FIDO for Cybersecurity: What It Is and Why It Matters

By Sanjay Bhakta, VP & Head of Solutions
FIDO biometric log-in

Phishing attacks have hit a crisis point. Year over year, malicious phishing emails increased 1,265 percent (with a 967 percent rise in credential phishing in particular), according SlashNext. This is largely because bad actors are applying generative AI to write more sophisticated and realistic-looking phishing messages. Businesses are looking for more effective ways to fight phishing and myriad other forms of cybersecurity attacks. FIDO, which stands for fast identity online, could be an answer. 

What Is FIDO?

FIDO is a set of open, standardized authentication protocols that allow users to sign in to resources without a password or username. That’s right: no password or user name. FIDO uses public key cryptography to create a more secure, phishing-resistant, and convenient login experience than passwords. FIDO allows users and organizations to use the standard to sign in to their resources using an external security key or a platform key built into a device.

Some examples include: 

  • MacBook’s TouchBar
  • Windows Hello
  • iOS Touch/FaceId
  • Android’s fingerprint/face recognition

FIDO is developed by the FIDO Alliance, a nonprofit organization that seeks to standardize authentication at the client and protocol layers. According to the FIDO Alliance, FIDO authentication has been adoption across various sectors, including finance, healthcare, e-commerce, and government services.  Industries facing high risks and compliance requirements (finance, healthcare) tend to prioritize FIDO adoption as do organizations with Organizations with modern IT infrastructures, which are more likely to integrate FIDO seamlessly. Some early adopters include:

Financial Services

This sector is a prominent adopter, driven by the need for secure transactions and regulatory compliance. Banks and financial institutions are using FIDO for secure customer authentication in online banking, mobile apps, and even at ATMs.

Technology and IT Services

Tech companies, particularly those involved in cloud services, online platforms, and cybersecurity, are adopting FIDO to secure user accounts and protect against data breaches. Tech giants like Google, Microsoft, and Apple have been early adopters, integrating FIDO into their own platforms and encouraging developers to build compatible solutions.

E-commerce and Retail

Online retailers are increasingly implementing FIDO to enhance customer security during transactions and to streamline the login process, improving the overall user experience.

On the other hand, the manufacturing sector has been slower in adopting FIDO, often due to the reliance on legacy systems and the less frequent need for consumer-facing digital authentication. While there is a growing interest in cybersecurity in the education sector, widespread adoption is still not as common, possibly due to budget constraints and the complexity of integrating new technologies into existing systems.

Here are some representative case studies for more insight

Why Is FIDO Considered to Be an Answer to Phishing Threats?

Traditional passwords are vulnerable to phishing attacks, where fake websites trick users into revealing their credentials. FIDO uses public key cryptography and private keys stored on devices, making it much harder to steal login information. FIDO also allows for biometric authentication (fingerprints, facial recognition) or secure hardware keys, which are more difficult to compromise than passwords.

According to the FIDO Alliance, Passkeys, which provide secure and convenient passwordless sign-ins to online services, have grown in consumer awareness despite still being live just over a year. The non-phishable authentication method has been publicly backed Big Tech. Google recently announced that passkeys are now available for all its users to move away from passwords and two-step verification, and so has Apple

FIDO offers other advantages, too. Not having to remember complex passwords or needing to reset them is a better user experience. Authentication is simpler and faster, using familiar methods like biometrics or PINs. Credentials can be used across different devices and platforms, eliminating the need for separate logins for each service.

Is FIDO Hacker-Proof?

FIDO is not infallible. Although passwordless authentication is generally considered to be more secure than traditional password-based logins, biometrics can be spoofed and hardware tokens can be stolen. 

While FIDO jailbreaking hasn’t become a widespread problem yet, the dark web does present potential avenues for bad actors to exploit. Potential vulnerabilities include:

  • Social engineering: while FIDO can’t be directly jailbroken, attackers could still employ social engineering tactics to trick users into revealing their private keys or biometrics.
  • Zero-day exploits: like any security system, FIDO is not immune to unforeseen software vulnerabilities that attackers could exploit.
  • Supply chain attacks: compromising hardware or software components in the FIDO ecosystem could potentially create backdoors for attackers.

While there are tools like FraudGPT in the dark web that can aid in phishing attacks and social engineering, they haven’t been directly linked to cracking FIDO specifically. Currently, there’s limited evidence of readily available FIDO jailbreaking tools or services being sold on the dark web. However, the anonymity and unregulated nature of the dark web make it difficult to completely rule out such activity.

Practicing good security hygiene is always the best approach to mitigating against breaches, an example being keeping software and firmware updated to patch vulnerabilities and choosing reputable devices and services 

How Does FIDO Strengthen a Zero Trust Architecture (ZTA)?

zero trust architecture (ZTA) is an increasingly popular and important cybersecurity model that operates on the principle of “never trust, always verify.” This approach is a significant shift from traditional network security, which often relied on a perimeter-based model (i.e., trust everything inside the network and distrust everything outside it).

FIDO strengthens ZTA in a number of important ways. For instance, as noted, ZTA means trusting no one by default and continuously verifying every access request. FIDO eliminates reliance on vulnerable passwords with strong authentication methods like biometrics or hardware security keys, making it much harder for attackers to gain unauthorized access. 

Least Privilege Access Enforcement

Another tenet of ZTA is least privilege access enforcement. Only the minimum permissions needed for a specific task or resource are granted. FIDO facilitates granular access control by enabling device- and user-specific authentication, ensuring that only authorized individuals with approved devices can access sensitive data or systems. FIDO also can integrate with risk assessment tools to provide additional context for authentication decisions, such as the trustworthiness of the device being used or the user’s location.

Put another way, FIDO complements ZTA. By combining secure authentication capabilities with the principles of ZTA, organizations can create a more resilient and adaptive security posture that effectively protects against modern threats. This resource contains more insight.

What Are the Benefits?

At a time when cyberattacks are a cause for concern, FIDO delivers some important benefits, such as:

  • Reduced hacking risk: FIDO addresses the majority of hacking-related breaches caused by weak or stolen passwords.
  • Improved user satisfaction: users appreciate the ease and security of authentication as noted above. 
  • Lower costs for businesses: businesses can save money on password management and support related to password issues. Password resets and management can be costly for IT departments. FIDO reduces these costs by minimizing the reliance on passwords. For more insight, read “In the Numbers: the Cost of Authentication.” 
  • Interoperability and flexibility: as noted above, FIDO standards are designed to be compatible with a wide range of devices and platforms. It is supported in Google Chrome, Mozilla Firefox, Microsoft Edge and Apple Safari (MacOS), iOS web browsers, as well as Windows 10 and Android platforms according to the FIDO alliance.
  • Scalability: FIDO solutions are scalable, making them suitable for businesses of all sizes. They can be easily integrated into existing systems and can grow with the company.
  • Reduced risk of internal threats: By using biometric data or physical devices for authentication, FIDO reduces the risk of internal threats, such as employees sharing or misusing passwords.

Measurable Improvments

FIDO delivers measurable performance improvements, such as:

  • 75 percent reduction in sign-in time.
  • 4X improvement in sign-in success rate (versus passwords).
  • 50 percent reduction in abandonment rates.
  • 95 percent password reset reduction.

Those metrics point to improved efficiency and productivity owing to less friction in user access to needed systems. In addition, consider that the average cost of a single data breach is $4.45 million. Any ROI analysis should factor in the millions saved in avoiding data breaches. For more insight, read “The Economics of FIDO.”

What Are the Downsides?

As noted above, FIDO is not infallible. And while FIDO offers a significant improvement over traditional password-based authentication, it’s not without its limitations and potential challenges. Here are some caveats to keep in mind:

  • Adoption and awareness: It is still a relatively new technology, and widespread adoption across websites and services is slow. Users may encounter situations where FIDO isn’t available, requiring them to fall back on passwords.
  • Backup and recovery: losing access to your FIDO authenticator (biometric sensor malfunction, lost hardware key) can be problematic. Strong backup and recovery mechanisms are crucial, but their implementation varies across different solutions.
  • Not infallible. As noted above, while phishing attacks become less effective, FIDO is not infallible. User education and vigilance remain essential. 
  • Standardization and fragmentation: Different FIDO standards exist, potentially leading to compatibility issues between devices and services. Choosing interoperable solutions that adhere to established standards like FIDO2 is crucial.
  • Privacy concerns: while FIDO doesn’t store user credentials centrally, some concerns exist about privacy implications depending on the specific implementation. For instance, using facial recognition for authentication raises questions about data collection and storage.
  • Accessibility: not everyone may have access to devices or biometric sensors suitable for authentication. This could create accessibility barriers for certain user groups.
  • Cost and complexity: implementing FIDO might require changes to existing infrastructure and user education, potentially increasing costs and complexity for businesses.

Be aware of these potential caveats and ensure proper implementation and user education to maximize its benefits while mitigating risks.

What Are Caveats to Keep in Mind with Regard to Implementation?

Implementing FIDO standards in an organization can bring several architectural challenges. These challenges often stem from the need to integrate new technologies into existing systems, manage user experiences, and ensure security. One of the primary challenges is ensuring that standards are compatible with current IT infrastructure. This includes integrating with legacy systems, which may not have been designed with modern authentication methods in mind.

Integration with Existing Systems

Integrating FIDO into existing systems might require custom development or API adapters to bridge the gap between legacy authentication protocols and modern standards. Furthermore, transitioning user credentials and authorization data from password-based systems to FIDO can be complex, requiring careful planning and potential downtime during migration. And maintaining support for users with older devices or lacking compatible biometric capabilities necessitates implementing fallback mechanisms or parallel authentication options.

A Significant Investment

The implementation might require significant investment in new hardware, software, or development resources, which can be a challenge, particularly for smaller organizations. Estimating the costs of implementing FIDO in an organization can be complex, as it varies significantly based on several factors. These factors include the size of the organization, the current IT infrastructure, the specific FIDO solutions chosen, and the scope of implementation.

Rolling Back FIDO

It’s also important to keep in mind that if an organization begins to implement FIDO, it can be difficult to roll it back mid-stream. For example, depending on the FIDO implementation, rolling back might involve deleting or migrating user authentication data associated with keys. This raises security and privacy concerns that need careful handling. FIDO integrates with existing authentication systems and workflows. Rolling back completely might require disentangling these integrations, potentially impacting other functionalities.  Businesses should weigh rolling back a FIDO implementation carefully due to the potential inconvenience, security risks, and integration complexities. Decision makers should prioritize exploring alternative solutions like troubleshooting or hybrid approaches to maximize user experience and maintain data security.

Which Technology Stacks or Cloud Providers Are Compliant?

FIDO isn’t directly tied to specific technology stacks or cloud providers, as it functions as a set of open standards for secure authentication. However, many technology stacks and cloud providers offer features and services that comply with FIDO protocols and facilitate its implementation.

For example, inside a typical technology stack, popular front-end frameworks like React, Angular, and Vue.js offer libraries and integrations for FIDO functionality. Cloud providers that integrate with FIDO include Amazon Web Services, Microsoft Azure, and Google Cloud Platform. 

Choosing a technology stack or cloud provider compatible with FIDO involves analyzing your specific needs and desired level of FIDO implementation. Consider factors like:

  • Supported protocols: make sure the chosen stack or provider supports the specific FIDO protocols you need (e.g., FIDO2 Web vs. FIDO2 U2F)
  • Ease of integration: look for options with readily available libraries, documentation, and examples for seamless integration.
  • Scalability and security: choose a stack or provider that can handle your user base and offers robust security features for FIDO implementation.
  • Compliance requirements: ensure the chosen technology meets any relevant data privacy and security regulations you need to comply with.

For information on specific compatibility and integration options, check out the FIDO Alliance website

How Should Businesses Get Started?

Transitioning to FIDO authentication requires careful planning. Here’s a roadmap to guide you:

Assess Current Security Infrastructure

Begin by evaluating your current cybersecurity infrastructure. Understand where and how FIDO can be integrated to enhance security. This involves identifying systems that rely on passwords and could benefit from stronger authentication methods.

Define Security Goals and Requirements

Determine what you want to achieve with FIDO. This could include enhancing user experience, increasing security, or complying with regulatory standards. Set clear, measurable goals.

Choose the Right Solutions

There are various FIDO solutions available, including FIDO2, U2F, and others. Decide which one aligns best with your security needs and infrastructure. Consider factors like user experience, type of devices used in the organization, and the nature of data being protected.

Plan for Integration and Compatibility

Ensure that the chosen solution is compatible with your existing systems. This might involve updating software, acquiring new hardware (like biometric scanners or security keys), or making changes to network architecture.

Educate and Train Employees

One of the biggest challenges in deploying a new security system is user adaptation. Educate your employees about the benefits and use of FIDO. Training sessions can help users become familiar with the new authentication methods.

Do Pilot Testing

Before a full rollout, conduct a pilot test with a select group of users or in a specific department. This will help identify any issues or areas for improvement in the deployment process.

Roll Out in Phases

Deploy the FIDO solution in phases, rather than all at once. This phased approach allows for monitoring and managing any issues more effectively and reduces the impact on business operations.

Monitor and Gather Feedback

Continuously monitor the implementation for any security or usability issues. Collect feedback from users to understand their experience and identify areas for improvement.

Update and Maintain

Regularly update the FIDO system to protect against new threats. Maintenance is crucial to ensure the security and efficiency of the authentication process.

Review and Audit

Regularly review and audit the FIDO implementation to ensure it meets the set security goals and complies with relevant regulations and standards.

An effective cybersecurity expert can help you assess the upsides and downsides of FIDO and implement it correctly. Centific can do that. We take a proactive approach to protecting a client’s digital estate in order to continuously outsmart bad bots. Our team constantly applies evolving tools in context of our process at speed to support your revenue growth, optimize costs, and protect your customer experience. Click to learn more about our Digital Safety Services.