FIDO | From Whence We Came

“Know from whence you came. If you know whence you came,

there are absolutely no limitations to where you can go.”

— James Baldwin

The FIDO (Fast IDentity Online) Alliance was founded by a small group of companies, including Nok Nok Labs, five short years ago. A lot has happened in five years. We have progressed, pushed forward, and built up an Alliance of over 250 of the world's largest organizations, all dedicated to solving one of the largest problems in today's digital world: authentication.

Five years ago, Nok Nok set out on a mission to solve a problem. Passwords had become an ungainly mess. One analysis of 6 million online accounts from that time revealed that just 10,000 unique passwords covered 99.8% of the accounts, and 73% of banking accounts used passwords that were shared with other online services. From a security point of view, that is a massive problem: one breach anywhere exposes accounts everywhere. From a user's point of view, the password problem can be proxied by a different statistic: cart abandonment. In 2013, 71.6% of online carts were abandoned, and 31% of those were abandoned due to friction. [SOURCE: Barrilliance]

[Figure omitted. SOURCE: Statista]

It's clear that the problem we had 5 years ago was significant, and the underlying themes still resonate. Passwords, quite simply, were not designed for modern computing ecosystems. We needed to design something better.

Nok Nok Labs knew that solving a systemic issue in computing would require a consortium of institutions to agree on the design and architecture of a fundamentally new approach. And thus the FIDO Alliance was born.

The design parameters were straightforward: any new solution needed to provide for (1) user experience, (2) interoperability, (3) privacy and (4) security. The final solution had to be user-friendly, as widespread adoption was critical for viability.

Use Cases and Usability

The friction a user experiences with usernames and passwords means that any authentication based on that scheme has to be limited to granting access to an account; asking again at every sensitive step would drive users away. By creating something that was both easier to use and provided additional identity assurance signals, end users could be prompted to authenticate at any time without significantly increasing their friction or risking abandonment of their engagement.

As the biometric revolution took off, it became clear that simple biometrics, like fingerprints, could provide the strong signal needed not only to grant account access but also to confirm transactions, or to log in through a desktop or laptop, or even through a kiosk or ATM. Usability drove usage, and over the course of the last few years FIDO-based authentication has reached over 3 billion users. It is deployed across the United States, China, Japan, Europe and Africa.

Interoperability

Three billion users across markets as diverse as mobile network operators, finance, healthcare and physical access control are a testament to a founding principle of the standard: interoperability.

The modern computing ecosystem is not a homogeneous one. The FIDO specifications were designed so that their recommendations could be realized on any device, for any application, using any method of authentication. It is therefore now possible to perform strong authentication on a device from Apple, Samsung or Fujitsu using a variety of biometrics, from fingerprints to facial recognition. And each permutation or combination of FIDO-certified products (of which there are over 400) provides the same level of privacy and security, because certification tests conformance to the same specification and interoperability with the other certified products.

Privacy

FIDO-based solutions are being used by some of the largest banks and telecommunications companies in the world. These are institutions responsible for protecting your most sensitive details. It was vital, in the design of the FIDO solution, that privacy was at the forefront.

First and foremost, biometric data used in an authentication event is never sent to a centralized server. The data stays on the user's device, in the user's control; the biometric only unlocks a key that lives on the device. Second, the FIDO protocol is based on asymmetric public key cryptography: a distinct key pair is generated for each relying party at registration, so the public key one company stores bears no relationship to the public key another company stores, and users cannot be linked or tracked across services based on that information.

Security

One of the biggest flaws in the username/password system of authentication is the storage of shared secrets in a centralized database. This allows a single breach to expose the entire dragon's hoard of data, which can then be reused for attack after attack. The solution that Nok Nok Labs created, and that was encoded into the FIDO protocol, was the decentralization of valuable identifiers. Private keys and the user's biometric data rest on the personal devices of the billions of FIDO users, while the server holds only public keys, which a thief cannot use to authenticate. That makes it infeasible for a bad actor to compromise the whole system with one breach.
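The two properties described above (per-relying-party keys that cannot be linked across services, and a server database that holds nothing worth stealing) are easier to see in a small model. The following Go program is an added example written for this page; it is not Nok Nok's or the FIDO Alliance's code and it omits attestation, signature counters and the real FIDO message formats. The relying-party IDs "bank.example" and "shop.example" and the user "alice" are constructed for the illustration. The device registers a fresh P-256 key pair per relying party, each relying party stores only the public key, and login is a challenge-response in which the relying-party ID is bound into the signed message so a response for one service cannot be replayed to another.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"encoding/hex"
	"fmt"
)

// Authenticator models the user's device. It holds one private key per
// relying party (RP), keyed by RP ID, and never exports any of them.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: make(map[string]*ecdsa.PrivateKey)}
}

// Register mints a fresh P-256 key pair for rpID and returns only the public half.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[rpID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge from rpID. The RP ID is bound into the signed
// message so a response produced for one RP cannot be replayed to another.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", rpID)
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(rpID, challenge))
}

// signedDigest is the message both sides hash: RP ID, a separator, then the challenge.
func signedDigest(rpID string, challenge []byte) []byte {
	d := sha256.Sum256(append([]byte(rpID+"\x00"), challenge...))
	return d[:]
}

// RelyingParty models a server. Its user table holds public keys only, so a
// dump of it gives an attacker nothing that can be replayed as a credential.
type RelyingParty struct {
	ID      string
	pubKeys map[string]*ecdsa.PublicKey // username -> registered public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: make(map[string]*ecdsa.PublicKey)}
}

func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubKeys[user] = pub }

// NewChallenge returns 32 random bytes; a fresh one per login defeats replay.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	_, err := rand.Read(c)
	return c, err
}

// Verify checks that sig is a valid signature over (rp.ID, challenge) under
// the public key enrolled for user.
func (rp *RelyingParty) Verify(user string, challenge, sig []byte) bool {
	pub, ok := rp.pubKeys[user]
	if !ok {
		return false
	}
	return ecdsa.VerifyASN1(pub, signedDigest(rp.ID, challenge), sig)
}

// Fingerprint gives a short stable ID for a public key; used only to show
// that two RPs hold unrelated keys for the same person.
func Fingerprint(pub *ecdsa.PublicKey) string {
	der, err := x509.MarshalPKIXPublicKey(pub)
	if err != nil {
		panic(err)
	}
	sum := sha256.Sum256(der)
	return hex.EncodeToString(sum[:8])
}

func main() {
	auth := NewAuthenticator()
	bank := NewRelyingParty("bank.example") // hypothetical RP IDs
	shop := NewRelyingParty("shop.example")

	pubBank, _ := auth.Register(bank.ID)
	pubShop, _ := auth.Register(shop.ID)
	bank.Enroll("alice", pubBank)
	shop.Enroll("alice", pubShop)

	ch, _ := bank.NewChallenge()
	sig, _ := auth.Sign(bank.ID, ch)
	fmt.Println("bank accepts alice's response:", bank.Verify("alice", ch, sig))
	fmt.Println("shop accepts the same response (replay):", shop.Verify("alice", ch, sig))
	fmt.Println("bank key:", Fingerprint(pubBank), " shop key:", Fingerprint(pubShop))
}
```

Two things are worth noticing when running it. An attacker who steals the bank's entire user table gets only public keys and can still not produce a valid signature for any challenge, which is the breach-resistance point of the section. And because each registration is an independent key pair, the fingerprints the bank and the shop hold for the same person are unrelated, so neither can tell that it is the same user, which is the unlinkability point of the Privacy section. Real FIDO authenticators add attestation of the device model at registration and a signature counter to detect cloned keys; both are omitted here.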

Results

In the five years since the Alliance began, we have seen remarkable progress. Businesses have seen the cost of authentication go down significantly without compromising security. One financial institution reported savings of almost $3 million per year. Others report a 60% decrease in password-reset requests. Multiple organizations have praised how quickly this new architecture has been able to incorporate new technology like Apple Face ID. And we are just getting started. The mission that Nok Nok started 5 years ago, to transform authentication for the modern computing ecosystem, is being realized, and there are great things ahead.

* * *

If you would like to know more about Nok Nok's work with Ericsson, please download our Ericsson case study.