By Jeremiah Mason, SVP, Product, authID.ai
On May 5, World Password Day, the FIDO Alliance and three tech giants – Microsoft, Apple and Google – announced plans to expand their support for a common passwordless sign-in standard created by the FIDO Alliance and the World Wide Web Consortium. FIDO is the acronym for “fast identity online.” As part of today’s news, expanded standards-based capabilities as well as Microsoft, Google and Apple platform implementations will give websites and apps the ability to offer a multi-device passwordless option.
Core to FIDO’s mission is “changing the nature of authentication.” FIDO’s authentication standard enables password-only logins to be replaced with secure and fast passwordless login experiences across websites and apps. FIDO2 is the overarching term for FIDO’s set of specifications, which enables users to leverage common devices to easily authenticate to online services in both mobile and desktop environments. With previous versions of FIDO’s standards, users would need to enroll every device that they logged in from with FIDO. They could not re-use credentials from another device. The new features solve the need to re-enroll on every device the user leverages.
FIDO announced today that they have developed a process to offer portability between devices whereby users can log into online accounts with their faces, fingerprints, and PIN codes immediately, across devices and even on brand-new devices. Now, with Apple, Google, and Microsoft building passwordless support into their respective platforms, it appears users will be able to set up FIDO across multiple devices, provided the original device is nearby.
While FIDO’s news does offer enhanced usability, FIDO passwordless solutions still have shortcomings including:
- During device registration current FIDO2 passwordless solutions do not verify the identity of the true account owner, rather they assume the person holding/registering the device is the account owner.
- A device can hold multiple authenticated users (a husband and wife, a child) but the enterprise has no record of which device-authenticated user authorized login or a transaction.
- Registration of a second FIDO2 device requires possession of the original FIDO-registered device in close proximity to the second device – thus limiting portability.
- These standards still require new software from the Big 3 tech giants to be released in the marketplace.
All of these weaknesses help fraudsters bypass security protocols and also can create customer dissatisfaction that can lead to account and transaction abandonment. FIDO2 is still vulnerable to first- and second-party fraud, as it does NOT identify the user and the enterprise does not know ‘who’s behind that device’. Yes, my kids can open my phone with my PIN code, and order age-restricted goods. But does the vendor really know ‘who’ made that purchase? Can I dispute that purchase? In short – device authentication simply does not provide a definitive audit trail of “WHO” made a purchase, or “WHO” transferred funds.
At authID, our vision is to help organizations move away from device-only authentication to more secure, cloud-based biometric authentication coupled with FIDO2 authentication. With a patent-pending method, authID takes passwordless security to another level by binding a biometrically confirmed identity with the registration of a FIDO2 token on a device. With a quick scan of an identity document and a selfie, Verified biometrically verifies the true account owner at registration, to establish a digital chain of trust between a user, their account, and their devices.
Furthermore, when there’s a need to step up – the preferred authentication method should also be based on Something You Are – your biometrics. Why Biometrics? Because biometrics eliminates any assumptions of ‘who’ performed a transaction. Biometrics validates the identity of the user and verifies the true account owner whenever increased assurance is needed.
Our patented step-up authentication provides critical tools to organizations that are fighting fraud and need auditable records to help dispute increasing rates of friendly fraud. Verified combines an account holder’s explicit consent for a transaction along with a Verified selfie and biometric identity authentication. Verified secures that consent with a unique digital signature, thereby creating an unchallengeable audit trail for all parties.
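As an added illustration of the audit-trail idea in the two paragraphs above (this is example code written for this page, not authID's product code and not part of the FIDO2 specification), the snippet below shows how an enterprise could bind an identity-verified subject, the FIDO2 credential used for login, and the transaction details into one consent record, sign it, and later detect any alteration. The record fields, the `subject_id` value and the use of ECDSA P-256 over SHA-256 are assumptions chosen for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/json"
	"fmt"
	"time"
)

// ConsentRecord is a hypothetical audit record (field names are assumptions)
// that ties the identity-verified account owner to the device credential and
// the transaction they explicitly approved.
type ConsentRecord struct {
	SubjectID     string `json:"subject_id"`     // identity-verified account owner
	CredentialID  string `json:"credential_id"`  // FIDO2 credential id used at login
	TransactionID string `json:"transaction_id"` // enterprise transaction reference
	Amount        string `json:"amount"`         // string avoids float canonicalization drift
	Currency      string `json:"currency"`
	ApprovedAt    string `json:"approved_at"` // RFC3339 UTC timestamp of the consent
}

// SignedConsent is the record plus an ASN.1 ECDSA signature over its canonical bytes.
type SignedConsent struct {
	Record    ConsentRecord
	Signature []byte
}

// canonical serializes the record deterministically: Go encodes struct fields
// in declaration order, so the same record always yields the same bytes.
func canonical(r ConsentRecord) ([]byte, error) {
	return json.Marshal(r)
}

// Sign hashes the canonical record and signs the digest with the enterprise's
// consent-signing key.
func Sign(priv *ecdsa.PrivateKey, r ConsentRecord) (SignedConsent, error) {
	b, err := canonical(r)
	if err != nil {
		return SignedConsent{}, err
	}
	digest := sha256.Sum256(b)
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return SignedConsent{}, err
	}
	return SignedConsent{Record: r, Signature: sig}, nil
}

// Verify recomputes the digest from the stored record and checks the signature.
// Any change to a field (amount, subject, credential) makes this return false,
// which is what gives the record its value in a later dispute.
func Verify(pub *ecdsa.PublicKey, sc SignedConsent) bool {
	b, err := canonical(sc.Record)
	if err != nil {
		return false
	}
	digest := sha256.Sum256(b)
	return ecdsa.VerifyASN1(pub, digest[:], sc.Signature)
}

// SampleRecord returns a constructed record used for demonstration only.
func SampleRecord() ConsentRecord {
	return ConsentRecord{
		SubjectID:     "idv-subject-0001",      // constructed value
		CredentialID:  "fido-cred-abc123",      // constructed value
		TransactionID: "txn-2022-05-05-000042", // constructed value
		Amount:        "250.00",
		Currency:      "USD",
		ApprovedAt:    time.Date(2022, 5, 5, 12, 0, 0, 0, time.UTC).Format(time.RFC3339),
	}
}

func main() {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	sc, err := Sign(priv, SampleRecord())
	if err != nil {
		panic(err)
	}
	fmt.Println("original record verifies:", Verify(&priv.PublicKey, sc))

	// Simulate a later dispute in which the stored amount was altered.
	tampered := sc
	tampered.Record.Amount = "2500.00"
	fmt.Println("tampered record verifies:", Verify(&priv.PublicKey, tampered))
}
```

The point of the example is the binding, not the signature algorithm: a plain FIDO2 assertion proves that a credential on some device signed a challenge, while a record like this one also carries the identity-verified subject and the exact transaction, so the enterprise can later show which verified person approved what.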
We applaud FIDO’s progress to change the nature of authentication by championing a passwordless world. Achieving the reality of this mandate calls for seamless, biometric identity verification to establish trusted identity during device registration. Enterprises should also incorporate secure cloud-based biometric identity authentication to gain high assurance of the user behind the device and an indisputable audit trail for valued transactions.