass, at least as far as consumer markets go, and customer-facing services did not jump on the FIDO bandwagon.
This was not because the protocols and APIs developed by FIDO and W3C were poorly written. It was because consumer authentication has specific considerations that enterprise authentication does (or did) not. Before continuing, it is worth saying that the needs for consumer authentication vs. enterprise authentication models are fuzzier now because of the expanded networks of cloud infrastructures and remote working. Therefore, any movement by FIDO and W3C that facilitates consumer use of passwordless sign-in will also benefit enterprise authentication systems.
FIDO hit the ten-year mark as Google, Microsoft and Apple announced that they would fully embrace the dream of a passwordless internet. The announcement focused on the collaboration between the three tech giants and W3C and FIDO to build a usable yet secure internet experience. Taken from the announcement:
“[The consortium will] expand support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.”
This statement is a significant leap forward in usability. The consumer uptake of secure authentication options has always been an uphill struggle. Two-factor authentication (2FA) hesitancy has long been a hurdle for consumer-facing systems to jump. For example, Google had to force users to use two factors through auto-enrollment. According to Google, password managers also have low uptake, with only 24% of users using a password manager. In addition, where 2FA is offered, users don’t turn it on. Twitter is a prime example, with only 2.3% of users using a second factor to access their accounts.
From this perspective, a passwordless option that users accept offers everyone a win in the authentication stakes. But is FIDO’s consumer market push secure and usable?
What are the implications of FIDO for security and digital identity?
The announcement by Google et al. of their plans to support FIDO is a crucial part of the passwordless puzzle. These companies know the requirements for usable but secure consumer authentication. They understand how vital underlying security mechanisms are in preventing exploitation by cybercriminals. They also understand how human behavior impacts the uptake and use of highly secure authentication options. In consumer services, highly secure systems impact usability and vice versa. Highly secure authentication may even result in loss of market share, with customers giving up on the service and moving to a competitor. The balance of security and usability is not just a nice thing to have but a must-have in consumer-facing system design.
Now that the tech giants are supporting FIDO, will this move the dial of security usability? There are two critical aspects of FIDO’s ability to support the complexities of consumer authentication:
- Roaming authentication using existing smartphones
- Syncing of FIDO credentials between devices
To achieve this, the implementation overhead of FIDO lies in the hands of the OS (operating system). As FIDO points out:
“For these multi-device FIDO credentials, it is the OS platform’s responsibility to ensure that the credentials are available where the user needs them. Just like password managers do with passwords, the underlying OS platform will ‘sync’ the cryptographic keys that belong to a FIDO credential from device to device. This means that the security and availability of a user’s synced credential depend on the security of the underlying OS platform’s (Google’s, Apple’s, Microsoft’s, etc.) authentication mechanism for their online accounts and on the security method for reinstating access when all (old) devices were lost.”
The support of FIDO by the consumer tech giants is likely to create the environment that will make FIDO standardized across browsers and various operating systems. This is like pressing the big green “Go” button because FIDO is the best bet for a passwordless future where phishing would have to reinvent itself or die.
However, nothing is ever 100% secure; rather, security is about reducing risk. For example, a passwordless sign-in could remove specific threats, such as phishing, that are overwhelming IT and IS departments: each FIDO credential is unique for a given website, so a phisher would have a barrier to cross to create a spoof version of a website. However, I’d be amazed if phishers are not already working out ways around this.
As for digital identity, most people would welcome not having to remember large numbers of passwords. Importantly, FIDO, if implemented correctly, would require little setup by users. In addition, FIDO should allow a seamless authentication experience, something customers have wanted, and vendors have strived to achieve.
But, like everything in software development and system design, the devil is in the details. The big techs are offering to remove the hurdles for FIDO implementation, taking the strain off developers; this should open the floodgates to websites offering passwordless consumer support. Only time will tell how secure FIDO is for consumers, and only time will tell if consumers opt for a passwordless future.
- FIDO Alliance
- W3C WebAuthn standard
- Twitter Transparency Report
- How FIDO Addresses a Full Range of Use Cases
- Google Security Infographic
- Apple, Google, and Microsoft commit to expanded support for FIDO standard to accelerate availability of passwordless sign‑ins, Apple Newsroom
- Worst passwords of the decade: A historical analysis, Infosec