
The Path to Passwordless Authentication: PKI vs. FIDO

The Case for Going Passwordless

Passwords are a familiar punching bag — annoying for users to remember, expensive for IT teams to manage and dishearteningly simple for criminals to hack. According to Forrester, large organizations spend up to $1 million per year just to handle password resets. Gartner estimates that 40% of all helpdesk calls are related to passwords.

Meanwhile, researchers at Digital Shadows recently reported that more than 24 billion login credentials were breached in 2022.

No wonder major tech providers like Apple, Google and Microsoft are expanding their support for passwordless authentication. Of course, until these solutions are widely adopted, organizations are still putting their employees and customers at risk.

There are several ways to implement passwordless authentication, from emailed login links to SMS codes (neither of which resists phishing the way the two methods below do). Historically, one of the most secure methods has been PKI digital certificates, and more recently FIDO (Fast Identity Online) security keys have emerged as a widely supported authentication method. How can organizations navigate these choices to protect their networks and services?

In this article, we’ll review how FIDO and PKI keep users safe — and why organizations might choose one technology over the other.

How PKI and FIDO Power Passwordless Authentication

Both PKI and FIDO use asymmetric cryptography: the user holds a private key that never leaves the device and uses it to sign a fresh challenge from the verifier, which checks the signature with the matching public key. Because the verifier only ever stores a public key, nothing reusable is exposed if it is breached. The two differ mainly in how that public key is distributed and trusted:

PKI (Public Key Infrastructure):

  • Utilizes digital certificates for public key distribution
  • Certificates, signed by trusted authorities (CAs), ensure authenticity
  • Authenticates in the background over cryptographic protocols such as TLS client-certificate authentication, with no secret typed by the user
  • Native support by operating systems, browsers, and applications streamlines integration

FIDO (Fast Identity Online):

  • Generates a distinct key pair for each website (Relying Party) and user
  • The website stores only the public key; because each key is bound to the site's origin, a breach of one site or a look-alike phishing domain yields nothing usable elsewhere
  • Private keys remain on the authenticator and never leave it
  • Passkeys extend this to keys stored (and optionally synced) on Android, iOS, macOS and Windows devices, not just dedicated security keys
  • User verification (a biometric or PIN) unlocks the key locally; the biometric itself is never sent to the website

In PKI, digital certificates are the backbone for distributing public keys: a trusted certificate authority (CA) signs a certificate binding a user's identity to their public key, so any relying party that trusts the CA can accept a key it has never seen before. The same key material can also be used to encrypt data for a recipient (anything encrypted with a public key can be decrypted only with the corresponding private key), but for authentication the user's private key signs a challenge and the relying party verifies the signature after validating the certificate chain, its validity dates and its revocation status. Because operating systems, browsers and enterprise applications support this natively, PKI validates user identities in the background when accessing sensitive information on a network.
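As an added illustration (not code from the original post or from HID), here is that PKI exchange in Go using only the standard library: a toy root CA issues alice a client-authentication certificate for the public key of her smart card, and at login the relying party first chains the presented certificate to its trusted root, then verifies her signature over a fresh nonce. The names `Toy Root CA` and `alice` and the nonce value are constructed for the example. A real deployment does this inside TLS client authentication and also checks revocation (CRL/OCSP), which this sketch omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"crypto/x509/pkix"
	"errors"
	"fmt"
	"math/big"
	"time"
)

// issueCert signs a certificate binding cn to pub with the issuer's private
// key. parent == nil produces a self-signed root CA; isCA marks an issuer.
func issueCert(cn string, pub *ecdsa.PublicKey, parent *x509.Certificate,
	issuerKey *ecdsa.PrivateKey, isCA bool) (*x509.Certificate, error) {
	serial, err := rand.Int(rand.Reader, new(big.Int).Lsh(big.NewInt(1), 64))
	if err != nil {
		return nil, err
	}
	tmpl := &x509.Certificate{
		SerialNumber:          serial,
		Subject:               pkix.Name{CommonName: cn},
		NotBefore:             time.Now().Add(-time.Minute),
		NotAfter:              time.Now().Add(24 * time.Hour),
		IsCA:                  isCA,
		BasicConstraintsValid: true,
		KeyUsage:              x509.KeyUsageDigitalSignature,
	}
	if isCA {
		tmpl.KeyUsage |= x509.KeyUsageCertSign
	} else {
		// End-entity certificate: usable for client authentication only.
		tmpl.ExtKeyUsage = []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}
	}
	if parent == nil {
		parent = tmpl // self-signed
	}
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, pub, issuerKey)
	if err != nil {
		return nil, err
	}
	return x509.ParseCertificate(der)
}

// signChallenge is the user-side step a smart card performs: sign the hash of
// the relying party's fresh nonce with a private key that never leaves the card.
func signChallenge(priv *ecdsa.PrivateKey, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, h[:])
}

// verifyPKILogin is the relying-party side: (1) build a chain from the
// presented certificate to a trusted root, (2) verify the challenge signature
// with the public key the certificate carries. Step 1 lets the RP trust a key
// it has never seen; step 2 proves possession of the matching private key.
// On success it returns the authenticated identity taken from the certificate.
func verifyPKILogin(root, leaf *x509.Certificate, challenge, sig []byte) (string, error) {
	roots := x509.NewCertPool()
	roots.AddCert(root)
	opts := x509.VerifyOptions{
		Roots:     roots,
		KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth},
	}
	if _, err := leaf.Verify(opts); err != nil {
		return "", fmt.Errorf("certificate not trusted: %w", err)
	}
	pub, ok := leaf.PublicKey.(*ecdsa.PublicKey)
	if !ok {
		return "", errors.New("unexpected key type")
	}
	h := sha256.Sum256(challenge)
	if !ecdsa.VerifyASN1(pub, h[:], sig) {
		return "", errors.New("challenge signature does not verify")
	}
	return leaf.Subject.CommonName, nil
}

func main() {
	caKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	root, _ := issueCert("Toy Root CA", &caKey.PublicKey, nil, caKey, true)
	// Enrolment: the CA issues alice a certificate for her card's public key.
	aliceKey, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	alice, _ := issueCert("alice", &aliceKey.PublicKey, root, caKey, false)
	// Login: RP sends a nonce, the card signs it, RP validates chain + signature.
	nonce := []byte("constructed-nonce-0001") // constructed sample value
	sig, _ := signChallenge(aliceKey, nonce)
	who, err := verifyPKILogin(root, alice, nonce, sig)
	fmt.Println("login as:", who, "err:", err)
}
```

The order of the two checks matters: the relying party must not use the certificate's public key until the chain to a root it trusts has been validated, otherwise anyone can present a self-signed certificate naming `alice` and sign the nonce with the matching key. A certificate issued by a CA outside the trusted set, or a signature over a different nonce, is rejected.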

On the other hand, FIDO authentication operates differently. Instead of relying on certificates, the authenticator generates a unique key pair for each website (relying party) at registration, and the website stores the public key. Each key is scoped to the relying party identifier, a domain the browser derives from the page origin, so the authenticator will not sign for a look-alike domain and an assertion produced for one site cannot be replayed at another. This scoping is what makes FIDO phishing-resistant, and it also prevents sites from linking a user across services. FIDO keys were traditionally housed in dedicated hardware tokens; passkeys extend the same protocol to keys stored in the platform authenticators of Android, iOS, macOS and Windows devices, optionally synced across a user's devices. Unlocking the key with a fingerprint or face scan happens locally on the device, which gives a user-friendly experience without the biometric ever leaving it.
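The FIDO flow, as an added example in Go (again not the original post's or HID's code), reduced to the part that matters for scoping: the authenticator keeps one key per relying party ID and user, signs over the hash of the RP ID together with the hash of the challenge, and the relying party, which stores only public keys, rejects any assertion bound to another RP ID. The domains `login.example.com` and the look-alike `login-example.com`, the user `alice` and the nonce values are constructed for the example. Real WebAuthn authenticator data and clientDataJSON carry more fields (origin, signature counter, flags, credential ID) than this reduction, and in a real browser the RP ID is derived from the origin by the browser, not by the authenticator.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
	"strings"
)

// Authenticator models a security key or passkey store. It holds one private
// key per (RP ID, user) and never exports it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// rpIDFromOrigin stands in for the browser's job of deriving the RP ID from
// the page origin: "https://login.example.com/path" -> "login.example.com".
func rpIDFromOrigin(origin string) string {
	return strings.SplitN(strings.TrimPrefix(origin, "https://"), "/", 2)[0]
}

// Register mints a fresh key pair scoped to rpID and hands back only the
// public key; that is all the relying party ever stores.
func (a *Authenticator) Register(rpID, user string) (*ecdsa.PublicKey, error) {
	k, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID+"|"+user] = k
	return &k.PublicKey, nil
}

// Assertion is a cut-down WebAuthn assertion: the signature covers
// authenticatorData (reduced here to SHA-256(rpID)) || SHA-256(clientData),
// with clientData reduced to the RP's challenge.
type Assertion struct {
	RPIDHash, ClientDataHash [32]byte
	Sig                      []byte
}

// Authenticate signs for the RP ID derived from the page origin. On a
// look-alike origin the RP ID differs, so no scoped key exists and the
// phishing page obtains nothing it could relay to the real site.
func (a *Authenticator) Authenticate(origin, user string, challenge []byte) (*Assertion, error) {
	rpID := rpIDFromOrigin(origin)
	k, ok := a.keys[rpID+"|"+user]
	if !ok {
		return nil, errors.New("no credential scoped to " + rpID)
	}
	as := &Assertion{RPIDHash: sha256.Sum256([]byte(rpID)), ClientDataHash: sha256.Sum256(challenge)}
	h := sha256.Sum256(append(as.RPIDHash[:], as.ClientDataHash[:]...))
	sig, err := ecdsa.SignASN1(rand.Reader, k, h[:])
	as.Sig = sig
	return as, err
}

// RelyingParty stores public keys only, so a breach of Creds yields nothing a
// thief could log in with.
type RelyingParty struct {
	ID    string
	Creds map[string]*ecdsa.PublicKey
}

// Verify rejects assertions bound to another RP ID (for example one relayed
// from a phishing domain), a challenge other than the one issued, and
// signatures that do not match the enrolled public key.
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) error {
	pub, ok := rp.Creds[user]
	if !ok {
		return errors.New("unknown user")
	}
	if as.RPIDHash != sha256.Sum256([]byte(rp.ID)) {
		return errors.New("assertion is scoped to a different RP ID")
	}
	if as.ClientDataHash != sha256.Sum256(challenge) {
		return errors.New("challenge mismatch")
	}
	h := sha256.Sum256(append(as.RPIDHash[:], as.ClientDataHash[:]...))
	if !ecdsa.VerifyASN1(pub, h[:], as.Sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

func main() {
	auth := NewAuthenticator()
	rp := &RelyingParty{ID: "login.example.com", Creds: map[string]*ecdsa.PublicKey{}}
	rp.Creds["alice"], _ = auth.Register(rp.ID, "alice")
	nonce := []byte("constructed-nonce-0002") // constructed sample value
	as, _ := auth.Authenticate("https://login.example.com", "alice", nonce)
	fmt.Println("genuine origin:", rp.Verify("alice", nonce, as))
	_, err := auth.Authenticate("https://login-example.com", "alice", nonce)
	fmt.Println("look-alike origin:", err)
}
```

Two properties fall out of the RP ID hash being inside the signed data. First, a user who is tricked into registering at the look-alike domain still cannot be impersonated at the real site, because an assertion produced there is bound to `login-example.com` and fails the RP ID check. Second, because the relying party binds each assertion to the exact challenge it issued, a captured assertion cannot be replayed against a later login.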

What Do PKI and FIDO Have in Common?

Both PKI and FIDO rely on asymmetric cryptography, so the verifier never holds a secret that can be stolen and replayed, and both eliminate the need for passwords while offering a seamless experience for end users. Their security in practice depends on how the private key is generated and protected rather than on the choice between the two. When the keys are generated and stored in separate hardware such as smart cards and security keys, both PKI and FIDO are suitable for achieving the highest Authenticator Assurance Level 3 (AAL3) defined by the NIST SP 800-63 Digital Identity Guidelines, and Level of Assurance 4 (LoA4) defined in ISO/IEC 29115, which underpins the eIDAS identity assurance level HIGH.

What’s the Difference Between PKI and FIDO?

There are several differences between PKI and FIDO that go beyond how public keys are distributed.

FIDO is an open standard that enjoys growing support from major tech manufacturers. It’s easy for IT teams to implement, and it benefits from almost universal client built-in support. Organizations can choose how and where FIDO keys are deployed — they can be integrated as passkeys in users’ mobile phones, as security keys and smart cards, or as integrated platform authenticators when available. Furthermore, although FIDO was designed initially for authentication in the open Web where it benefits from broad deployment, it is also available in major platforms for native app authentication.

PKI is also an open standard. Public-key cryptography dates from the late 1970s and X.509 certificates from 1988, and together they have been the backbone of network security ever since. PKI requires more careful planning, deployment and management (a CA hierarchy, enrollment, renewal and revocation), but it also offers capabilities beyond authentication and can be used for data encryption and digital signatures.

FIDO maintains individual authentication keys for each service/user pair. The use of asymmetric cryptography protects them from server breaches, and the use of scoped keys means that privacy is protected by preventing linking users across services. But it also means there’s no unique, centralized place for IT teams to view or manage accounts.

PKI, on the other hand, is centrally managed by design, and the best-in-class solutions offer robust, on-demand audit and reporting mechanisms. IT teams can oversee the entire certificate lifecycle management process from issuing to revoking the certificate via a centralized management console.

PKI relies on a hierarchical trust model: trust is established through a trusted third party, the certificate authority (CA), which registers users and issues their digital certificates, and organizations broker that trust between users and systems by deciding which CAs to accept. Because PKI certificates are system agnostic and many implementations support them, the user experience and capabilities can vary significantly across applications.

By contrast, FIDO authentication is decentralized, establishing trust individually between systems and their users. FIDO keys can therefore only be used within the security domain where they were originally registered, but the user experience is highly consistent because of the close collaboration between ecosystem players.

PKI vs. FIDO: What’s Best for Your Needs?

The choice between PKI and FIDO often comes down to each organization’s specific needs — and what infrastructure is already in place.

Consider using PKI for passwordless authentication if you:

  • Already use PKI certificates for data encryption, digital signatures or server authentication
  • Need stricter identity management protocols or would like to use federation to accept identities external to your own security domain
  • Need a process for centrally managing and auditing digital certificates


Consider using FIDO for passwordless authentication if you:

  • Are looking for a faster implementation timeline
  • Want to streamline integration with web and mobile apps
  • Are investing in a modern authentication backend that enables management of FIDO keys for multiple applications in a centralized administration console


Ultimately, you may not have to choose. The FIDO Alliance has investigated how to incorporate both PKI and FIDO authenticators into an expanded authentication ecosystem with the goal of “enabling greater number of users and applications to be protected using asymmetric encryption.”


This blog is part 1 of HID’s ‘Path to Passwordless’ series. Further explore FIDO authentication in part 2, or PKI authentication in part 3.

Adrian Castillo is passionate about secure identity credentials that enable trusted transactions in physical and virtual environments. Since joining HID in 2008, he has developed credential solutions for end-users, client applications and back-end services. Most of all, he likes to understand the complete chain of components that are involved in the chain of trust.