Trustworthy

Fido was a loyal soul – the name literally means faithful, loyal, trustworthy [1]. The mongrel found its way to the Lincoln household and quickly became a family member. Dirty paws, sleeping on the sofa – the dog was allowed to do everything (Figure 1). He even shared his master's fate: Only a few months after the fatal assassination of US President Abraham Lincoln, a drunk stabbed him [2].

Figure 1: Loyal to the death: Abraham Lincoln's dog Fido.

In 2012 a new player, the FIDO (Fast IDentity Online) Alliance [3] – not to be confused with Fidonet [4], a bulletin board system (BBS) from the 1980s and 1990s that older readers will remember as popular with hackers and geeks – came onto the market (see the "The FIDO Alliance" box).

FIDOsophy

According to the FIDO Alliance website, their goal is to combine transaction-secure, strong authentication with good usability while preventing fraud and providing the provider with the most efficient and uniform authentication mechanism possible.

The approach aims to combine biometrics and two-factor authentication, which is achieved when a user deposits a key on a server and then confirms subsequent requests through a local challenge-response mechanism by pressing a button or providing some other proof of physical presence (e.g., a fingerprint reader) to activate a service. According to the FIDO Alliance website, Google was one of the first companies to use authentication with tokens successfully.

Unlike traditional authentication methods, two-factor methods, such as those developed by Yubico [6], do without a central server. It was an urgent concern of Jakob Ehrensvärd, company CTO, to develop a decentralized authentication mechanism that does without shared secrets that communication partners need to safeguard. At the same time, however, he wanted it to be possible to use arbitrary services while ensuring the anonymity of the users (i.e., enabling any number of identities for any user).

In 2014, the FIDO Alliance simultaneously completed version 1.0 of the Universal Authentication Framework (UAF) and Universal 2nd Factor (U2F) protocols. In the years that followed, numerous client and server implementations appeared. At the same time, the Alliance gathered new members from the IT security, finance, software, and biometrics sectors. The first test and certification program appeared in 2015, followed by mobile implementations for iOS and Android, but also using contactless approaches with Bluetooth and near field communication. Microsoft started with Windows 10, and the Japanese provider NTT Docomo enabled its 65 million customers to log in without passwords.

FIDO2

In November 2015, Allianz submitted the design for FIDO2 to the World Wide Web Consortium (W3C). Just three months later, the W3C announced the establishment of a working group. Their goals were to promote standardization for strong authentication mechanisms of web browsers and websites based on the FIDO2 web APIs.

The goal of the Web Authentication Working Group is to create a client-side API for web applications and to make e-payments with biometrics and other secondary factors both more secure and simpler, because most smartphones already have fingerprint readers and similar modules on board.

This scheme ensures greater user satisfaction and protects the authenticity of the credit card holder better than ever before, say FIDO and EMVCo, whose six members (American Express, Discover, JCB, Mastercard, UnionPay, and Visa) oversee "… the requirements for global interoperability between chip-based payment applications and acceptance terminals to enable secure contact and contactless transactions and other emerging payment technologies" [7].

In late 2016, the FIDO Alliance became the largest ecosystem for authentication standards. More than 200 certified solutions are now available, and thanks to Facebook integration, more than three billion people have access to secure login procedures. In March 2018, the W3C finally presented version 2 as a W3C Candidate Recommendation [8].

In addition to the FIDO classics UAF and U2F, FIDO2 now includes the Client to Authenticator Protocol (CTAP) and the WebAuthn protocol as specifications for integration in browsers and web applications [9] (Figure 2).

Figure 2: On the client device, the CTAP library uses an authentication method, whereas the browser uses WebAuthn to ensure secure communication with a web application or platform. Ideally, the user simply chooses a previously set up authentication method.Image © https://fidoalliance.org

Operations

The entire operation needs to be simple and transparent for the user. Figure 3 shows the two variants, with a biometric feature on a smartphone (top) and USB tokens, smart cards, embedded secure elements, or trusted platform modules (bottom) as local device authentication. In the background, the new standard uses public key cryptography, which in combination with the local 2FA mechanisms also seems to arm the procedure well against any kind of phishing.

Figure 3: The FIDO alliance promises easy authentication in the future. Image © https://fidoalliance.org

In the simplest case, the client device registers with the server using a public key. From that point on, the local device authentication can activate the private key to carry out the desired authentication.

Usually the server will prompt the user to select an appropriate authentication method and device for both sides. The client library then generates the special key pair for this combination of local device, online service, and user account. The public key, also linked to the user account, then ends up on the server. The server does not receive any information about the local links on the customer side, so anyone breaking in would not be able to find out which authentication type the customer has chosen.

In detail, the registration process is as follows: The server sends a challenge to the user to log in as before (i.e., on the device and with the procedure that allows the keys to be read). If the client succeeds, it signs the challenge with its private key and sends the whole thing to the server. The server then only needs to check whether the public key matches the signature and then logs the user on. Alternatively, it triggers a requested process. The user can also store several keys on suitable media, which can then be use as required.