We have been using a username and password pair for all of our accounts, and this is the weakest link in the chain for our security. The industry is pushing to develop a passwordless authentication system that will replace passwords, and FIDO is the one. The goal of FIDO (Fast IDentity Online) is to secure web and mobile applications and use biometric mechanisms (fingerprints, voice recognition, and face IDs) to protect identity.

There are too many problems with password-based authentication. (1) Users use weak passwords, and accounts are breached by brute force attacks. (2) Users use the same password in multiple accounts, and data breach in one account makes other accounts vulnerable. (3) Users forget passwords and resetting them via help desks costs money, especially in the financial industry. (4) Building password-based authentication is costly.

In February 2013, the FIDO Alliance was formed to develop open standards to implement a secure passwordless authentication system. This is accomplished by using public key cryptography (PKC), and WebAuthn is one implementation of FIDO2 standards. There are various ways to support FIDO, and smart devices, biometrics, USB security tokens, smart cards, and NFC (Near Field Communication) are a few methods. The FIDO uses PKC, and registers a user's "trusted" device to a server, and creates a public key. The user's device will provide a private key, which will be used to decrypt the authentication challenge required by the server.

What is Public Key Cryptography?

Public key cryptography is a protocol that uses two keys (public and private) to encrypt and decrypt data to protect against unauthorized access. The public key is a randomly generated ID that is available for the public to use when encrypting the data. The private key is the secret key that is used to decrypt the data, and it should be kept secret by the authorized person.

Public Key Cryptography is modern security primitive used in various applications, and it underpins TLS/SSL, S/MIME, PGP, and GPG standards. By using public and private key pair, the server and client can exchange data that can only be decrypted by the trusted client, and it can also be used in a robust authentication system like FIDO.

What is FIDO2 and how does it work?

FIDO2 is the newest standard developed by the FIDO alliance, and it uses a device that a user already has to authenticate in web (desktop) and mobile environments. The FIDO2 include W3C's WebAuthn and CTAP (Client-to-Authenticator Protocol).

FIDO2 can be used in a standalone environment like WebAuthn, or used in 2FA. The FIDO standard uses personally identifiable information (PII) like biometrics in a user's device to create the private key, which is then used to decrypt the authentication request encrypted by the public key on the server. By storing PII in the user's device instead of a cloud (or server), FIDO is much more secure than password authentication not to mention the trouble of memorizing a password.

FIDO supports UAF (Universal Authentication Framework) and U2F (Universal Second Factor) protocols. UAF allows a client device to create a public and private key pair and registers the public key with the server and stores the private key in its local storage. With UAF, the server requests a client to authenticate itself, and the user will provide a biometric signature to prove his identity.

The U2F is mostly used in second-factor authentication (2FA), and a USB or NFC device is required to authenticate itself. A popular U2F devices include YubiKey from Yubico, Titan from Google, and FIDO U2F from Thetis.