Dr Bernd Zwattendorfer & Navneeta Deo
Infineon Technologies

Electronic IDs (eIDs) are typically the means of choice for securing online identification and authentication processes in data-sensitive areas of application, mainly driven by governments for their electronic services.

However, even though they have been deployed in the field for many years, eIDs still lack broad applicability and wide user acceptance for accessing online services.

A new, industry-driven approach is trying to overcome these shortcomings: FIDO (Fast Identity Online).

Will FIDO replace electronic IDs or will both approaches co-exist?

In the following, we elaborate the basic idea and functionality of FIDO and draw a comparison to traditional eIDs to answer this question.

What is FIDO?

Many online services, irrespective of the area of application (for example, e-commerce, social networks, e-government), require proper user authentication before data processing.

Currently, the dominant user authentication mechanism on the web is still the username/password scheme, although its weaknesses have been known for a long time.

The security of passwords gets even worse when users choose a passphrase, which can easily be guessed.

For instance, up to 2017 the strings ‘123456’ and ‘password’ remained the most commonly used passwords, and weak or stolen passwords were involved in up to 81% of hacking-related breaches [1].

Passwords are simply one knowledge-based authentication factor.

The strength heavily depends on the combination of characters; however, users tend to select combinations that are easy to remember.

A step ahead of classic username/password, one-time passwords gained popularity as a second authentication factor providing higher security.

Although one-time passwords address the problem of weak passwords, the problem of phishing attacks remains unsolved.

Regardless of whether normal or one-time passwords are entered into a phishing site, the user’s login credentials are revealed and can be stolen all the same.

So how can this problem be combated?

The simple answer has four letters: FIDO.

FIDO is a set of open standards developed by the FIDO Alliance [2] and forms the world’s largest ecosystem for interoperable, strong authentication.

The FIDO Alliance is an open industry association with more than 40 industry members; it was launched in 2013.

In general, FIDO’s aim and vision can be summarised as follows:

  • Go for stronger (multi-factor) authentication
  • Ease of use
  • Privacy protection
  • Open standard

How FIDO works

FIDO’s main goal is to enhance the security of online authentication processes.

The basic idea is that users first authenticate locally, to their client device or to the authenticator itself (for example with a PIN or fingerprint), and then authenticate to a remote server (the relying party) using the FIDO authentication protocol.

The following illustrates the basic architectural concept of FIDO:

Figure 1: FIDO authentication [3]

The core component of the FIDO architecture is the so-called FIDO authenticator, a cryptographically enabled device that supports secured key generation, secured key storage, and secured signature creation.

A FIDO authenticator can be either built into the client device (on-device or platform authenticator) or external to the client device (external or roaming authenticator).

Typical examples for platform authenticators are fingerprint readers embedded into a laptop or mobile phone.

Typical examples for external authenticators are USB tokens or contactless smart cards.

Platform authenticators can only be used on the device they are built into, whereas external authenticators can be used with multiple devices.

In other words, FIDO authenticators are security tokens or devices that are used to securely authenticate at FIDO-enabled relying parties.

Communication to an external authenticator can be carried out using different transport protocols, currently the communication via USB (Universal Serial Bus), NFC (Near Field Communication), and BLE (Bluetooth Low Energy) is standardized by the FIDO alliance.

The protocol between a client device and an external FIDO authenticator is called CTAP (Client-to-Authenticator Protocol) [4], whereas the browser API and the message formats exchanged between the client device and the remote server are specified by WebAuthn (Web Authentication) [5].

So how does a FIDO authentication process actually work?

FIDO works using standard public key cryptography.

There are basically two steps involved: i. Registration, and ii. Authentication.

The precondition for both steps is that an account at the remote server has already been created.

Examples for well-known services and accounts that support FIDO are Facebook, Gmail, Dropbox or GitHub. 

No personal information is transferred to the remote server, neither during registration nor during authentication.

Registration

In the registration phase, a FIDO token is bound to the existing account so that subsequent logins become phishing-resistant.

The online service (website) asks the user to register a FIDO token, for example as a second authentication factor.

The FIDO token creates a new public-private key pair and a key handle for this particular online service; the key pair is scoped to the service’s origin (its relying party identifier) and is never reused for another service.

The public key and the key handle are transferred to the online service; the private key never leaves the token.

The key handle (called credential ID in WebAuthn) is an identifier for this specific key pair. With many U2F-style tokens it also contains the private key, wrapped under a device-internal key, so the token itself does not need per-account storage.

The public key is stored at the online service as the trust anchor for verifying FIDO authentications.

Authentication

In the authentication phase, the online service sends the stored key handle together with a fresh random challenge to the client; the browser adds the origin it is actually talking to and forwards both to the FIDO token.

If the key handle matches a key pair for this origin, the FIDO token signs the challenge together with the origin data and returns the signature to the online service.

The online service verifies the signature with the stored public key and checks that the challenge and origin are its own; if all checks pass, authentication is completed and the user is logged in. Because the origin is part of the signed data, a signature obtained through a phishing site does not verify at the genuine service, and because the challenge is fresh, a captured signature cannot be replayed.

A FIDO token can create any number of key pairs, so one token can serve many accounts and services; each service sees only its own public key.

FIDO versus eID

Identity describes the distinct and unambiguous properties and characteristics of a person.

By these properties and characteristics, the person can be distinguished from others.

For instance, such characteristics are name, gender, or the colour of hair and eyes.

The term identity plays an important role both in real life and in the online world.

It is used in every situation where proof of being a particular person, or of having specific attributes or properties, is required.

In many situations proof of identity is essential, for example by showing an electronic passport or an electronic ID card when entering another country.

Distinguishing an identity from others, or proving an identity, is usually based on the processes of identification, authentication, and authorisation.

During an identification process, a person merely claims a specific identity, for example by stating a name or by presenting a username in an online login scenario.

The process of proving a claimed identity is called authentication, usually by presenting one or more credentials based on one or several authentication factors.

A typical example for authentication is the presentation of a password at an online login form.

Finally, identification and authentication are typically followed by an authorisation process, in which particular rights or permissions are assigned to the verified identity, for example access to a certain user profile.

Identifying a citizen is crucial in most interactions with public authorities. Within Europe in particular, the eIDAS (Electronic Identification, Authentication and Trust Services) regulation [6] sets out specifications and procedures for electronic identification and authentication means.

Within the governmental or business sector, eIDs are actually the means of choice for securing online identification and authentication when strong data security is required.

In other words, they provide both the identity attributes and proof of their authenticity.

In contrast to that, FIDO targets the process of authentication only.

Hence, FIDO tokens are privacy-protecting: they reveal no personal identifying attribute, and the only thing a service learns is a public authentication key that was generated for that service alone and therefore cannot be used to link the user across different services.

Identity attributes of an account protected by a FIDO token are stored on the server side; FIDO only provides protected access to them.

No personal information is transferred between a FIDO token and an online server, as opposed to eIDs, where personal information is stored on the card and transmitted during the authentication process.

The following illustrates the difference of eIDs and FIDO in relationship to identification, authentication, and authorisation:

Figure 2: Identification, Authentication, Authorisation

FIDO and traditional eIDs have similarities but also differences. In the following, we elaborate a comparison based on different factors.

Identification
  • eID: eIDs typically store personal information such as name or date of birth directly on the smart card. During an identification process, these data are transferred to the verifying entity once the user releases them.
  • FIDO: FIDO tokens store no personal information, only key pairs. FIDO provides no mechanism for personally identifying a user by means of a FIDO token.

Authentication
  • eID: Personal data stored on an eID are typically electronically signed by a trusted authority, which allows the verifier to check the authenticity of the data. Furthermore, citizens usually prove legitimate possession of the eID with a PIN code or fingerprint, which also triggers the authentication process.
  • FIDO: FIDO authentication is based on creating a signature with the authentication key pair. Authenticators offer different mechanisms for triggering the authentication, for example pressing a button, entering a PIN (Personal Identification Number), or presenting a fingerprint.

Authorisation
  • eID and FIDO: Authorisation is usually a subsequent step after successful identification and authentication, assigning rights or permissions to a verified identity. It is mainly covered by identity and access management systems and is independent of the underlying identification and authentication approach. Hence, both eIDs and FIDO tokens can support authorisation.

Implementation
  • eID: eIDs are typically contactless smart cards. However, other implementations such as server-based solutions exist, targeting the online identification and authentication use case only.
  • FIDO: FIDO supports platform authenticators (for example, a fingerprint sensor embedded in a mobile phone or laptop) and external authenticators (NFC-, BLE-, or USB-enabled tokens).

Infrastructure
  • eID: eIDs require the set-up of a complex PKI (Public Key Infrastructure). Each user is issued a digital certificate by a certificate authority, and the certificates have to be maintained and managed in a proper directory. Finally, eID tokens need to be personalised, which requires a thorough enrolment process to establish the strong binding between a user and an eID.
  • FIDO: FIDO does not require a PKI. Authentication key pairs are generated on the token during registration; only the public key is stored at the FIDO-enabled service provider, while the private key never leaves the token. FIDO tokens store no personal information, so the binding between a user account and a FIDO token is up to the user, with no trusted third party in between.

Standardisation
  • eID: The landscape of eID implementations is heterogeneous; no common international standard exists. Some eID implementations rely on standards using electronic signatures, TLS (Transport Layer Security) client authentication, or the eIDAS token specification, which uses the EACv2 (Extended Access Control version 2) protocol for communication between device and server.
  • FIDO: FIDO specifications are freely available and cover the token side, the client side and the server side. A FIDO certification scheme also ensures interoperability between different implementations.

Client Device Support
  • eID: To let an eID interact with a server, a piece of software (middleware) usually has to be installed on the client device, for instance a mobile app, a specific driver, or a browser plug-in. Any change or update of the operating system or browser may in turn require an update of the middleware, so the middleware has to be maintained continuously.
  • FIDO: FIDO needs no additional software on the client device. It is supported out of the box by nearly all mobile and desktop operating systems and web browsers, and updates arrive through the standard update mechanisms of the operating system and browser vendors.

Open Source
  • eID: Open source implementations of middleware or server-side components are the exception rather than the rule.
  • FIDO: FIDO is already well established in the market, and several industry players offer open source components, especially for server-side integration.

Ease of use
  • eID: eIDs require the end user to install software components, which can be a cumbersome task for non-technical users.
  • FIDO: FIDO provides easy-to-use strong authentication through direct browser and client support, without any external software installation.

Security Certification
  • eID: eIDs are typically security-evaluated according to Common Criteria (CC) [7], assuring that a defined set of security requirements is met by the eID. CC evaluations are well established in the market as an indicator of high resistance against attacks. Evaluation assurance levels EAL4+, EAL5+, and EAL6+ are currently state of the art for eIDs.
  • FIDO: The FIDO Alliance has established its own certification programme, with functional and security evaluation to validate product conformance and interoperability. FIDO security certification levels range from L1 and L1+ up to L3 and L3+, the highest levels covering defence against highly sophisticated attacks. A mapping between FIDO certification levels and CC EALs exists, which reduces the time, effort and cost of certification.

 

Areas of applicability

FIDO can be adopted in different application areas, essentially everywhere strong user authentication is required. In the following, selected markets are briefly examined for their applicability to FIDO.

Government

Government representatives such as the German BSI (Federal Office for Information Security), NIST (National Institute of Standards and Technology), or the UK Cabinet Office are active participants in the FIDO alliance.

This can be interpreted as an indicator for the importance of FIDO also in the public sector.

According to the German BSI, smart cards with FIDO have the same high assurance level for authentication as traditional eID cards following the eIDAS level of assurance classification [8].

Hence, FIDO tokens can be used as an alternative for authentication at governmental online services, when no explicit identification process is required.

Enterprise

Enterprises usually process sensitive data they need to protect.

Commonly and widely used are still username/password authentication mechanisms, which require strict but cumbersome password policies.

Enterprises can use a FIDO token for secured desktop login but also for protecting their online services with secured two- or multi-factor authentication processes.

For setup, neither a middleware installation on the client device is required nor the set-up of a complex PKI.

Payment

Within the payment domain, the European Payment Services Directive (PSD2) [9] currently receives a lot of attention.

The EU’s PSD2 requires strong customer authentication (SCA) from payment service providers (PSPs).

Under PSD2, strong customer authentication means authentication based on two or more independent factors (knowledge, possession, inherence).

FIDO can be used to fulfil this requirement: the token covers possession, and the PIN or fingerprint that unlocks it covers knowledge or inherence.

FIDO could be an easy-to-use, hardware-based alternative to the two-app approach (a banking app plus a separate authentication app on the mobile device) currently adopted by many banks.

In addition, FIDO could be also used to secure online payment transactions.

Healthcare

Health data are considered as very sensitive data and thus require strong protection.

Currently, personal health data are typically not provided remotely to patients.

By having FIDO as strong authentication mechanism, secured remote access to personal health data could be provided.

Moreover, FIDO could also be used for terminal/device access (log-on) in health care organisations such as hospitals.

Conclusion

Although FIDO has been driving the enhancement of secured online authentication for several years, the big breakthrough and wide adoption have unfortunately not yet been reached.

However, FIDO is set to get a new boost in the near future.

One indicator is the increasing FIDO support by the big platform vendors (for example Microsoft and Google’s Android) and browser vendors (for example Chrome and Firefox), especially backed by Apple’s announcement of opening the NFC interface for security services in the latest iOS 13.x version.

Another indicator is the growing awareness among enterprises and end users of the damage done by identity theft and data breaches, which secured FIDO authentication can help to prevent.

Furthermore, FIDO can help to reduce the number of different passwords users typically have to cope with when accessing different online services.

Many eID solutions have already been rolled out in the field for securing online authentication, but they still lack acceptance due to their complexity, for example the need to install middleware.

FIDO can help here with its easy-to-use approach, the absence of client-side software installation, and strong out-of-the-box support by platform and browser vendors.

FIDO tokens will not substitute traditional eID cards.

Rather, they will provide an easy-to-use option for online authentication without installing complex client software, while providing the same level of assurance for authentication [8].

FIDO tokens and eIDs will rather go hand in hand.

For secured identification, eIDs should remain the means of choice.

For secured authentication, FIDO could act as proper alternative.

Combining both, a traditional eID can be used for identification and account enrolment (a one-time event) with high identity assurance, and a FIDO token subsequently for day-to-day high-assurance authentication.

Finally, the eID can also serve for account recovery if the FIDO token is lost.

MORE ABOUT THE AUTHORS

Dr Bernd Zwattendorfer is a technical marketing manager in Infineon Technologies’ identity solutions product line. He is responsible for various technical topics in the field of electronic identity, authentication, and electronic signatures. His scope includes driving strategic ID topics and new applications, particularly from a system perspective.

Navneeta Deo is working as a Technical Marketing Specialist at Infineon Technologies. She is responsible for driving various topics in the security space such as FIDO, secure payment with NFC Forum tags, new and innovative NFC tag applications etc.

References

[1] Verizon, “Data Breach Investigation Report”, 2019.

[2] The FIDO Alliance

[3] Rolf Lindemann, Nok Nok Labs, “Technical principles of FIDO authentication”, 2019.

[4] Client to Authenticator Protocol (CTAP), Proposed Standard, January 30, 2019.

[5] Web Authentication: An API for accessing Public Key Credentials Level 1, W3C Recommendation, 4 March 2019.

[6] EU Regulation (EU) No 910/2014 of the European Parliament and of the Council of 23 July 2014 on electronic identification and trust services for electronic transactions in the internal market and repealing Directive 1999/93/EC (‘eIDAS Regulation’)

[7] Common Criteria

[8] Federal Office for Information Security (BSI), Technical Guideline TR-03159: Mobile Identities, 2019.

[9] Directive (EU) 2015/2366 of the European Parliament and of the Council of 25 November 2015 on payment services in the internal market, amending Directives 2002/65/EC, 2009/110/EC and 2013/36/EU and Regulation (EU) No 1093/2010, and repealing Directive 2007/64/EC

Keesing Technologies
