A tablet surrounded by lock graphics shows how HID makes passwordless authentication possible.

6 Reasons Why FIDO Is Critical for Passwordless Authentication

The Fastest Path to Passwordless 

Passwords are annoying — and insecure. According to Microsoft, hackers launch an average of 50 million password attacks every day, or 579 per second. Meanwhile, Verizon research suggests that compromised credentials were responsible for more than 80% of last year’s security incidents.

The rise of passwordless authentication represents a major step toward combatting this risk, strengthening trust with resistant security. And with the rise of FIDO (Fast Identity Online) authentication standards, it’s never been easier to go passwordless.

In the decade since the formation of the FIDO Alliance — an open industry association whose mission is to reduce “the world’s overreliance on passwords” — those standards have come to power the most widely available passwordless authentication solutions for both consumers and enterprises. 

In this article, we’ll review how passwordless authentication works, explore six reasons why FIDO is key to passwordless authentication and explain what makes it so effective in both consumer and workforce applications. 

How FIDO Powers Passwordless Authentication

FIDO shifts authentication from something you know — which, if it is simple enough to remember, is also easy to guess or steal — to cryptographic devices that you have. These devices can be further protected through biometric verification, which relies on what you are. 

FIDO leverages asymmetric public key cryptography, which starts with a pair of mathematically related keys. These keys are said to be “scoped,” as each FIDO key pair is unique to an individual website or service/user pair. One key is private and is stored on a user’s individual device. The other key is public and is kept by the website or service. 

When users want to authenticate, they use their private key to generate a cryptogram that can be verified with the corresponding public key. 

Until recently, private FIDO keys were typically stored on dedicated hardware tokens known as keys — like HID’s Crescendo® keys and cards, for example — which users plug into a computer or phone in order to authenticate themselves. Because security keys can be embedded into a cryptographic module for exclusive use on a specific device, they provide high levels of security. 

Since the end of 2022 — thanks to increased support from providers like AppleGoogle and Microsoft — FIDO keys can also be stored on Android and iOS devices. That means users can authenticate themselves using devices they already have on hand, or on nearby desktop computers. This new type of FIDO key is known as a passkey. Devices containing FIDO keys can offer additional protection via device-specific biometrics like fingerprints or face scans. 

Image
How FIDO Works LOCAL ONLINE AUTHENTICATOR The user authenticates “locally” to their device by various means The device authenticates the user online using public key cryptography

Advantages and Disadvantages of FIDO

At the enterprise level, FIDO is one of the most accessible technologies for going passwordless, greatly reducing the risk of social engineering attacks. 

6 Advantages of FIDO Include: 

  1. Security — FIDO authentication systems are phishing resistant. They also stand up to attacks on the corporate network, because private FIDO keys are stored not on servers but on individual user devices. Organizations can further strengthen security by leveraging inbuilt device biometrics. 
  2. Convenience — Because they can be placed on a wide range of devices and tokens, FIDO keys offer a high level of trust without compromising ease-of-use. Authentication is seamless and fast from a user perspective, with no passwords to remember. 
  3. Speed — FIDO solutions leverage inbuilt device capabilities, and well-known enterprise systems like Office 365 and Google Workspace support FIDO out-of-the-box without any additional development effort. The effort required to integrate FIDO into other web applications is minimal, as APIs are available for every major browser and platform, and authentication backends like the HID Authentication Service offer native FIDO support. 
  4. Resistance to compromise — Unlike passwords, private FIDO keys are very difficult to steal. However, in the unlikely event that one does get compromised, it still doesn’t mean that multiple services are put at risk.
  5. Trust — FIDO puts users in control of their own personally identifiable information (PII), elevating trust and enhancing convenience 
  6. Certification — Security teams can select among several options to implement FIDO, from built-in capabilities in mobile phones to hardware that is compliant with FIPS or other schemas. They can therefore tailor different types of FIDO authenticators to specific organizational use cases.

FIDO is an open standard, and it’s supported by most major tech manufacturers. That’s great for interoperability, but because FIDO is a newer standard focused on authentication, there may be cases where it’s less appropriate than other passwordless mechanisms like PKI. Some limitations of FIDO to consider include:

  • Management — FIDO maintains individual authentication keys for each service/user pair. While the use of asymmetric cryptography makes it much more secure than legacy OTP systems like OATH using symmetric cryptography, organizations will still need to invest in a back-end interface that provides a single administrative console for managing keys across multiple applications. 
  • Recovery — If people lose their FIDO tokens or devices, they’ll also lose access to their accounts. Because of this, each organization will have to decide how long to accept the digital keys it issues and set processes for recovering access in the event of loss or theft. Maintaining multiple keys is a good idea, and synchronizing passkeys to a specific platform or application in the phone is another emerging solution to this problem. 
  • Scope — FIDO authentication is decentralized, establishing trust individually between systems and their users. FIDO keys can therefore only be used within the security domain where they were originally registered. 

Implementing Passwordless With FIDO 

The first step in any FIDO deployment is to think through solution design. Where will you use FIDO? Will the protocol power your service’s primary log-in or provide secondary multi-factor authentication (MFA)? Will you rely on dedicated hardware tokens or individual user devices? 

To build a passwordless authentication system, you’ll need: 

  1. A website or app server (called a “relying party” or “RP” in FIDO parlance) that creates and manages public/private key pairs and where the developer implements calls to the FIDO server API 
  2. A FIDO server (which can be built separately or combined with the RP server) that stores users’ public key credentials and account information 
  3. A front-end RP app that calls the platform FIDO API to perform registration and authentication requests 
  4. A FIDO2 compatible authenticator that is integrated into a device or hardware token capable of generating and using FIDO keys and possibly protecting them by biometric user verification 

Deciding where to store private FIDO keys — whether on individual devices or dedicated hardware tokens — often depends on the use case. For most consumer applications, hardware tokens are impractical, and storing keys in user devices represents the best blend of security and convenience. Workforce authentication teams, on the other hand, may prefer to strengthen security with the use of dedicated tokens, which offer an extra layer of cryptographic protection and are less prone to hacking and compromise. 

For web-based authentication, the FIDO Alliance offers standardized APIs that organizations can rely on — as well as protocols that facilitate communication between user devices and servers. 

The Future Is Passwordless

Microsoft founder Bill Gates predicted the end of passwords back in 2004, explaining that they “just don’t meet the challenge for anything you really want to secure.” 

Two decades later, FIDO is powering passwordless solutions that are safe, convenient and easy to implement. So we can all stop gawking at top-ten lists of common passwords and start getting serious about security. 

This blog is part 2 of HID’s "Path to Passwordless"series. Explore the differences between PKI and FIDO authentication in part 1, or take a deep dive into PKI authentication in part 3.

Or discover how HID can support you on your passwordless journey.