What is the Fido Alliance? And Why Should I Care?
How many accounts do you have that require a password to access? Email addresses, social media sites, streaming video services, banks, ecommerce websites… the list goes on, and you may not even remember how many password-accessible accounts you have – hardly surprising, since the average user has upwards of 90 online accounts. If you’re like many users, you’ve recycled at least some of those passwords; as many as 51 percent of the passwords out there are used across multiple services. Repeated use of the same passwords may make it easier to remember how to log into those 90 accounts, but it also makes you more vulnerable to a data breach; more that 80 percent of such breaches are ultimately traceable back to password problems – either the user’s password was compromised, or it was too easy to guess.
The flip-side of this problem is just as much of an issue, both for customers and ecommerce merchants. If a user can’t remember their password required at checkout, they abandon their purchase about one-third of the time. Resetting forgotten passwords costs companies an average of $70 in helpdesk labor. Clearly, passwords as a security measure are a poor solution in today’s technological world. This is the problem that the FIDO Alliance seeks to solve.
- Alibaba Group
- American Express
- Bank of America
- BC Card
- Egis Technology
- Nok Nok Labs
- NTT DoCoMo
- NXP Semiconductors
- Oberthur Technologies
- Samsung Electronics
What is FIDO?
The FIDO (Fast Identity Online) Alliance is an open association in the technology industry that seeks to develop and encourage the use of alternate authentication methods that do not have the same pitfalls as passwords. FIDO Authentication takes a different approach to the question of establishing user identity to create an authentication process that is both more secure and more convenient for the consumer than password access. Instead of authenticating user identity by relying on a piece of information (a password) which can be forgotten by the legitimate user or stolen by fraudsters, FIDO relies on hardware or biometric data to confirm identity. The electronic signatures of these forms of authentication are never made available to potential identity thieves.
How Does FIDO Work?
When a user registers with an online service, a pair of electronic cryptography keys is generated, one public and the other private. The public key is registered with the online service, while the private key remains securely on the user’s device. In order to access the user’s account, the user’s device must prove that it possesses the private key. This is accomplished by unlocking the key on the user’s own device with a simple and secure action like providing a fingerprint, voice pattern, or second-factor device. The biometric or other identifying data only serves to unlock the private key already stored on the user’s device, and is never transmitted elsewhere. Once unlocked, the private key responds to the challenge issued by the public key on the website and the user’s identity is authenticated.
With FIDO Authentication, users who have accounts with multiple services cannot have their activity or identity tracked or linked through FIDO, even if all those services use this authentication method. Customers can use the same devices they already have to access their accounts on any number of services, with a simpler and more convenient user experience than current password-based authentication methods offer. Service providers are spared the expense of developing their own individual strong authentication system by utilizing FIDO, while saving money on customer support and password resets and providing their customer base with a convenient and secure account experience.
Password-based authentication has held on in the face of more secure alternatives because previous methods were not user-friendly. FIDO Authentication replaces these with a simple, convenient, and effective solution.