FIDO: Here’s Another Knife to Help Murder Passwords
2022-03-22 15:42

At the heart of the matter: proposed WebAuthn changes that will smooth the traditional security-versus-usability trade-off that users face when considering FIDO. While FIDO can deliver better security, users have hoops to jump through, FIDO said, including the need to adopt a security key - for example, the fobs sold by Yubico - as an authentication device.

Nearly a decade ago, FIDO made it its mission to fight stale, plaintext passwords and create a new, interoperable system of authentication technologies.

"While traditional multi-factor authentication solutions like SMS one-time codes add another layer of security," wrote FIDO representatives in 2019, "they are still vulnerable to phishing attacks, aren't simple to use and suffer from low opt-in rates." Hackers can even bypass the 2FA process entirely.

FIDO2 combines WebAuthn - in the words of its creators, W3C, "an API enabling the creation and use of strong, attested, scoped, public key-based credentials by web applications" - and FIDO's Client to Authenticator Protocol, which "enables external devices such as mobile handsets or FIDO security keys to work with browsers supporting WebAuthn, and also to serve as authenticators to desktop applications and web services."

Past all the technical detail, the bottom line is this: By downloading FIDO2 specs, "users log in with convenient methods such as fingerprint readers, cameras, FIDO security keys, or their personal mobile device," in a way that "eliminates the risks of phishing, all forms of password theft and replay attacks." That is according to a FIDO press release from 2019.

The system uses your mobile devices to reduce login theft because, wrote FIDO, "cryptographic login credentials are unique across every website, biometrics or other secrets like passwords never leave the user's device and are never stored on a server." And "because FIDO keys are unique for each Internet site, they cannot be used to track you across sites."
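
The properties quoted above (per-site key pairs, secrets that stay on the device, phishing and replay resistance) can be seen in a small model. This is an added example, not code from FIDO, the W3C or the original article; it is a simplified Node.js simulation rather than the real WebAuthn wire format, and the class names, `demo()` and the `.example`/`.test` origins are constructed for illustration.

```javascript
// Added example: simplified model of a WebAuthn-style ceremony, not the real wire format.
const nodeCrypto = require("node:crypto");

// Authenticator plus browser: one key pair per site; private keys never leave this object.
class Authenticator {
  constructor() { this.keys = new Map(); }
  register(origin) {
    const { publicKey, privateKey } = nodeCrypto.generateKeyPairSync("ec", { namedCurve: "P-256" });
    this.keys.set(new URL(origin).hostname, privateKey);
    return publicKey.export({ type: "spki", format: "pem" }); // all the server ever receives
  }
  // `origin` is what the browser observed, not what the page claims to be.
  sign(origin, challenge) {
    const key = this.keys.get(new URL(origin).hostname);
    if (!key) return null; // no credential is scoped to this site
    const clientData = JSON.stringify({ origin, challenge });
    return { clientData, signature: nodeCrypto.sign("sha256", Buffer.from(clientData), key) };
  }
}

// Relying party: stores a public key only and issues single-use random challenges.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.pending = new Set(); }
  enroll(publicKeyPem) { this.publicKey = publicKeyPem; }
  newChallenge() {
    const c = nodeCrypto.randomBytes(32).toString("base64url");
    this.pending.add(c);
    return c;
  }
  verify(assertion) {
    if (!assertion) return false;
    const { origin, challenge } = JSON.parse(assertion.clientData);
    if (origin !== this.origin) return false;          // signed for another site
    if (!this.pending.delete(challenge)) return false; // replayed or unknown challenge
    return nodeCrypto.verify("sha256", Buffer.from(assertion.clientData), this.publicKey, assertion.signature);
  }
}

function demo() {
  const device = new Authenticator();
  const bank = new RelyingParty("https://bank.example"); // constructed sample origins
  bank.enroll(device.register(bank.origin));
  const shopKey = device.register("https://shop.example");
  const assertion = device.sign(bank.origin, bank.newChallenge());
  return {
    login: bank.verify(assertion),
    replay: bank.verify(assertion), // same signed blob presented a second time
    phish: bank.verify(device.sign("https://bank.example.login.test", bank.newChallenge())),
    perSiteKeys: shopKey !== bank.publicKey,
  };
}
```

Calling `demo()` shows the legitimate login verifying, while the replayed assertion and the look-alike origin are both rejected and the two sites hold different public keys.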


News URL

https://threatpost.com/fido-knife-murder-passwords/179031/