Author: Christian Lamprechter
FIDO: The good, the bad and the alternative
Last year, on World Password Day, the global IT community woke up to some startling news. The Fast IDentity Online (FIDO) Alliance — headed by Google, Apple and Microsoft — announced it had finally cracked the task of making passwords obsolete.
“Simpler, stronger authentication is not just (our) tagline — it’s also been the guiding principle for our specifications and deployment guidelines,” Andrew Shikiar, the Alliance’s executive director declared. “Ubiquity and usability are critical to seeing multi-factor authentication adopted at scale, and we applaud Google, Apple and Microsoft for helping to make this objective a reality.”
What is that reality? On the surface, it’s a revolution in how we access the sites and applications we all depend on without the fear of losing our login credentials. It’s a brave new world in which hackers are shoved into the cold, unable to phish or grab passwords from tireless assaults. Shikiar’s words, at first, seem like the beginning of the end for user risks that can cripple any business.
We admire FIDO. We respect and value any work focused on breaking bad security habits: the kind we’ve had to tolerate for so long. But, we think the whole approach needs to go even further. Why? Keep reading.
The seed of fresh thinking
The Alliance has been carefully shaping its approach to passwordless sign-ins for over a decade. After initial sparks grew out of a collaboration between PayPal and Validity Sensors for biometrics in 2009, a group of major players came together three years later, bent on exploring an industry standard for digital security. Infineon, Lenovo and Agnitio are several founders, joined swiftly by Google and NXP. Back then, multi-factor authentication (MFA) was in its infancy, mostly relegated to departments within those companies. FIDO was born from the ambition to find a second factor — a device-based system — that could push passwords out of the mainstream.
By December 2014, the inaugural standards were revealed: the v1.0 passwordless protocol (called the FIDO Universal Authentication Framework, or FIDO UAF for short) and second-factor protocol (U2F). These templates described how browsers, plugins and native apps could deploy authenticators designed and approved by Alliance members. From creating specs and development guidelines to offering security qualifications across the board, it was a significant step in the right direction.
The pitch went like this: you register an encryption key on a user’s device, but that key is origin-specific i.e., it’s a combination of the protocol, port and hostname. That means when you want to log in, your device generates a new public and private key pair. You take action on a device — for example, entering a PIN code, scanning your thumb or giving a voice command. The action “signs” the access attempt and you’re authenticated. Since a potential hacker doesn’t have the device in their hand, they’re powerless to meet a second security check.
So far, so good. The problem is, U2F relies on a FIDO dongle as the authenticator token. This piece of hardware proved to be awkward and expensive. It’s small enough to lose easily and too important for a single purchase. Reviewers have noted that many companies offering MFA dongles urge you to buy two. Given that they tend to cost around $20 each, that’s a big investment for an organization with hundreds or thousands of network users. Additionally, if you do misplace the device, you have to wait weeks for a replacement. As Tom Lawrence from Laurence Tech sighs, “That’s just life.”
What FIDO2 proposes
Today, FIDO partners still manufacture and sell U2F dongles. Yet, the Alliance’s latest plan involves smartphones — making them the key, rather than a fiddly stick hardly larger than a piece of chewing gum.
You can see why we’re interested in an authentication system that’s somewhat similar to our own, in which a smartphone becomes the main hardware for confirming identity. FIDO users will soon have more options for registering their phone with online services. They’ll have to sign a two-factor method in line with that service’s security policy, scanning or entering a code in an app to create an encryption key pair. Once they’ve done so, they can access their account without a password.
But, there’s more at risk here than many people realize. It makes FIDO2 standards less of a silver bullet and more of a repeated aim at security targets that keep shifting as we fully understand them.
Where Almefy goes further
Quite obviously, hardware-based tokens like the FIDO dongle are absurd in 2023. They’re too small, costly, unscalable and rife with the potential for locking users out for weeks at a time. Yet even the smartphone strategy has flaws — chief amongst them being the fact that it needs a public encryption key.
We’ve written about the Public Key Infrastructure (PKI) before here, but suffice to say, this authentication system has been cracked and hacked. A public key is available in network traffic for anyone who’s looking for it. The administrator’s private key, on the other hand, can be lost, forcing massive overhauls for every device on the list while a new key is confirmed. There are problems with authentication certificates, too: Digital records can expire and make a key invalid.
Additionally, you must have a FIDO-compatible browser for authentication to function. Since they’re strictly designed with FIDO standards, you might be unable to implement, say, an AI tool to detect fraud. Custom development is held back by locks on what FIDO can and can’t work alongside. As Lily Hay Newman from Wired explains:
“Its success will depend on the security of each operating system’s implementation … FIDO’s vision will simply create a different, if potentially better and more sensible, set of weaknesses and points of failure. As FIDO itself notes, its plan for mainstream adoption of passwordless authentication is meant as a general-purpose solution and may not always fit the most extreme security requirements.”
FIDO2 is therefore prone to frustrating user issues, depending on the device and service you’re using, as well as the hacking potential associated with PKIs. And, throughout, there’s a more general concern — that of user data. FIDO Alliance members have significant banks of personal information at their fingertips.
We have a different approach to providing simple, reliable MFA in a single step with a smartphone. Almefy’s technology doesn’t use a public key infrastructure. Instead, we’re putting our own spin on identity-based encryption (IBE), a well-known standard. IBE brings a challenge and response pattern to a registered user’s device. With Almefy, this challenge is a QR code — a quick and painless method for signing an identity on our authentication service. Nothing is shared, and no data is left in the air, waiting to be snatched up by advanced compromise techniques. Registered users can simply open the Almefy app, scan an image and get access granted.
While the tech under our hood is quite different, we’re staying up to date with FIDO’s ongoing plans for a password-free security environment. As it stands, they may not be perfect, but we’re in favor of any advance toward commonsense MFA. Learn more about how Almefy works here or download our app to try it for yourself.