An introduction to FIDO
Note from Jack: As more EUC pros are getting involved in identity, and as we’ve been covering it more here at BrianMadden.com, we’ve been exposed to additional concepts and technologies, including FIDO,
an MFA standard. Today David Strom, a frequent contributor to other TechTarget sites, gives us an introduction.
By submitting your personal information, you agree that TechTarget and its partners may contact you regarding relevant content, products and special offers.
Many years ago, the idea of making a more universal multi-factor authentication (MFA) token seemed like a good idea. Back then, hardware tokens were proliferating, and so were the number of logins for different web-based services. Out of that era, the Fast Identity Online (FIDO) Alliance was created in July 2012 and publicly announced in February 2013 to try to bring some standards to this arena. Since then, the FIDO standards have gone through several revisions and extensions, and more than 100 vendors have joined the non-profit association, including some of the largest names in the identity and authentication business.
While it has taken a while to gain traction, FIDO is now at an inflection point and has reached sufficient maturity that deploying it isn’t a matter of if, but when for most enterprises.
Originally, FIDO filled a big need for enterprise IT managers who wanted to have a single authentication process that could span many of their apps, including both homegrown and SaaS apps. The notion behind FIDO is simple to explain: separate the actual authentication mechanisms from the authentication process itself, so that authentications could run over a variety of hardware fobs, software apps, and digital identity methods.
By doing this, FIDO also offered two other advantages: It can be more secure because no identifying information is stored or transmitted anywhere. Instead, authentication data is processed by software on the end user’s device. This proved useful as more smartphones were created with built-in facial and fingerprint recognition sensors that could be leveraged as additional MFA factors. Finally, FIDO also gets rid of custom programming and proprietary methods and replaces them with a more standards-based approach.
However, FIDO turned out to be harder than it initially looked. This is because FIDO had several issues.
First, there are actually two separate standards, called Universal Two-Factor and Universal Authentication. The first is for MFA interoperability, the second is for password-less logins. You don’t need both to deploy FIDO, although chances are you will likely encounter both in the products that support FIDO. There are now more than 50 FIDO-certified apps, including ones from Yubico, NokNok, Facebook, Dropbox, Google, GitHub and others.
Early on, the FIDO Alliance sought membership from both technology vendors and end user organizations, and now representatives from the IT departments of Bank of America, Netflix, ING, MasterCard and USAA are on its board of directors. This was both a blessing and a curse, because the users wanted something that could actually be implemented, and not some academic standard that would take years of consensus-building like some of the early TCP/IP protocols. Guess what? It took years to develop the FIDO-ready products anyway.
Another frustration was that these products still required a lot of work from IT staffs, both to learn the various APIs and toolkits needed to implement effectively, and to integrate with their existing identity infrastructures, if they had any. Think of FIDO as the Ikea of identity: lots of functionality is available but some assembly is required.
And then there is the evolution of the authentication token market itself. A few years back, hardware one-time fobs like RSA’s SecurID were the norm, and FIDO was posited in a world where multiple fobs were required. But then software tokens were created, and a move towards biometric-enabled smartphones happened. So while the original idea behind FIDO is still sound, its implementation has had to keep up with this evolution, too.Finally, outside of a few identity pros, few in the IT department understood these issues at the time of FIDO’s birth. Even the largest of corporations usually have one or two staffers who manage their entire identity infrastructure, which meant a lot of education was required for the rest of the company into why they should spend time, money and energy on this new standard.
So that was then—nowadays, FIDO has grown up. Newer FIDO-certified products include more creative MFA approaches that adapt to individual user behavior. In addition, identity as a service (IDaaS) is becoming much more commonplace, and serves a convenient point to integrate FIDO.
So where does FIDO now fit into an enterprise identity strategy? Several places:
- FIDO can complement your existing SSO and authentication tools. NokNok, for example, can act as a “hub” and provide FIDO functionality across multiple enterprise apps and systems.
- FIDO and SAML can work together to protect and extend authentications across your enterprise. The FIDO Alliance has published a paper that goes into implementation details here, but essentially, your FIDO implementation will run in conjunction with you federation implementation (i.e. you’ll likely integrate it with your IDaaS, if you have one).
- It can help your company with broader MFA adoption without having to pound a user into a headlock.
All of these are movements in the right direction, but it will take some time for deployments to kick in and fully realize FIDO’s potential.