In late 2009, Ramesh Kesanupalli, at the time CTO of Validity Sensors, visited Michael Barrett, then PayPal’s CISO, to discuss how PayPal.com could use biometrics for identification of online users instead of passwords. Barrett was intrigued by the concept but insisted that the solution needed to be based on some kind of industry standard that would support multiple vendors.
Kesanupalli took him at his word and reached out to his counterparts at other fingerprint sensor companies, as well as large device distributors and industry experts. The discussions led to the basic design insight that a device biometric should be used to unlock a cryptographic key on the device. This key is registered with the server, and reauthentication is based on exhibiting a signature made with the key, thus enabling passwordless authentication based purely on local authentication.
The FIDO Alliance was formed in the summer of 2012, with PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio as the founding companies. Barrett and Kesanupalli were the first President and Vice President, respectively. Active work on a passwordless authentication protocol began. The Alliance was publicly launched in February 2013.
Meanwhile, starting in 2011, Google, Yubico and NXP were working on an open standard, strong second-factor device to enable unphishable web authentication. This work shared the basic design insight that the device should self-issue a key which is registered with the server. Subsequent authentications are based on exhibiting a signature made with the key. The key is unlocked by a user presence gesture such as the press of a button. Such second-factor devices were successfully deployed to Google employees as a precursor to publicly publishing the second-factor authentication protocol. Due to the obvious synergies, this stream of activity was welcomed into the FIDO Alliance in April 2013.
The v1.0 password-less protocol (called Universal Authentication Framework - UAF) and the second-factor protocol (called Universal 2nd Factor - U2F) were completed and published simultaneously on Dec. 9, 2014, and production deployments of fully compliant v1.0 devices and servers began in earnest and have grown since.
Since the founding stream of members, many industry leaders in various segments have joined FIDO to advance the vision of device-based, simple, secure authentication designed to move the world beyond passwords. This includes major software platform vendors, financial relying parties, leading security hardware vendors, top biometric vendors and more.
In 2015, the energy from these new members accelerated the advance of the FIDO Alliance’s programs and the growth of the FIDO ecosystem. In May, the Alliance introduced the FIDO® Certified testing program, and the first FIDO Certified testing sessions were conducted. The Alliance now regularly conducts certification workshops worldwide.
Significant advances were made in the FIDO ecosystem, including the first FIDO Certified iOS products, a line-up of smartphones from the world’s leading OEMs, and support added to the FIDO 1.0 specifications for Bluetooth, Bluetooth Smart, and Near Field Communication (NFC). NTT DOCOMO became the first mobile network operator to deploy FIDO authentication, enabling a password-less future for 65 million throughout Japan. And Microsoft announced that it would support FIDO authentication in Windows 10, based on its contributions to new specifications coming from the FIDO Alliance in 2017.
Other achievements were the introduction of the government membership program, including the U.S., the UK and the German Federal Office for Information Security (BSI, Bundesamt für Sicherheit in der Informationstechnik), and the FIDO Cooperation and Liaison Program, which gives industry associations worldwide an opportunity to provide their requirements and perspectives to influence development of FIDO standards.
Momentum continued to grow in 2016, when in February the World Wide Web Consortium (W3C), the international standards organization for the World Wide Web, officially launched a new standards effort in Web Authentication based upon FIDO 2.0 Web APIs submitted by FIDO members. Standardizing the submitted FIDO Web APIs can ensure standards-based strong authentication across all web browsers and related web platform infrastructure.
EMVCo, the global payment specification body, also announced a collaborative effort with the FIDO Alliance to review how FIDO authentication standards can support EMV payment use cases. A key aim of the initiative is to investigate providing simpler and stronger authentication for cardholders making mobile payments using on-device authenticators, such as biometrics, thereby reducing consumer fraud globally while maintaining a good consumer experience.
By the end of 2016, the FIDO Alliance was firmly established as the world’s largest ecosystem for standards-based, interoperable authentication with more than 200 certified solutions. More than 1.5 billion people have the option of FIDO-certified authentication available to them.