The FIDO (fast identity online) Alliance is an industry association that aims to reduce reliance on passwords for security, complementing or replacing them with strong authentication based on public-key cryptography. To achieve that goal, the FIDO Alliance has developed a series of technical specifications that websites and other service providers can use to move away from password-based security. In particular, the FIDO specs allow service providers to take advantage of biometric and other hardware-based security measures, either from specialised hardware security gadgets or the biometric features built into most new smartphones and some PCs.
Before we get into the individual FIDO specifications, we need discuss the principle that they're all based on: public key cryptography. In this form of cryptography, each communicating party uses two keys — very large numbers — to encrypt messages via an encryption algorithm. Each party shares a public key that's used to encode a message, which can only be decoded by a private key, which is kept secret. The two keys are related by some mathematical operation that would be difficult or impossible to reverse — for instance, the private key might be two very long prime numbers and the public key would be the number you get by multiplying those two primes together.
Public key cryptography is already the basis for most secured internet communication. The SSL/TLS standard is based on it and has been built into most web browsers for decades, and the larger set of technologies and specifications known as the public key infrastructure, or PKI, helps not only encrypt data but also ensure that communicating parties online are who they say they are. In almost every case today when you enter a password into a web browser, that password is being transmitted across the network in an encrypted form, thanks to PKI.
So why does the FIDO Alliance want to get rid of passwords? Well, even with strong encryption, any system that performs authentication by exchanging passwords between two different computers over the internet has vulnerabilities. Encryption isn't perfect, and isn't always implemented perfectly, so it's still sometimes possible to intercept passwords in transit. And a password system requires that a service provider keep a list of user passwords on its servers; such a list should itself be encrypted, but that doesn't always happen, and that makes a tempting target for hackers.
The various FIDO specifications all address these fundamental weaknesses by shifting authentication entirely to the devices that are local to the user. These local devices then tell the service provider, via communications protected by public key encryption, that the user has been authenticated, without actually transmitting any sensitive information about the user. The different FIDO specs take somewhat different roads to that destination, however. We'll start by looking at the first two specs the FIDO Alliance released, UAF and U2F, before digging into the newer FIDO2 spec currently seeking wider adoption.
The FIDO UAF standard — the initials stand for Universal Authentication Framework — is focused on authentication for users of digital devices like smartphones or tablets. To access a service using the UAF standard for security, the user would register their account via their device, which would then request that the user authenticate themselves using some security protocol the device natively supports. Once this authentication has occurred, cryptographic keys — but no other authentication data, like a password or biometrics — are exchanged between the device and the service provider. The user can subsequently sign in with the same authentication technique to access their account.
One important feature of UAF is that, even though service providers never see the specific authentication data used for login, they do know what type of authentication method has been used, and can choose what types they'll accept. For instance, while the UAF spec allows end users to authenticate using their mobile phone's PIN code, a service provider could decide they don't think that's a strong enough authentication method and require a thumbprint or face scan instead.
The initials in the FIDO U2F standard stand for Universal Second Factor, and so as you'd expect it focuses on providing second-factor authentication, also known as 2fa. For more on 2fa, you can read CSO's explainer on the subject, but the short version is that it complements, rather than replaces, traditional password-based security, challenging users to make use of a second technique (or factor) to authenticate once they've provided their password.
Specifically, U2F defines how to use a hardware device to make logins more secure; the private cryptographic key required for encrypted communication is stored on that device. While the standard supports a number of possible devices for this purpose, the most common implementation uses a dedicated hardware security key fob. The standard was initially created by Google, which it deployed to fight phishing internally before offering it to external customers, but was then granted to the FIDO Alliance to administer. The security fob can connect to the user's device via USB or NFC, so it can be used with PCs or smartphones.
Communicating via the browser, the fob exchanges cryptographic keys with a service provider to establish 2fa. Upon subsequent authentication attempts, the user must have their fob present, and the fob uses its key to make sure that the site that the user is connecting with really is what it claims to be. This helps prevent man-in-the-middle and phishing attacks.
As a 2fa implementation, U2F doesn't eliminate the need for passwords. However, the FIDO Alliance believes that the extra protection U2F provides makes it safer to use simpler passwords like four-digit PINs instead of the long, complex passwords that we're all urged to use but many find challenging to remember and manage.
Read more on the next page...