The Cloud Consultancy Europe Ltd.

Passwords are a hassle, and unfortunately, they’re often a security risk. Even when a password is complicated, it may be compromised through brute-force attacks, leaks, or malware. That’s why Apple, Google, and Microsoft are now collaborating on our passwordless future through the FIDO standard.

Maybe you’ve heard of FIDO – it’s a popular standard that turns local devices, such as your phone or a USB key, into tools for sign-in or multi-factor authentication. If you secure your PC with FIDO, for example, it may only unlock when you scan a fingerprint or enter a PIN on your phone.

A hacker who lives halfway across the planet can steal your passwords with a phishing email. But chances are, they’ll never hold your phone in their hands. Because FIDO works locally, it’s much more secure than regular old passwords. It also eliminates the need to memorize, write, or store passwords, which is just icing on the cake.

Apple, Microsoft, and Google now say that they’ll accelerate FIDO adoption by properly integrating the standard with all of their products. Not only will FIDO become easier to use, but websites and apps will have the option to offer FIDO as their only sign-on option without a password-based setup process.

Here are the two main goals of this scheme, as communicated by the FIDO Alliance:

  1. Allow users to automatically access their FIDO sign-in credentials (referred to by some as a “passkey”) on many of their devices, even new ones, without having to re-enroll every account.
  2. Enable users to use FIDO authentication on their mobile device to sign in to an app or website on a nearby device, regardless of the OS platform or browser they are running.

These two changes to FIDO should make it much more appealing to the average person. Syncing FIDO credentials between devices is especially helpful, as it ensures that you can always verify your identity, even if you lose a device.

The brains at Microsoft, Apple, and Google hope to finalize these changes sometime in 2023. Our passwordless future may be right around the corner. Of course, there’s no telling how people will respond to FIDO; if the standard doesn’t prove popular enough, we may be stuck with passwords for a while.

What Makes FIDO Different?

The core ideas driving FIDO are (1) ease of use, (2) privacy and security, and (3) standardization. For implementing authentication beyond a password (and perhaps an OTP), companies have traditionally been faced with an entire stack of proprietary clients and protocols.

FIDO changes this by standardizing the client and protocol layers. This ignites a thriving ecosystem of client authentication methods such as biometrics, PINs and second factors that can be used with a variety of online services in an interoperable manner.

FIDO Standardization

Source: FIDO Alliance

Online Crypto Protocol Standardization
FIDO standardizes the authentication protocol used between the client and the online service. The protocol is based on standard public key cryptography: the client registers a public key with the online service at initial setup. Later, when authenticating, the service verifies that the client owns the private key by asking it to sign a challenge. The protocol is designed to ensure user privacy and security in the present-day state of the internet.

Source: FIDO Alliance
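
The registration and challenge-signing flow described above, as an added Node.js example (not code from the FIDO Alliance or from this article). It is a simplified model rather than the FIDO wire format: the class names, the user name, the example origins and the choice to sign the origin together with the challenge are assumptions made for illustration.

```javascript
const crypto = require("node:crypto");
// Authenticator (client): keeps one private key per service origin.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync("ec", { namedCurve: "prime256v1" });
    this.keys.set(origin, privateKey);
    return publicKey; // only the public half is given to the service
  }
  sign(origin, challenge) {
    const key = this.keys.get(origin);
    if (!key) return null; // nothing was registered for this origin
    return crypto.sign("sha256", Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}
// Online service: stores public keys only and issues single-use challenges.
class Service {
  constructor(origin) {
    this.origin = origin;
    this.publicKeys = new Map(); // user -> public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  enroll(user, publicKey) { this.publicKeys.set(user, publicKey); }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const challenge = this.pending.get(user);
    const publicKey = this.publicKeys.get(user);
    this.pending.delete(user); // each challenge is good for one attempt
    if (!challenge || !publicKey || !signature) return false;
    const signed = Buffer.concat([Buffer.from(this.origin), challenge]);
    return crypto.verify("sha256", signed, publicKey, signature);
  }
}
// Constructed walk-through; the origins and user name are hypothetical.
function demo() {
  const origin = "https://service.example";
  const device = new Authenticator(), service = new Service(origin);
  service.enroll("alice", device.register(origin));
  const sig = device.sign(origin, service.newChallenge("alice"));
  const signIn = service.verify("alice", sig);
  service.newChallenge("alice");
  const replay = service.verify("alice", sig); // old signature, fresh challenge
  const other = device.sign("https://lookalike.example", service.newChallenge("alice"));
  const lookalike = service.verify("alice", other); // no key exists for that origin
  return { signIn, replay, lookalike };
}
```

`demo()` returns `{ signIn: true, replay: false, lookalike: false }`: the service never holds a secret, a captured signature does not verify against a fresh challenge, and the device has nothing to sign with for an origin it never registered.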

Client Standardization for Local Authentication
FIDO standards define a common interface at the client for the local authentication method that the user exercises. The client can be pre-installed on the operating system or web browser, or FIDO Authentication can be called through the browser using a standard API. Different authentication methods such as secure PIN, biometrics (face, voice, iris, fingerprint recognition, etc.) and second-factor devices can be “plugged in” via this standardized interface into the client.

Sources: Review Geek & FIDO Alliance