A little history about FIDO.
For over two decades, the technology industry produced a plethora of multifactor authentication (MFA) schemes based on the principles of something you know, something you have and something you are. Ignoring the fact that the vast majority of these schemes piled additional secrets (one-time passcodes, a.k.a. OTPs; knowledge-based answers, a.k.a. KBA; or biometric templates) on top of the original secret (the password), and were, consequently, susceptible to scalable attacks similar to passwords, the vast majority of businesses and government agencies have deployed one form of MFA or the other.
Since California passed its seminal breach disclosure law in 2004, more than 10,000 data breaches were publicly disclosed compromising over 10 billion personal records. The vast majority were the result of compromised passwords. Despite the multitude of MFA solutions, they did not adequately address the problem effectively. Proprietary schemes, expensive devices, and the fact that the “gold standard” of MFA schemes—RSA’s SecurID—was compromised in a scalable attack nearly a decade ago proved that secret-based authentication schemes were simply not up to the task.
What about public key infrastructure (PKI)? Didn’t PKI break the mold by authenticating users through challenges and digital signatures without the need for a secret on the server? Indeed, it did. Many companies, government agencies, and nations invested billions of dollars in PKI. They issued hundreds of millions of smart cards, and built applications using strong authentication delivered through the Transport Layer Security (TLS) Client Authentication (ClientAuth) protocol enabled by X.509 digital certificates and cryptographic keys on the smart cards. However, the complexity of building and maintaining a PKI, and the challenging user experience (UX) when working with digital certificates left a lot to be desired.
Around 2014, a group of companies believed the time had come for something stronger and better to eliminate passwords off the internet. The world of computing and the worldwide web had changed dramatically and something different was needed. A non-profit standards group, the FIDO Alliance was created, and with over 200 companies worldwide as members—including the governments of US, UK, Australia, Germany—2019 saw the latest version of the FIDO protocol standardized by the FIDO Alliance, with the World Wide Web Consortium (W3C) supporting a standard JavaScript application programming interface (API)—WebAuthn—to define a standard way of integrating FIDO into web applications. Some of the world’s largest internet sites, corporations, and the US government have done so with many more coming. Every modern web browser (with the exception of the legacy Internet Explorer), Windows 10, Android (7 or greater), and iOS currently supports FIDO without the need for special drivers, middleware, or readers.