Tom explores the Fast Identity Online Alliance and how passwords may one day be a thing of the past.
Featuring Tom Merritt.
A special thanks to all our supporters–without you, none of this would be possible.
Thanks to Kevin MacLeod of Incompetech.com for the theme music.
Thanks to Garrett Weinzierl for the logo!
Thanks to our mods, Kylde, Jack_Shid, KAPT_Kipper, and scottierowland on the subreddit
Send us email to email@example.com
Episode Script (Updated 19 May 2022)
Passwords are awful.
Passwords are too often weak.
Passwords are necessary to protect your data.
Wow. What a horrible situation.
If only someone had a fix?
Let’s help you know a little more about the FIDO Alliance
FIDO stands for Fast Identity Online. Yes, it should be FIO. No, nobody thought it would actually be better to call it FIO when you could borrow the D from Identity and call it FIDO.
The FIDO Alliance was started in February 2013 with the mission of developing authentication standards that reduce the world's reliance on passwords, especially the need to remember multiple usernames and passwords. It has more than 260 companies as members.
The goal is to have a way that you can easily prove it’s you while making it extremely hard for someone else to pretend they’re you. And not have to use passwords at all.
FIDO wants to make that a reality.
FIDO supports fingerprint and iris scanners, voice and facial recognition, Trusted Platform Modules in your chipset, USB security tokens like Yubico's YubiKey, NFC, smart cards, embedded Secure Elements and more.
But as you may have caught on to, the idea is a device-centered approach using public-key cryptography. We’ll go into Public Key Cryptography in a separate episode.
An open standard called Universal Second Factor, or U2F, was FIDO's first attempt. It streamlines two-factor authentication. The something you have in this case is a device, either USB or NFC. USB is represented most often by the YubiKey or other brands of little keychain things you stick into the USB port. NFC usually shows up on smartphones or smart cards.
U2F used the Human Interface Device protocol, or HID. That means the key shows up to the computer as a generic HID device, the same class as a keyboard or mouse, so you don't need to install a driver to make it work.
At registration the device generates a key pair and hands over only the public key; the private key never leaves the device. To authenticate, the server sends a random challenge, the device signs it with the private key, and the server checks the signature against the public key it holds.
The keys on your device can be unlocked by biometric release like Facial or voice ID or thumbprint or iris scan or even just pressing a button.
It's still paired with a password, but it eases some of the pressure on that password to be strong enough not to be cracked. And U2F is much more secure than SMS as a second factor, since in some cases SMS can be intercepted by malicious actors, and a U2F signature is tied to the site that asked for it, so it can't be relayed the way a texted code can.
But U2F is already old. In fact it's being replaced by newer standards, WebAuthn and CTAP. U2F has been renamed CTAP1, since it provided the basis for the newer protocol, CTAP2.
These new standards are part of a joint project between the FIDO Alliance and the World Wide Web Consortium, or W3C, called FIDO2.
FIDO2 has the two parts I mentioned.
The W3C Web Authentication standard, also called WebAuthn.
And the FIDO Client to Authenticator Protocol, called CTAP.
FIDO2 uses an authenticator whose functions are agnostic to how the key is managed. In other words, you can put it on all kinds of devices, or even just in software backed by the platform's Trusted Platform Module. Obviously you can still use USB and NFC devices, but also Bluetooth Low Energy. It's backwards compatible with U2F as well.
And FIDO2 can be a single-gesture multi-factor login, meaning it doesn't require a password the way U2F did, though it can still be used as a second factor.
In practice there are three parts.
The website, which is considered the Relying Party.
The browser, which is the Client.
And the authenticator. All three need to speak the standards (WebAuthn between site and browser, CTAP between browser and authenticator) for the system to work.
Let’s talk about how this might work when you want to log into a website.
Let’s assume you have a USB key as your FIDO2 authenticator and you have to enter a PIN. The key is something you have, and the PIN is something you know. Two factors.
The rest is public key cryptography. The site sends a fresh random challenge, the browser attaches the site's origin to it, the USB key signs that with its private key, and the site verifies the signature with the public key it stored when you registered.
A software authenticator could be used on a phone so you don't have to plug in a key, and biometrics could be used instead of a PIN. So Face ID or a thumbprint rather than 1234.
FIDO provides an open standard that any company can implement and that almost all browsers support. It can do passwordless authentication, such as using your fingerprint with the trusted platform module on your phone for a single-gesture multi-factor login. It can do good old-fashioned second factor, where you put in a password and plug a key into a USB port. And it can handle multi-factor authentication where you might need the USB key, your fingerprint and a PIN.
So yes, passwords are still an option. But they’re not necessary. We’ll get to why they’re still even involved a little later.
There are a few other advantages to FIDO2. The website's server stores no password, only the public key and the registration for the device you used. So an attacker can't get your password from it. And a separate key pair is created for every site you register with. No duplication. So all those phishing attacks that trick you into typing a password have nothing to work with, because there's no shared secret to give away. A database breach gives the attacker only public keys, which can't be used to log in. And you won't be caught using the same password on multiple sites.
Fake sites can't trick you into logging in to them either, since the FIDO key's signature is bound to the real site's domain and the key won't produce anything useful unless the proper site is asking for it.
So what can I use this on?
Almost all the clients. WebAuthn is supported by Chrome, Firefox, Edge, Safari and Opera.
It also works with Apple's Face ID and Touch ID in Safari.
All Android devices version 7 and higher are FIDO 2 certified.
And it’s not platform-specific either.
Apple, Google and Microsoft are all committed to cross-platform token support. You can soon, if you can't already, use your phone as the passwordless login device across Windows, macOS, iOS and Android, as well as Chrome, Edge and Safari. The quintessential example would be using an iPhone to authenticate a login through Chrome on Windows.
Here’s how that works.
Let's say you register your phone as the device you want to use to log in. Then, when you're logging in, say on your laptop, it will ask if you want to use that phone to log in. If you say yes, a notification shows up on your phone. Then you simply unlock your phone, whether that's with a PIN, a swipe pattern, a fingerprint or facial recognition. No password strictly necessary. Another part of this is that passkeys can be securely stored in the cloud in case you lose your phone. That increases the attack surface, much as a cloud-based password manager does, and it's optional.
There won't be a need for a password as a failsafe. A backup method could use email to send you a login link. That way your email is the other weak point, not a crackable password. Some sites already do this.
Of course you'll need to keep your phone secure with a strong passcode. But a breach would require physical access to the phone, another hurdle for would-be attackers. And you can't be phished as easily, since a fake site trying to trick you into logging in will not be able to get the real site's notification sent to your phone.
So what’s holding it up?
What we’re waiting on is websites.
Only Microsoft, with Windows Hello, lets you replace passwords outright.
Google, a founding member of FIDO, uses it.
So does Dropbox. But both still use it alongside passwords.
It's a bit of a chicken-and-egg problem.
Dropbox's director of security, Rajan Kapoor, told The Verge: "there are a number of issues around usability and adoption that need to be resolved before we'll see passwords replaced."
Adoption is becoming less of an issue, since all Android phones on version 7 or higher, and therefore almost all phones, can be used for it. You don't need to make people buy USB keys if they can use their phone. The last piece here would be for Apple to make all of iOS FIDO2 compliant, not just Safari.
But usability seems to be the big hangup. What happens if you lose your phone, which is also your authentication device? Biometrics should protect you from other people using it to get into your accounts, but without it you can't get in either.
Any recovery mechanism a company implements becomes a vector for malicious actors to attack. Sure, it'd be nice to just call up Dropbox and say "hey, it's me, let me back into my account," but how do you prove it's you? The most secure way would be your device, the one you lost, so any other method is less secure. And the least secure way of getting into an account is how secure that account actually is.
I already hear several of you saying "I'll register two devices," and yes, for you that's great, but it's not exactly the most user-friendly method for the majority of people. And if you don't make it user friendly you don't get adoption, which is the other barrier to implementation.
In the end it’s a war of attrition. Because a lot of people use passwords, companies still support passwords. Because it’s costly to change, companies are slow to adopt FIDO. But slowly they will and eventually someday passwords will be a quaint early 21st century curiosity.
I hope this gives you hope that passwords will one day fade away
In other words I hope now you know a little more about the FIDO Alliance