FIDO authentication is a method of verifying the identity of a user that relies on physical characteristics, such as a fingerprint, rather than something that can be easily guessed or stolen, like a password. The FIDO Alliance, an industry consortium that develops open standards for strong authentication, defines FIDO authentication as “an emerging set of technologies that redefine how we authenticate users and devices.” In order to use FIDO authentication, a user must first register their physical characteristic with a compliant device or service. Once registered, the user can then use their physical characteristic to authenticate themselves to the device or service. FIDO authentication is often used in combination with other methods of authentication, such as username and password, two- factor authentication, or biometrics. This ensures that even if one method of authentication is compromised, the other can still be used to verify the user’s identity. FIDO authentication is an important tool for protecting online accounts and services from unauthorized access.
This is huge and has been a long time coming! With Apple, Google and Microsoft jointly supporting a “PassKey” standard based on FIDO, perhaps now we can ditch passwords. Mercator first identified FIDO as the leading biometric standard in our report “Biometrics: A Market Forecast for Consumer Adoption” published in January 2017 and urged financial institutions to standardize their authentication technology in 2018. This took far longer than I predicted but perhaps now we can kill passwords and slow down criminal account takeovers and other crimes based on failed authentication:
“The standard is being called either a “multi-device FIDO credential” or just a “passkey.” Instead of a long string of characters, this new scheme would have the app or website you’re logging in to push a request to your phone for authentication. From there, you’d need to unlock the phone, authenticate with some kind of pin or biometric, and then you’re on your way. This sounds like a familiar system for anyone with phone-based two-factor authentication set up, but this is a replacement for the password rather than an additional factor.
Similar to how a password manager can unify your logins under a single password, your passkeys can be backed up by some big platform-holder like Apple or Google. This would let you easily bring your credentials to a new device, prevent you from losing them, and make it easy to sync passkeys across devices. If you lose your device, you can still recover your accounts by signing in (uh—with a password?) to your big platform-holder account. It may also be a good idea to have more than one device set up as an authenticator.”
Overview by Tim Sloane, VP, Payments Innovation at Mercator Advisory Group