FIDO Explained: A Shift Towards a Password-Free Future

FIDO authentication

Password leakage is an ever-present concern for internet users. As soon as you enter a password, it becomes vulnerable to attack while it is transmitted and verified. People who share passwords with others are even more likely to fall victim to password leaks.

Although two-factor authentication (2FA) reduces the security risk, one struggle remains: too many passwords to remember. But this may soon change as FIDO steps into the picture.

Even the Government is Promoting FIDO. But What Exactly Is It?

FIDO, short for Fast Identity Online, is a user authentication mechanism. You may be most familiar with its use in biometric authentication: fingerprint recognition, face recognition, iris scanning and even voice recognition all fall under the umbrella term FIDO.

Even though traditional passwords can be strengthened by mixing lowercase and uppercase letters, numbers and symbols, phishing and brute-force attacks are inevitable. This is because the password is stored on both the user’s device and the external server.

FIDO, on the other hand, uses an authentication process that keeps a public key on the external server and a private key on the user’s local device. In other words, only the public half of the user’s credential is held by the external server, and the user registers with the online service through this public/private key pair.

The key differentiator between biometric recognition and traditional passwords is that biometric characteristics are distinctive and serve as identifiers unique to individuals: it is nearly impossible to find two people with identical fingerprints. This means FIDO authentication based on biometrics recognizes “you” rather than a password created by you. A password can be typed in by anyone who knows it, whereas a biometric factor only grants access when it is presented by you. Seems like the only possibility you need to worry about now is if you were kidnapped…

This upgraded form of security even caught the attention of the Taiwanese government, which introduced TW FidO, a citizen digital certificate, to mitigate the risk of personal data breaches; it can even be used for identity verification in tax declarations.

Finance and Technology Sectors are Adopting FIDO

Because FIDO does not store biometric data on the external server, it is popular among the finance and technology sectors, which prioritize data security.

As declared by the Financial Supervisory Commission (FSC) in the Fintech Development Roadmap, a major focus of the year 2021 was the adoption of FIDO for identity verification in the finance industry. In May 2021, the FSC also established the Financial Identity Recognition Alliance. In Taiwan’s finance industry, several large financial holding companies have in recent years begun to adopt FIDO authentication technology and employ financial identity recognition in hopes of replacing traditional passwords.

As for the technology sector, tech giants including Apple, Google and Microsoft have all joined the FIDO Alliance, embracing the development towards a passwordless system.

In addition to ensuring greater security, a password-free future solves the issue of differing password policies across online platforms and apps. Some require uppercase letters, others a minimum length… these differing requirements easily confuse users, leading to password frustration and even a negative login experience.

Today, regardless of industry, businesses’ management of internal and external data relies on 2FA verification for information security. However, repeated password-based logins and two-step verification processes can hinder the user experience in terms of efficiency and convenience.

FIDO Upgrades the Security of Business Service Middleware

In recent years, information system architecture has been moving towards microservices and middleware applications. The demand for horizontal scaling across different systems is becoming increasingly complex, and the need for access control is growing in importance. Therefore, middleware must provide diverse, multi-layer security measures to protect these systems. Adopting FIDO adds an additional line of defense, resolving identity verification problems that 2FA alone was unable to overcome and making corporate information better protected than ever.

To conclude, FIDO can reduce the risk of online phishing and data breaches but at its core, the fundamental requirement for businesses is having high-quality middleware as a stronger foundation. To learn more about how our enterprise iPaaS Middle Platform DigiFusion can help you integrate FIDO with your systems, please contact us.