FIDO pushes its 'death of the password' narrative into Europe

With Google, Mozilla and Microsoft all adopting the passwordless standards, FIDO2 is a 'strong regulatory fit' with GDPR and PSD2

FIDO, the industry consortium with the stated aim of ridding the world of passwords, is seeking to make its authentication protocols the de facto global standard with a concerted push into Europe.

Co-founded in 2012 by PayPal, Lenovo and Nok Nok Labs, FIDO (Fast IDentity Online) seeks to address the lack of interoperability between strong authentication technologies. Its ultimate aim is to eliminate the need for passwords altogether by enabling all credentials to be stored on the user's device and person in a way that services can access them securely and privately.

So what does FIDO have against passwords? In short, they are easy to compromise at scale. They can be stolen through phishing and social engineering, and because they are stored on servers they are also easy to hack by the million. A perpetrator can download the password database and then try brute force attacks on the salted passwords. Since most passwords are short and simple, this can be extremely effective.

81 per cent of all data breaches in 2016 involved weak, default or stolen passwords

The organisation says that 81 per cent of all data breaches in 2016 involved weak, default or stolen passwords. Worse, the number of breaches rose by 45 per cent between 2016 and 2017. And perhaps worst of all only one in 20 businesses uses 'high-assurance' strong authentication, generally meaning multifactor systems using public key cryptography and often biometrics too.

Multifactor authentication (MFA) systems have been around for a while, of course, including one-time passwords (OTP) sent by SMS, apps like Google Authenticator to tokens and security keys, but all of these have their weaknesses. SMS is vulnerable to phishing and the SS7 hack and its use is no longer advised, while the others are strong, but fall down on convenience.

FIDO2, a set of open authentication standards announced in April this year, combines the W3C's Web Authentication specification (WebAuthn) and FIDO's corresponding Client-to-Authenticator Protocol (CTAP) which governs security credentials on devices such as smartphones.

WebAuthn is a standard web API that can be built into browsers. This week Google announced that the latest version of its Chrome browser now supports WebAuthn natively, rather than requiring a plugin. Firefox and Opera also support the FIDO2 standard and Microsoft will do so from September for Windows 10, including the Windows Hello biometrics authenticator and Edge.

"It's a game changer, frankly," said FIDO chief marketing officer Andrew Shikiar. "Windows 10 supporting FIDO2 natively changes everything. It really opens the door for enterprise deployments."

Shikiar continued: "Windows 10 desktops is also a very addressable market for service providers to reach consumers".

In addition, the open standard should also ease the burden on web app developers who need to provide authentication capabilities.

"WebAuthn is a single JavaScript API. It's well documented so it's quite easy now to add authentication to a website," Shikiar said.

A notable absence from the list of supported browsers and OSs (Android will also soon support FIDO2) is Apple. Despite that company's participation in the WebAuthn working group Safari does not support the standard, presumably because Apple has its own competing standards. Long a leader in the biometrics field - Apple introduced touch ID and Face ID - it may prefer to continue ploughing its own furrow. Shikiar hopes not.

"Our feeling is that authentication is not an area of competitive differentiation so it is a thing to commoditise and standardise," he said.

CTAP enables external devices such as smartphones or FIDO security keys to work with WebAuthn and serve as authenticators to desktop applications and web services. Again, many of the main device vendors are on board, including key vendors Yubico, ePass, Feitien and HID, semiconductor firm Infineon and the Nok Nok Labs universal server which unifies the various FIDO standards FIDO2, U2F and UAF.

Like any open standard, the ultimate aim is ubiquity. Apple aside, FIDO standards are becoming more widely accepted, supported by Google, Dropbox, Paypal, VISA and recent joiners Facebook and Amazon among many global names, but the reach also needs to be spread geographically. Uptake so far has been most enthusiastic in the US and the Far East. Eighty per cent of Korean banks use FIDO and countries and countries such as China that are very much ‘mobile-first' in their approach are also keen adopters.

Take up in Europe has been a little more leisurely. Last year the organisation started its European working group co-chaired by executives from Gemalto and ING Bank, to spearhead adoption here.

It's the decentralised approach where biometrics never leave the device

"FIDO's privacy-by-design approach to our specifications makes for a strong regulatory fit with Europe," said Shikiar. "FIDO's decentralised approach to authentication where biometrics never leave the device pairs very well with GDPR which specifies biometrics as sensitive data."

Another relevant piece of legislation is the Payment Services Directive 2 (PSD2) open banking regulation with its demand for Strong Customer Authentication (SCA).

So does this spell the end for the password? Not yet. A half-way house solution will exist for some time, probably many years. Instead FIDO is focused on reducing reliance on passwords by making multifactor authentication technologies easier to use and pushing for acceptance by more and more services.