A Decade of Federated Identity – Is FIDO Adopted?
The conversation around removing passwords and ensuring smoother and more secure authentication processes has gone on for years. As the FIDO Alliance recruits more partners and continues to make landmark announcements, what does its adoption actually look like? Dan Raywood looks into the first decade of federated identity.
This year marks ten years since the first seeds for the FIDO (Fast IDentity Online) Alliance were planted. At that first meeting, on Valentine’s Day 2013, the gathering of FIDO Alliance leaders set out what the FIDO Alliance was intended to do and what its next steps were.
An open industry consortium “delivering standards for simpler, stronger authentication,” the concept was for an open industry standard for online and mobile secure authentication. Consisting of influential names from technology, financial services, and major websites, the ideology of the FIDO Alliance was to “enable simpler, stronger authentication to scale in the market.”
The first product came 18 months later when Google launched the Security Key, the first FIDO Universal Second Factor (FIDO U2F) authentication deployment. This was a physical USB second-factor device which offered an alternative to six-digit one-time passcodes. The following year saw around a hundred FIDO-certified products released, rising to 150 by the time the FIDO Alliance was marking its second anniversary.
A few years into the Alliance’s life, the FIDO2 standard was introduced, enabling users to “leverage common devices to easily authenticate to online services in both mobile and desktop environments.”
FIDO2 is based on two standards, WebAuthn and the Client to Authenticator Protocol (CTAP), and is built around security and convenience. Security comes from the design of the credentials: the login details are unique to every website, never leave the user’s device, and are never stored on a server. Convenience comes from how they are unlocked: users release cryptographic login credentials with built-in methods such as fingerprint readers or cameras on their devices, or by using FIDO security keys.
Perhaps the strongest endorsement came from Apple last year, when it announced the launch of FIDO2-enabled passkeys. Passkeys are built on WebAuthn, use a combination of a public and a private key, and are compatible with Touch ID and Face ID.
Is FIDO2 Well Adopted by Industry?
All of these years in, how well accepted and adopted has the FIDO2 standard become? Andrew Shikiar, the executive director of FIDO Alliance, says the initial concept of the FIDO Alliance was “to solve the data breach problem as passwords caused the vast majority, and if we take them away, then the problem goes away.”
In terms of industry adoption, the FIDO Alliance Authentication Barometer from October 2022 found that password use had dropped in the verticals it was monitoring, while the adoption of multi-factor authentication through SMS one-time passcodes was increasing.
Shikiar believes that adoption of FIDO2 continues to increase, especially with the buy-in from web browsers, where Microsoft and Google “built adoption in which allows FIDO to be in a position to take on passwords.”
Shikiar says that to the average person, the likes of WebAuthn remain generally unknown. Still, increased adoption of FIDO2 will mean more MFA and less password use, which can bring business benefits. “Businesses will see more employee uptime and success rate is higher, and IT costs are down,” which leads to both cost savings and happier employees.
One company that saw the benefit is Beyond Identity, which announced it had received FIDO2 certification at the start of 2023. A provider of passwordless and MFA products, its chief marketing officer Patrick McBride says that FIDO2 benefits Beyond Identity in multiple ways. “On the tech front, it gives us a standard way to leverage passkeys and multiple ways to integrate with other FIDO2 compatible technologies.”
Was it worthwhile to become FIDO2 compliant as a company and join this initiative? McBride says it is, as Beyond Identity is a “multi-year, card-carrying FIDO alliance member” with multiple additional product plans on the roadmap that will leverage various parts of the FIDO2 standard.
“So we believe the FIDO juice is definitely worth the squeeze – both on a technical and market education front.”
FIDO Setting the Standard
As FIDO has been well adopted by prominent online names, does it now deserve to be considered one of the significant cybersecurity standards? Shikiar agrees, saying that strong authentication is a “top priority for businesses” as it enables more productive employees and a better sign-in rate. In one case, a business saw an increased profit line as a result. “We are invested in user experience, as people will be put off if it is too complicated,” he says.
The next step for FIDO2 adoption will come when it is mandated by regulators, and potentially even by cyber insurance providers, to ensure a more secure and proven form of authentication that better reduces the chances of a data breach and removes passwords.
Jonathan Armstrong, a partner at Cordery, says that while he is unaware of any regulation which requires strong authentication, he would not rule it out in the future. “Often data security law and regulation follows events,” he says. If there is a significant breach and public opinion demands a change, that is where a rule for stronger authentication could come into force. “Some countries could add stuff like this into their local implementation of NIS II; I’ve not heard of it yet, but it’s a possibility for sure.”
As well as regulatory factors, there are also cyber insurance considerations, and Shikiar says that the adoption of FIDO2 is something which could aid in a better policy as it shows the company is better protected. “A simple step to adopt FIDO for MFA can address a number one threat and will help drive further adoption.”
Over the past decade, we have seen many incidents of data breaches and password loss. Businesses continue to battle this issue alongside that of keeping employees online and able to access devices, desktops and apps. The adoption of FIDO2 is making waves by enabling businesses to be more secure against a common issue, and more enterprises achieving compliance should be welcomed.