FIDO Explained: How Fast Identity Online Authentication Works
Don’t let bad passwords become the Achilles’ Heel of your organization’s security posture.
Passwords are by far the most common way to prevent unauthorized access to sensitive systems and data.
It’s easy to understand why passwords have been the security status quo since the earliest days of computing. A good password is nearly impossible to break using conventional brute force attacks, where attackers attempt to guess a password by repeatedly checking millions of possible combinations in sequential order.
However, the definition of a “good password” is constantly changing. During the dot-com era, security professionals set the 8-character password as a viable standard for enterprise security.
In some industries this is still the case today, despite the fact that hackers can now successfully break even the most complex 8-character passwords in less than an hour. For comparison, an equally complex password with double the number of characters would take 92 billion years to crack.
The problem is that it’s not easy to create and remember such long, complicated passwords. Everyone understands how to make a perfect password using a random sequence of numbers, punctuation marks, and capital and undercase letters. Yet when prompted to create one for themselves, very few actually take time to create and memorize a good password. Instead, they choose one that’s simple, memorable – and easy to crack.
Despite this fact, the average employee is expected to create and remember hundreds of different passwords throughout their career. It’s easy to understand why people tend to reuse passwords, write them down, and generally undermine password effectiveness in their day-to-day operations.
Ultimately, this means passwords tend to fail in their role protecting sensitive data and accounts from unauthorized access. Security leaders constantly try to update and enforce good password policy, but they fail whenever that policy conflicts with employee productivity and ease of use.
FIDO Authentication Techniques Go Beyond Passwords
Passwords are not the only way people can authenticate themselves. Any unique characteristic that a person has can be used to validate their identity.
Passwords rely on information that only an authorized user is supposed to know. Other authentication methods rely on behaviors or qualities that only authorized users have.
Fast Identity Online is not one specific technology, but a collection of technical standards that push credential security beyond simple passwords. These protocols work together to provide robust credential security without disrupting the user experience or inhibiting productivity.
Many of these authentication processes rely on identifying who users are, instead of testing them on what they know. Examples of FIDO-enabled authentication processes include:
- Speaking into a microphone
- Touching a fingerprint scanner
- Looking into a camera
These authentication factors are much harder to break than even the best passwords. This is especially the case when using multi-factor authentication to validate users using more than one.
Unlike passwords, these factors can undergo periodic validation without interrupting the user experience. In some cases, there is no need to stop authorized users from doing whatever they’re doing when verifying their identities, and it’s possible to verify them multiple times during a single session.
FIDO Protocols Treat Privacy Seriously
Facial images, fingerprints, and voice recordings are examples of highly sensitive biometric data. One of the most important characteristics of the FIDO authentication protocol is how it treats this data to ensure security and user privacy.
Before sending any data for validation, FIDO-enabled devices establish an encrypted communications channel with the verifying server. The private key that secures this channel never leaves the user’s device, reducing the risk it gets intercepted by opportunistic hackers. Similarly, the biometric data itself is stored on the user’s device instead of the validating server.
Before people can start using FIDO authentication protocols, they must register and select the authentication method they feel most comfortable with. FIDO protocols do not generally favor one method over another, so users can simply choose not to provide biometric data they don’t want to share.
In most cases, the data itself comes from a paired mobile device. This way, anyone who uses facial recognition on their smartphone can easily extend that authentication factor to any FIDO-enabled application they have access to. The same goes for fingerprint scanning and vocal identification.
There are additional FIDO-compliant authentication methods that don’t require biometric data at all. For example, users who do not wish to be recorded or scanned can choose to enter a PIN code into their smartphone or press a specific button. This ensures the user is in possession of their mobile device and capable of unlocking it.
FIDO Addresses Password Policy Shortcomings
By challenging users to prove their identity based on biometric data or activity data, FIDO-enabled applications avoid forcing users to remember complicated passwords. When users no longer have to periodically set and change their passwords, they are better positioned to focus on their work without worrying about security policy.
The practical benefit of FIDO-enabled security is that it lifts security responsibility off employees’ shoulders. Instead of prompting them to create, remember, and periodically change a complex password, FIDO requires only that they have a compatible mobile device ready.
There are even FIDO-compliant solutions that don’t require users to validate with their personal smartphone. Universal Second Factor (U2F) devices are secure USB dongles that play the same role, validating user identities and transmitting authentication data to a secure server without disrupting the user experience.
When taken together, these technologies and policies provide strong authentication security without relying on passwords. They address many of the critical weaknesses that come from bad password policy.
Almost 70% of employees admit sharing their passwords with co-workers. FIDO-compliant authentication data cannot easily be shared the way passwords are. The authorized user must be physically present and aware of the session, and may periodically have to renew it. This has a profoundly positive impact on enterprise security compliance.
Implement Best-in-Class Authentication Policies Today
Enhancing your organization’s authentication policies is one of the easiest and most effective ways to improve operational security without disrupting the user experience. Implement a FIDO-compliant technology like OneMorePass and benefit from a flexible, secure authentication solution that puts the user experience first.