Password-free world gets closer with FIDO2 authentication


The Fast Identification Online (FIDO) Alliance, which includes some of the biggest names in the online security, payments and IT fields, announced that devices running Android 7.0 and higher will now be compatible with FIDO2, the latest version of the alliance’s authentication solution. The announcement hammers yet another nail into the password's coffin.

FIDO2 provides a Web authentication standard that combines the World Wide Web Consortium’s Web Authentication (WebAuthn) specification with FIDO’s Client to Authenticator Protocol (CTAP). With it, devices gain secure access to online services in both mobile and desktop environments.

Expanding FIDO2 to the Android world allows Web and application developers to add strong authentication to their apps and websites through a simple API call, delivering passwordless, phishing-resistant security to their users.

Since FIDO2 was introduced last year, it has gained support from all the major Web browsers, as well as Microsoft, which has integrated it into Windows 10. Google has long worked with the FIDO Alliance and W3C to standardize FIDO2 protocols, which give any application the ability to move beyond password authentication while offering protection against phishing attacks.

With more than 1 billion Android 7.0+ handsets that can be addressed by websites supporting FIDO authentication, the stage is set for developers and service providers to add standards-based FIDO2 authentication into their websites and apps.

FIDO is trying to solve the world’s password problem. Passwords are often reused across multiple online accounts and are the root cause of over 80 percent of data breaches. Passwords are also costly for service providers to maintain on centralized servers.

When passwords are stored on central servers, those servers become an attack target for hackers. In the past, billions of passwords have been stolen from such servers. With the public key cryptography approach of FIDO2, however, the user’s authentication credentials remain on the user’s device, and the server retains only the corresponding public key.

This not only helps protect the user’s privacy, but also begins to de-risk the authentication process for the service provider. In the event of a data breach, they no longer need to worry about credential theft, since a stolen public key cannot be used to log in. This protects their customers and also helps stop the scourge of credential stuffing, where hackers use credentials stolen from one site to compromise accounts on other sites because the owners reused the same credentials on multiple sites.


A major challenge for FIDO is consumer education, as many consumers are still not ready to say goodbye to their passwords. Education will be a major part of the efforts to facilitate adoption of FIDO2, including working with the vendor community to educate the market at large on the benefits of FIDO authentication.