John Craddock, Microsoft MVP (speaker, consultant, writer and instructor of the Identity Masterclass) explains the principles of FIDO2 (Fast IDentity Online)
Many websites require users to authenticate to allow access to their services. The majority will require a user to register and create an account, with access to the account secured with just a username and password. It’s long been recognized that passwords are the weakest link in identity ecosystems and various vendors have implemented passwordless authentication.
FIDO2 aims to eliminate passwords
However, if passwords are to be truly eliminated, any solution must be standards-based and scalable across the internet. The FIDO Alliance was founded in July 2012 with the mission of developing open standards for passwordless authentication. In 2019 the World Wide Web Consortium (W3C) adopted the FIDO2 core Web Authentication protocol (WebAuthn) as an official web standard. This immediately opened the door for a significant number of vendors to go to market with FIDO2 security devices.
A FIDO2 security device generates a cryptographic private/public key pair for each website (relying party) the user registers with. Unlike password-based systems, where a shared secret (the password) is held by both the user and the website, the private key never leaves the user's device. The user proves their identity by signing a message that contains a fresh, random challenge issued by the website; the website validates the signature using the public key it received during registration. Because each challenge is used once, a captured signature cannot be replayed. Security is further enhanced by requiring the user to be verified by the FIDO2 device, using a PIN or a biometric, before private keys can be generated or used.
FIDO2 security devices can be implemented either as roaming authenticators, such as a USB security key, or as platform authenticators built into the device and its operating system, such as Windows Hello.
FIDO stands for Fast IDentity Online.