Tech industry leaders ship FIDO2 certified solutions to reduce password use on the web
FIDO2 browser support and first certified products are now available to reduce password use on the web, the FIDO Alliance announced. Now, any website can leverage FIDO2 strong authentication protocols from the W3C and FIDO Alliance to replace passwords with cryptographically secure logins using convenient alternatives like on-device biometrics and FIDO Security Keys.
Google Chrome, Microsoft Edge and Mozilla Firefox browsers now support FIDO2, a big advancement since the standards were introduced last April. Between this support and newly certified products supporting a wide variety of use cases, service providers have all of the tools needed to roll out FIDO Authentication for their websites and applications. FIDO Authentication has been proven to protect against the phishing and security risks associated with passwords, provide better user experiences over remembering and typing passwords and lower authentication support costs.
“With FIDO2, the tech industry has, for the first time, established a technology standard for strong, phishing-resistant authentication on the web that promises better security and a better user experience. These announcements today of certified products and leading web browser support deliver on that promise by bringing these new capabilities to market,” said Brett McDowell, executive director of the FIDO Alliance.
“Any web application — consumer or enterprise, mobile or desktop — can now be enabled to take advantage of these innovations at internet scale with the full confidence that comes from an independent certification program designed and governed by their peers.”
Organisations that have achieved FIDO2 certification for security key and biometric authenticators, clients and servers include: CROSSCERT: KECA (Korea Electronic Certification Authority); Dream Security Co., Ltd. Korea; ETRI; eWBM Co., Ltd.; IBM; Infineon Technologies; INITECH Co., Ltd.; Nok Nok Labs (Universal Server); OneSpan; Raonsecure; Samsung SDS; Singular Key; Whykeykey Inc.;Yahoo Japan Corporation; Yubico.
Products are certified for FIDO2 by the FIDO Alliance to ensure compliance with the specifications, as well as interoperability among FIDO products. Today’s announcement also includes the first certified FIDO Universal Server, which a service provider can use to ensure compatibility with authenticators based on all FIDO specifications (FIDO UAF, FIDO U2F and FIDO2).
FIDO2 is comprised of the W3C’s Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance. Collectively, these standards enable users to leverage common devices to more easily authenticate to online services through mobile and desktop browsers.
FIDO2 supports a variety of authentication use cases and experiences, including passwordless, second-factor and multifactor for the highest levels of assurance. Password-only logins can now be replaced with easy user gestures using embedded biometrics (facial recognition, iris scan, fingerprint swipe) and/or portable security keys.
These simple user experiences are backed by strong cryptographic security that is transparent to the user and protects against phishing, man-in-the-middle and attacks using stolen credentials. FIDO2 web browsers and online services are also fully backward compatible with all previously certified FIDO U2F Security Keys.
The FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance aims to change the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, more private, and easier to use when authenticating to online services.
According to IBM Security’s senior technical staff member, Shane Weeden, “IBM’s strong and alternative-to-password authentication strategy will benefit significantly from the WebAuthn and FIDO2 standards. These specifications bring convenient, frictionless strong authentication services to the mainstream web with consumer privacy as a primary consideration.”
Joerg Borchert, VP of Chip Card and Security at Infineon Technologies, adds, “We are very happy to provide the industry’s first FIDO2 certified Reference Design based on the SLE78 single-chip solution. Infineon’s reference design serves as development kit for fast and low risk FIDO2 USB and USB/NFC token designs prepared to reach highest security levels. Certification according to the specifications of the FIDO2 standard increases interoperability of the token and reduces production and support costs on the manufacturer side.”