Go Fetch, FIDO2! Is a Passwordless Future on the Horizon?

By: Zach Melnick, Director of Software Engineering Solutions

If the joke above didn’t land, don’t worry. You are in good company. But hopefully that won’t last long. If you have not heard of FIDO2 or the FIDO Alliance, know that they are quietly making big waves in how people sign in to accounts online. Someday soon, you will be looking to implement a FIDO server of your own.

FIDO, or Fast Identity Online, is an alliance of tech companies looking to move us towards a password-less future. And if this sounds like some farfetched scheme, it’s not. The World Wide Web Consortium (W3C), which oversees web standards, adopted FIDO2 as the basis for the Web Authentication (WebAuthn) standard published back in 2016, and support has since quietly been rolled out into every major browser. Support for the standard has slowly and quietly made its way into every device you probably use to connect to the internet. Android, Windows, and Apple devices all support it.

The force driving all these companies to build support for FIDO2 (and eventually you too) is security and convenience. FIDO2 uses public key cryptography to remove any need to supply usernames and passwords. Registering for a website, as well as logging in, can be little more effort for the user than passing a Face ID or Windows Hello check. During registration the user’s device supplies a public key, built on the same technology used to encrypt messages on the internet and to validate the authenticity of the websites you visit, and the website associates it with an account. Later, the server issues a challenge; proving possession of the matching private key by signing that challenge authenticates the user and logs them in. No more passwords to store, lose, or even type.
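The challenge-response step just described, reduced to the checks a FIDO2/WebAuthn server makes on a login assertion. This is an added illustration in Go, not code from this post or from any FIDO server product: the authenticator is simulated with a fresh Ed25519 key pair (WebAuthn's EdDSA option; the more common ES256 path applies ECDSA to the same message instead), and the rpId `example.com`, origin `https://example.com` and challenge string are constructed sample values.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

// authData builds a minimal WebAuthn authenticatorData: SHA-256(rpId) || flags || big-endian signCount.
func authData(rpID string, flags byte, count uint32) []byte {
	h := sha256.Sum256([]byte(rpID))
	return binary.BigEndian.AppendUint32(append(h[:], flags), count)
}

// signedMessage is what the authenticator signs and the server verifies: authenticatorData || SHA-256(clientDataJSON).
func signedMessage(ad, cdj []byte) []byte {
	cdHash := sha256.Sum256(cdj)
	return append(append([]byte{}, ad...), cdHash[:]...)
}

// verifyAssertion is the server-side check of a login response (clientDataJSON parsed into a map); on success it returns the sign count to store.
func verifyAssertion(pub ed25519.PublicKey, rpID, origin, challenge string, ad, cdj, sig []byte, lastCount uint32) (uint32, error) {
	if cd := map[string]any{}; json.Unmarshal(cdj, &cd) != nil || cd["type"] != "webauthn.get" || cd["challenge"] != challenge || cd["origin"] != origin {
		return 0, errors.New("clientDataJSON rejected: unparsable, wrong type, stale challenge or unexpected origin")
	}
	rpHash := sha256.Sum256([]byte(rpID))
	if len(ad) < 37 || string(ad[:32]) != string(rpHash[:]) || ad[32]&0x01 == 0 {
		return 0, errors.New("authenticatorData rejected: malformed, for another rpId, or user presence (UP) not set")
	}
	if n := binary.BigEndian.Uint32(ad[33:37]); (n != 0 || lastCount != 0) && n <= lastCount {
		return 0, errors.New("sign count did not increase: replayed assertion or cloned authenticator")
	}
	if !ed25519.Verify(pub, signedMessage(ad, cdj), sig) {
		return 0, errors.New("signature does not verify against the registered public key")
	}
	return binary.BigEndian.Uint32(ad[33:37]), nil
}

func main() { // constructed demo: a fresh Ed25519 key pair stands in for a registered authenticator
	pub, priv, _ := ed25519.GenerateKey(rand.Reader)
	cdj := []byte(`{"type":"webauthn.get","challenge":"demo-challenge","origin":"https://example.com"}`)
	ad := authData("example.com", 0x01, 7) // flags 0x01 = user present; counter 7, server last stored 6
	sig := ed25519.Sign(priv, signedMessage(ad, cdj))
	_, err := verifyAssertion(pub, "example.com", "https://example.com", "demo-challenge", ad, cdj, sig, 6)
	fmt.Println("assertion accepted:", err == nil)
}
```

A real server also binds the challenge to the session that requested it and looks up the public key by the credential id in the response; those lookups are left out here.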

Your userbase likely won’t have to learn anything new either. Login with biometrics has been around for a while and people are comfortable with it. The FIDO2 solution is also about to get a huge push from Apple through new support for passkeys in its next operating system releases. Passkeys are multi-device FIDO credentials that let several of a user’s devices share a single login key pair.

With support from web browsers and operating systems, and a new push from giants like Apple, we can expect quick changes to many login experiences across the web in short order. But support from these companies won’t do the work for you. To participate in this new world, your website or service needs to deploy a FIDO2 solution and server.

So that’s today’s Tech Tip! Go fetch yourself a FIDO2 implementation and watch as you improve your users’ experience while improving your security posture. Be prepared to wow your bosses with what you have accomplished.
