Apple Inc., the Tech giant, hasn’t always made the right choices. Still, today, it emerges as a Tech Giant which most startups wish to become one day and modern tech companies idealize. This is a story about such technology, whose ancestor was rejected by Apple Inc., but later the successor was adopted: FIDO2, the technology that has the potential to change the future of Authentication.
Years ago, Authentec was a very emerging company. It started off to cater for the basic and growing need of the cyber world: Cybersecurity. Authentec was a part of FIDO (Fast Identity Online) Alliance. The Alliance was made with a focus on the Cybersecurity needs of the future. The idea behind the FIDO Alliance was to create a state-of-the-art open web authentication standard to be used as a standard for all web applications that would be developed in the future.
The FIDO Alliance
The FIDO Alliance is dedicated to serve the mission to develop standards, mainly authentication standards, certain certificates and generate programs that are adoptable in the market to thwart over reliance on passwords for authentication in the cyber world. FIDO is an open industry association. The FIDO alliance facilitates consumer electronics platforms like Microsoft, Google, Lenovo, Intel, Samsung, Infineon, NXP and many others. It further facilitates security and biometrics related companies like Synaptic, nok nok, OneSpan, VMWare etc. The most important use of FIDO Alliance comes into play for the High Assurance services which include major financial institutions like Alibaba.com, PayPal, MasterCard, VISA, amazon, Bank of America and many others.
FIDO emphasizes one major thing: Simpler and stronger authentication for the web. The methods include encryption but it is done via public key cryptography. A single gesture phishing resistant MFA is one of the methods that has been introduced under the FIDO Alliance.
FIDO Alliance stores personally identifying information (PII), like biometric authentication data over the user’s device to make it a trusted device. According to the latest statistics, password leakage is the root cause of 80% of data breaches. One third of the purchases in the online domain are canceled only because the user had forgotten the password. With a world of more than 90 million user accounts, up to 51% of passwords are reused.
The importance of FIDO Mission
The mission to create a new web authentication standard is so incredibly important because authentication needs to evolve into a strong identity verification assurance system that enables users to recover their accounts in a better manner. Another requirement of state-of-the-art authentication is automatic secure device logon or onboarding in order to remove the need for passwords from IoT. With the Advent of IoT, devices are connected everywhere.
Due to the emerging needs of IoT security, it has now become essential to secure users’ devices according to a device-centric model. Similarly, there is a need in the domain of user authentication, the conventional password approach must be changed and a passwordless approach must be adopted for user devices. According to Gartner, there will be 15 billion connected devices by the year 2021. This huge amount of connected devices usage not only opens up new areas of innovation but also makes it essential to invent new ways to protect these devices among the emerging trends of Cybersecurity.
Under this vision to achieve the passwordless mission, FIDO has formed IoT Technical Working Group (IoT TWG). This group focuses on different architectures and specifications to cover IoT device attestation/authentication profiles for better interoperability among service providers and IoT devices. It further focuses on automated onboarding which is used to bind applications and/or users to IoT devices. The third point, FIDO focuses on, is the smart routers and IoT hubs that facilitate IoT device authentication and provisioning.
FIDO was initially started off for a couple of banks and financial institutes but with growing needs of device authentication and cyber threats lurking all over the internet, the mission of FIDO has become the dream of every smart device user on the internet.
Apple’s move and its impact on FIDO and standard
Apple Inc., being the industry leader in computers and other smart devices like iPhone and iPad, also opt for the best in the industry. Apple wanted to stay on top of the curve in the domain of web authentication. But Apple wanted to achieve it on its own. So, it decided to leave FIDO after acquiring Authentec and continued its struggle to achieve a passwordless authentication mechanism.
Apple Inc., made news that it has acquired Authentec, a $356 million acquisition was good news for a small company but not great news for for FIDO Alliance. Authentec was one of the early contributors towards the achievement of a single web based authentication method that could be set as an industry standard. The acquisition of that company has slowed down the progress of FIDO mission.
In reality, Apple Inc. announced that it is not forming a part of the Alliance. Apple Inc. was planning to implement things on its own. The act raised a lot of eyebrows and caused a wave of criticism. FIDO however continued to grow. The quest for creating a passwordless environment was being achieved. Even without Authentec, FIDO was progressing well until in mid-2019, it changed into FIDO 2. And the most reliable authentication achievement of FIDO 2 came into scene: The WebAuthn. Nevertheless, FIDO achieved what it had been aiming for since 2012. 7 years down the lane and the dream was finally a reality. WebAuthn was here.
Introduction of FIDO2 standard in the mid 2019 was such a huge thing
With WebAuthn, a public-key cryptography solution was achieved and a standard interface for user authentication around the web came into being.
There are a variety of ways how WebAuthn can be implemented on the client side. There is a basic authenticator introduced at the core. Authenticator is an abstract functional model that deals with the key material management. In this way, WebAuthn can be purely implemented in software with the help of processor's execution environment or a Trusted Platform Module (TPM).
FIDO 2 is a successor of the original FIDO Universal 2nd Factor (U2F) legacy protocol and emerged as the new industry standard. It has two options for implementation. Either developer can implement single-factor mode or multi-factor mode. In the single factor mode, the authenticator checks for user presence and in the multi-factor mode, the authenticator takes a few verifications steps into account before authenticating like biometric verification using voice, fingerprint or retina scan. Multifactor authentication is based generally on two things: something the user knows and something that the user has. While the former is generally a secret, the latter involves biometrics.
In the normal flow of events, the WebAuthn requires a website which is a conforming WebAuthn Relying Party, a browser that is a conforming WebAuthn Client and an authenticator that is a FIDO2 authenticator. The introduction of such simple implementation yet such powerful backend has moved the security domain in the cyber world.
This leads to another big news in the first quarter of 2020: Apple joining the Alliance for FIDO 2 project with existing members like Microsoft, Google, VMware and more. Finally, Apple did what the management had versioned years ago. In reality, Apple had been trying to promote FIDO-like capabilities for authentication among its devices such as Face ID and Touch ID. After joining FIDO 2, Apple has provided the ability for FIDO compliant security keys like the Yubico YubiKey that can be used to authenticate web services in Safari under the latest iOS 13.3
The protocols designed at FIDO protect user privacy and are designed from scratch. The process of registration and authentication is fairly smooth. User is prompted to select an available authenticator, the user then unlock the authenticator via a button on a second–factor device, a fingerprint reader; securely–entered PIN or any other method, the device then makes a new public/private key pair for the online service, local device and user’s account. Finally, the public key generated is now sent to online service and thus associated with the user’s account. The private key and any local authentication method stays with the device. Always.
Going passwordless: The future of authentication
The concept of going passwordless means that the FIDO alliance is committed to deliver trusted devices in which there is no need to have a password. The logic behind going passwordless is that passwords are easy to forget, and they are also easy to get from a data breach. With the increase in cyber threats especially data breaches, passwords are no longer a secure way of authentication. With the increase in IoT based devices, enduring end-point security is a huge challenge.
FIDO envisioned this in time and hence started to work on the future of authentication: WebAuthn. With a passwordless approach, one might feel, it becomes unsecure but in reality it is the highest level of security any device can offer. The device impersonates the person or user using that device and hence needs no other text and symbols based authentication.
In a common scenario, if an account is attached to multiple devices and the user loses the password or forgets in the first place, he will have to update his account password on each device. With WebAuthn, the user is able to authenticate multiple websites of logged in from a trusted device. For example, a person can login to a YouTube service via the iPhone.
Apple joining FIDO in 2020 is a huge thing that legitimized and justified the mission of the alliance. Not only is it big news for the tech industry, it is a big step for Apple Inc. itself. By Conforming to a single standard, not only Authentec became a baseline for the big step Apple Inc. took to facilitate the Alliance and hence its own devices.
For Apple, there has been a steady approach when it comes to innovation. They generally propose a solution or standard of their own. Hence, to acquire a company, Apple absolutely makes sure the move is worth it. In reality, Apple has joined the Alliance because it felt the pressure to join in. FIDO had enough momentum that Apple couldn’t outrun with its own standards alone.
Over the years, tech giants learn from their mistakes. Apple realized that it cannot compete with all other Alliance members’ singlehandedly for its standard authentication procedure. With now Apple on board, the FIDO alliance’s mission to make all manufacturers come at one page and sign up to this approach is achieved. Now all smart devices users can seamlessly login from multiple platforms, for Example, Android smartphone, Chrome book, iPad, Android tablet, Windows PC, Mac or any other trusted device.
Now that Apple is onboard with others, the work on the concept of going passwordless can go much further.
How FIDO2 standard will change the future of authentication
With a passwordless approach, the struggle to create stronger passwords and other authentication approaches can soon fade away. The public and private keys paired with biometric authentication on local devices are a big leap, just like the first step on the moon. By joining into the alliance, Apple Inc. only did well, if not the best.
Had the joining been a few years before, the WebAuthn, might have emerged earlier. Need for device security is increasing with the increase in cyber-attacks like data breach and identity theft increase. Passwordless is the future.