Seven years ago a handful of companies including Lenovo and PayPal formed an association to develop open authentication standards to accelerate the use of biometric factors so users don’t have to remember passwords.
This week Apple became the latest big-name vendor — and perhaps the last of the biggest vendors — to join the FIDO (Fast IDentity Online) Alliance.
Other giant manufacturers and service providers including Amazon, Visa, Google, IBM, Microsoft, Intel, Samsung and a number of banks are already members, enabling them to craft solutions for people to log into devices, web pages and applications with fingerprints, facial recognition, voice and security keys.
Apple has its own fingerprint and face scan technology, but security experts hope that its endorsement of the FIDO standards will accelerate the move to passwordless authentication.
“With Apple joining it puts us on a direct path to realizing a passwordless world,” Gartner analyst David Mahdi said in an interview.
“If you were on the fence [as an application developer] of adopting these protocols or becoming a member of FIDO, now there’s way too much critical mass for you to say no,” he added. “Apple would be the final push to say this is a legit protocol we can now agree on.”
FIDO is like Bluetooth for authentication, said Mahdi, referring to the ease of connecting devices through the ubiquitous short-range wireless standard. Software developers can use a common set of application programming interfaces (APIs) for authentication regardless of the device it connects to.
It’s badly needed. FIDO argues weak, re-used and stolen passwords are the root cause of over 80 per cent of data breaches. Users have too many passwords to remember, and not enough use password managers. Besides the cost of a breach, the alliance estimates that each password reset costs an organization an average of US$70 in help desk labour. In addition, it says, one-third of online purchases are abandoned due to forgotten passwords.
FIDO protocols, now on version 2, use public-key cryptography. FIDO2 is supported by Google Chrome, Mozilla Firefox and Microsoft Edge browsers. FIDO support for Apple’s Safari browser is in preview. Android versions 7 and up support FIDO2, as does Windows Hello, Microsoft’s biometric technology for Windows 10. WebAuthn, the web API portion of FIDO2, became an official World Wide Web Consortium (W3C) standard last year.
Meanwhile, last summer the alliance began work on finding a way to add identity verification for Internet of Things devices.
Briefly, here’s how FIDO works: During registration with an online service, the user’s client device creates a new public key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button. If biometrics are used, the data never leaves the device.
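The registration and challenge-response flow just described, modelled in Go as an added example (this is not FIDO, Apple or any vendor's code): the authenticator keeps an Ed25519 private key per relying party ID and signs only after a local unlock, while the service stores public keys and single-use challenges. The relying party ID "example.com", the user names and the simple "rpID plus challenge" signing format are constructed for illustration and are not the FIDO2/WebAuthn wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator models the user's device: one private key per relying party ID, never exported.
type Authenticator map[string]ed25519.PrivateKey

// RelyingParty models the online service: only public keys (one per user) plus the challenges
// it has issued but not yet consumed. ID is its domain, e.g. "example.com" (constructed).
type RelyingParty struct{ ID string; keys map[string]ed25519.PublicKey; challenges map[string]bool }

func NewRelyingParty(id string) *RelyingParty { return &RelyingParty{id, map[string]ed25519.PublicKey{}, map[string]bool{}} }

// Register creates a fresh key pair scoped to rpID; only the public half leaves the device.
func (a Authenticator) Register(rpID string) ed25519.PublicKey {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	a[rpID] = priv
	return pub
}

// Enroll stores the public key the device sent during registration.
func (rp *RelyingParty) Enroll(user string, pub ed25519.PublicKey) { rp.keys[user] = pub }

// NewChallenge issues 32 random bytes and records them so each is accepted exactly once.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.challenges[string(c)] = true
	return c
}

// toBeSigned binds the challenge to the relying party ID, so a signature for one site is useless at another.
func toBeSigned(rpID string, c []byte) []byte {
	h := sha256.Sum256(append([]byte(rpID+"\x00"), c...))
	return h[:]
}

// Sign proves possession of the private key. The local unlock gesture (fingerprint, PIN, button)
// is modelled by unlocked; without it, or without a key scoped to rpID, nothing is signed.
func (a Authenticator) Sign(rpID string, c []byte, unlocked bool) ([]byte, bool) {
	priv, ok := a[rpID]
	if !unlocked || !ok {
		return nil, false
	}
	return ed25519.Sign(priv, toBeSigned(rpID, c)), true
}

// Verify consumes the challenge (single use, even on failure) and checks the signature
// against the public key enrolled for user. The short-circuit keeps ed25519.Verify off a nil key.
func (rp *RelyingParty) Verify(user string, c, sig []byte) bool {
	pub, known := rp.keys[user]
	fresh := rp.challenges[string(c)]
	delete(rp.challenges, string(c))
	return known && fresh && ed25519.Verify(pub, toBeSigned(rp.ID, c), sig)
}
```

The service never sees a private key or biometric data, a replayed challenge is rejected, and the credential created for "example.com" cannot be exercised for any other relying party ID.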
In an email George Avetisov, CEO of multifactor authentication provider HYPR and an alliance board member, explained why Apple will be a valuable member of FIDO. “Apple can more directly influence the standard while also gaining knowledge share from other members, such as Microsoft, Intel, HYPR, and Google. The company rarely joins a standards body just to say they did it. There is definitely a strong reasoning here and they will likely drive the standard in a positive direction while also popularizing it.
“I often think that enterprises look to Microsoft and consumers look to Apple. We’ve already seen FIDO standards bring enterprise adoption through passwordless MFA for the workforce. Now with Apple joining we may see a stronger emphasis on the consumer-facing use cases for multi-factor authentication.”
Apple was a critical final piece to the FIDO puzzle, said 451 Research analyst Garrett Bekker, since Apple’s absence had left a glaring hole in the FIDO value proposition. “Now that Apple is on board, I think it will remove a lot of the remaining question marks regarding FIDO’s future from enterprise customers.”
In its latest annual report the alliance said much progress was made in 2019:
- Intuit rolled out FIDO passwordless authentication across its mobile apps;
- Microsoft added FIDO-based passwordless sign-in for Azure Active Directory (Azure AD);
- The U.S. General Services Administration (GSA) enabled FIDO Authentication for login.gov, its single sign-on website for the U.S. public and federal employees to interface and transact with federal agencies online;
- The National Health Service (NHS) in the United Kingdom released open-source code for developers to add FIDO biometric security for app login;
- Google gave Android phones the ability to be used as a physical security key and also added built-in Chromebook support;
- LINE Pay became the first mobile payment app to support FIDO2.
Companies joining the alliance as sponsor members in 2019 included AdNovum Informatik AG, FIME SAS, the government of Thailand, IBM, IDNow GmbH, Imagination Technologies, Intuit, Jumio Corp., the Mitre Corp., Phoenix Technologies Ltd., Ping Identity, and Secure Identity.
(This story has been updated with comments from Gartner’s David Mahdi, and from George Avetisov.)