November 18, 2019

A Primer On FIDO

Over at dummies.com you can find a primer on everything from “Cybersecurity for Dummies” to “Data Science Strategies For Dummies” to “Backyard Homesteading All-in-One For Dummies”. But if you are an IT security specialist looking for a primer on FIDO, you won’t find one there. So here is a brief blog post on the basics of FIDO and why you should be looking at it as a serious strategy for your passwordless authentication solution.

What Is FIDO?

The FIDO (“Fast IDentity Online”) Alliance is a non-profit organization formed to address the lack of interoperability among strong authentication devices, as well as the problems users face in creating and remembering multiple usernames and passwords. The FIDO Certified program provides assurance that a product complies with the FIDO specifications before you roll out FIDO Authentication with it. The FIDO Alliance is now a consortium of more than 250 member companies, including Aetna, Amazon, American Express, Bank of America, Facebook, Google, Intel, Mastercard, Microsoft, PayPal, Samsung, and Visa.

FIDO provides a passwordless user experience. In order for the passwordless FIDO experience to work, support for the Universal Authentication Framework (UAF) protocol is required. In this experience, the user registers their device with the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc. The UAF protocol allows the service to select which mechanisms are presented to the user.

The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user’s client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client’s private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

Why Implement FIDO Today?

The core ideas driving FIDO are (1) ease of use, (2) privacy and security, and (3) standardization. For implementing authentication beyond a password (and perhaps an OTP), companies have traditionally been faced with an entire stack of proprietary clients and protocols. FIDO changes this by standardizing the client and protocol layers. This ignites a thriving ecosystem of client authentication methods such as biometrics, PINs and second factors that can be used with a variety of online services in an interoperable manner. Development and deployment of FIDO Authentication solutions bring myriad benefits to IT vendors, enterprises, service providers and the industry at large, including:

  • Stronger account/transaction security: This results in lower loss rates and fewer problems to mitigate and will bring the possibility of improved customer loyalty and less churn. Improved authentication will also reduce risk and enable new business models and revenue streams.
  • Improved user experience: The FIDO solution enables businesses to improve convenience for both customers and employees. As users no longer need to remember complex passwords, user provisioning is simplified, and the cost associated with remote password resets is drastically reduced.
  • Improved return on investment in authentication: The costs associated with the deployment and support of new solutions will be significantly reduced in comparison to current proprietary approaches, which connect a single device type to a single application. System management functionality will be provided by the FIDO infrastructure, rather than having to be built by each application developer.
  • Reduced risk of fraud: Users of all FIDO-enabled websites and cloud or mobile applications will enjoy a reduced risk of identity fraud, with the convenience of having less reliance upon passwords. Trust in online systems will grow again as a result of consistent user experiences and higher security.

Once you have decided to implement a FIDO solution, the next step is to choose the best vendor.

Acceptto Is FIDO2 Certified

Acceptto is the industry's first solution providing technology to develop an innovative, patented Biobehavioral™ authentication platform that continuously monitors and manages access to cyber resources. The Acceptto solution supports both FIDO UAF 1.0 servers and FIDO 2.0 servers, and it easily integrates with your iOS app and the Acceptto FIDO server to add secure FIDO authentication via the device’s sensors (e.g. TouchID, FaceID) or a PIN code. It provides stronger security together with a simpler, easy-to-use and frictionless passwordless authentication experience for legitimate users.

Acceptto’s eGuardian engine continuously creates and monitors user behavior profiles based on the user’s interaction with the It’sMe authenticator. Every time an activity occurs, actionable intelligence is gathered and used to optimize the user profile. eGuardian is capable of autonomously and continually learning new policies and adapting existing ones. While policies can still be manually defined and contribute to the computation, our Biobehavioral AIML approach automatically finds the optimal policy for each transaction. eGuardian leverages a mixture of AI & ML, expert systems and SMEs to classify, detect and model behavior, and to assign real-time risk scores that continuously validate your identity prior to, during and after authentication.

Download the Acceptto FIDO whitepaper today, and then check out what Acceptto can do to ensure your employees, partners and customers can authenticate without passwords while still preserving security and privacy, by registering for a free demo today.
