What About FIDO?

FIDO (“Fast Identity Online”) and the FIDO Alliance are a recent effort to address the same issues with passwords and end-user credentials described earlier.  Given the failure of TLS, digital certificates and Certificate Authorities, it seems that another solution was necessary to address the problems with passwords.

However, while FIDO uses asymmetric cryptography to replace passwords, it avoids the governance provided by a Certificate Authority.  This and other design decisions create governance issues with FIDO credentials:

  • FIDO has one public/private key pair for each Web site accessed by the subscriber.  This approach replaces user IDs and passwords for each Web site with an asymmetric key pair for each Web site.  While a significant improvement over passwords and a defense against phishing, this approach does not address the issue of credential proliferation.   Rather than having many passwords to manage, an end user has many key pairs to manage. That means if a key ring is lost or stolen, the end user has to reach out to each and every Web site to disable that key pair and create a replacement.  An X.509 solution as described earlier allows a single credential to be used across multiple Web sites, and if that single credential is lost or stolen, it can be revoked and replaced once.

  • FIDO does not have a real-time validation solution where SaaS vendors validate a credential at logon.  As a result, if FIDO credentials are stolen, they can be used until the owner contacts each SaaS site to revoke them.  X.509 technologies include a real-time validation service called the “Online Certificate Status Protocol” (OCSP), which allows a SaaS vendor to validate each credential at logon.  This technology is typically available as part of the Apache Web server by default.

  • FIDO recommends the use of biometrics to access the public/private key pairs.  Requiring a biometric to access the keys limits their use to devices that support biometric solutions.  X.509 technologies are embedded in standard Web browsers. In a corporate environment with physical and logical security protecting employees’ computers, digital certificates could still be used to address the password issues without the overhead of additional biometric devices.

  • FIDO credentials are typically managed by the end user: end users create their key pairs and associate them with the SaaS services they use.  This approach does not easily support delegated administration of the credentials in a B2B environment. As a result, from an employee and employer perspective, FIDO credentials are still unmanaged: they are created and managed by the employee.  As discussed earlier, X.509 technologies allow for delegation and governance. In a corporate environment, the employer can issue and manage credentials for its employees, including revoking them when an employee leaves the firm. This is a significant improvement over credentials today, including FIDO, and allows corporations to manage their employees’ SaaS access just as they manage their employees’ corporate credit cards.

In addition, new technologies need to be deployed to support FIDO, including enhancements to Web browsers to support the FIDO keys and protocol as well as enhancements to Web sites to accept the FIDO protocol.  While FIDO is a significant improvement over passwords, these functional gaps and the implementation overhead may be significant obstacles to widespread deployment. By comparison, X.509 digital certificates and TLS have been part of standard Web browsers and servers for over 20 years.
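As an added illustration (not code from the original article), the logon-time check a SaaS site would run in the X.509 model argued for in the second and fourth points above: the employer issues one certificate per employee, revokes it in one place, and every site that validates against the employer's CA rejects it from then on. Go's standard library has no OCSP client, so a CA-signed CRL is assumed here as the status source in place of the OCSP responder; the CA name, employee names and serial numbers are all constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/x509"
	"crypto/x509/pkix"
	"math/big"
	"time"
)

// NewCert issues an ECDSA certificate for this constructed test PKI; a nil parent yields a self-signed CA.
func NewCert(serial int64, cn string, isCA bool, parent *x509.Certificate, signer *ecdsa.PrivateKey) (*x509.Certificate, *ecdsa.PrivateKey) {
	key, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	ku := x509.KeyUsageDigitalSignature
	if isCA { ku = x509.KeyUsageCertSign | x509.KeyUsageCRLSign } // the CA must be allowed to sign revocation data
	tmpl := &x509.Certificate{SerialNumber: big.NewInt(serial), Subject: pkix.Name{CommonName: cn},
		NotBefore: time.Now().Add(-time.Hour), NotAfter: time.Now().Add(24 * time.Hour),
		IsCA: isCA, BasicConstraintsValid: true, KeyUsage: ku, ExtKeyUsage: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if parent == nil { parent, signer = tmpl, key } // self-signed root
	der, err := x509.CreateCertificate(rand.Reader, tmpl, parent, &key.PublicKey, signer)
	if err != nil { panic(err) }
	cert, _ := x509.ParseCertificate(der)
	return cert, key
}

// SignCRL is the employer's single revocation action: a signed list of revoked serials (a CRL stands in for the OCSP responder).
func SignCRL(ca *x509.Certificate, caKey *ecdsa.PrivateKey, revoked ...*big.Int) []byte {
	var entries []pkix.RevokedCertificate
	for _, s := range revoked { entries = append(entries, pkix.RevokedCertificate{SerialNumber: s, RevocationTime: time.Now()}) }
	tmpl := &x509.RevocationList{Number: big.NewInt(int64(len(entries) + 1)), ThisUpdate: time.Now(),
		NextUpdate: time.Now().Add(time.Hour), RevokedCertificates: entries}
	der, err := x509.CreateRevocationList(rand.Reader, tmpl, ca, caKey)
	if err != nil { panic(err) }
	return der
}

// LogonAllowed is what each SaaS site runs at logon: chain the presented certificate to the corporate CA, then consult the CA's current revocation data, failing closed if that data is unsigned, forged or stale.
func LogonAllowed(ca, presented *x509.Certificate, crlDER []byte) bool {
	roots := x509.NewCertPool(); roots.AddCert(ca)
	opts := x509.VerifyOptions{Roots: roots, KeyUsages: []x509.ExtKeyUsage{x509.ExtKeyUsageClientAuth}}
	if _, err := presented.Verify(opts); err != nil { return false } // not issued by the employer
	crl, err := x509.ParseRevocationList(crlDER)
	if err != nil || crl.CheckSignatureFrom(ca) != nil || time.Now().After(crl.NextUpdate) { return false }
	for _, r := range crl.RevokedCertificates {
		if r.SerialNumber.Cmp(presented.SerialNumber) == 0 { return false } // revoked once, denied at every site
	}
	return true
}
```

The same CRL is handed to every site, so one revocation by the employer takes effect everywhere at the next logon, which is the contrast with the per-site deregistration the FIDO model requires.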