In late 2009, Ramesh Kesanupalli, at the time CTO of Validity Sensors, visited Michael Barrett, then PayPal’s CISO, to discuss how PayPal.com could use biometrics for identification of online users instead of passwords. Barrett was intrigued by the concept but insisted that the solution be based on some kind of industry standard supporting multiple vendors.
Kesanupalli took him at his word and reached out to his counterparts at other fingerprint sensor companies, as well as large device distributors and industry experts. The discussions led to the basic design insight that a device biometric should be used to unlock a cryptographic key housed on the device. This key would be registered with a server and subsequent authentications would require exhibiting a signature based on the key — thus enabling a passwordless log-in backed purely by local authentication.
This work became the foundation of the FIDO Alliance, which was founded in the summer of 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio. Barrett and Kesanupalli took leadership roles and work on a passwordless authentication protocol began. The Alliance was launched publicly in February 2013.
In April of that same year, the Alliance accepted work on an open, second-factor authentication protocol that Google, Yubico and NXP had been developing. This work shared the basic philosophy of FIDO’s biometric solution in that the second-factor device self-issued a key which was registered with the server. Subsequent authentications were based on a challenge issued by the service and answered using the key that had previously been registered. The key was unlocked by a user presence gesture such as the press of a button. Such second-factor devices were successfully deployed to Google employees as a precursor to publicly publishing the second-factor protocol.
Historically, strong authentication had been tied to a user’s real identity or a central service provider. During development of the second-factor protocol, Jakob Ehrensvard, Yubico’s CTO, also focused on the concept of an authenticator that works across any number of services with no shared secrets. This enabled users to be anonymous and to have multiple yet secure identities, which is foundational to all FIDO standards.
On Dec. 9, 2014, the v1.0 passwordless protocol (called Universal Authentication Framework - UAF) and the second-factor protocol (called Universal 2nd Factor - U2F) were completed and published simultaneously. Production deployments of fully compliant v1.0 devices and servers began in earnest and have grown since.
Following the founding members, many industry leaders in various segments have joined FIDO to advance the vision of device-based, simple, secure authentication designed to eliminate the reliance on passwords. FIDO now includes major software platform vendors, financial relying parties, leading security hardware vendors, top biometric vendors and more.
In 2015, the energy from these new members accelerated FIDO Alliance programs and the growth of the FIDO ecosystem. In May of 2015, the Alliance introduced the FIDO® Certified testing program, and the first FIDO Certified testing sessions were conducted. The Alliance now regularly conducts certification workshops worldwide.
Major advancements in the FIDO ecosystem followed, including the first FIDO Certified iOS products, a line-up of smartphones from the world’s leading OEMs, and support in FIDO 1.0 specifications for contactless transport over Bluetooth and Near Field Communication (NFC). NTT DOCOMO became the first mobile network operator to deploy FIDO authentication, enabling a passwordless future for 65 million users in Japan. And Microsoft announced that it would support FIDO authentication in Windows 10, based on its contributions to new FIDO specifications coming in 2017.
The Alliance also grew with the introduction of a government membership program that attracted government agencies from the United States, United Kingdom, Germany and Australia. The Alliance also added the FIDO Cooperation and Liaison Program, which invites industry associations worldwide to influence development of FIDO standards.
The next FIDO Alliance chapter began in February 2016, when the World Wide Web Consortium (W3C) launched a new standards effort in Web Authentication based upon FIDO 2.0 Web APIs submitted by the Alliance. The intent was to standardize strong authentication across all web browsers and related web platform infrastructure.
EMVCo, the global payment specification organization, and FIDO followed with a collaborative effort to review how FIDO authentication standards could support EMV mobile payment use cases. A key aim of the initiative is to investigate providing simpler and stronger authentication for cardholders making mobile payments using on-device authenticators, such as biometrics, thereby reducing consumer fraud globally while maintaining a good consumer experience.
By the end of 2016, the FIDO Alliance was firmly established as the world’s largest ecosystem for standards-based, interoperable authentication with more than 200 certified solutions. With Facebook’s announcement in early 2017 that it will also support FIDO authentication, more than 3 billion user accounts can now leverage FIDO Certified authentication.