In late 2009, Ramesh Kesanupalli, at the time CTO of Validity Sensors, visited Michael Barrett, then PayPal’s CISO, to discuss how PayPal.com could use biometrics for identification of online users instead of passwords. Barrett was intrigued by the concept but insisted that the solution needed to be based on some kind of industry standard that would support multiple vendors.
Kesanupalli took him at his word and reached out to his counterparts at other fingerprint sensor companies, as well as large device distributors and industry experts. The discussions led to the basic design insight that a device biometric should be used to unlock a cryptographic key on the device. This key is registered with the server, and reauthentication is based on exhibiting a signature based on the key, thus enabling passwordless authentication based purely on local authentication.
The FIDO Alliance was formed in the summer of 2012, with PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon, and Agnitio as the founding companies. Barrett and Kesanupalli were the first President and Vice President, respectively. Active work on a passwordless authentication protocol began. The Alliance was publicly launched in February 2013.
Meanwhile, starting in 2011, Google, Yubico and NXP were working on an open-standard, strong second-factor device to enable unphishable web authentication. This work shared the basic design insight that the device should self-issue a key which is registered with the server. Subsequent authentications are based on exhibiting a signature based on the key. The key is unlocked by a user presence gesture such as the press of a button. Such second-factor devices were successfully deployed to Google employees as a precursor to publicly publishing the second-factor authentication protocol. Due to the obvious synergies, this stream of activity was welcomed into the FIDO Alliance in April 2013.
The v1.0 passwordless protocol (called Universal Authentication Framework - UAF) and the second-factor protocol (called Universal 2nd Factor - U2F) were completed and published simultaneously on Dec. 9, 2014. Production deployments of fully compliant v1.0 devices and servers began in earnest and have grown since.
Since the founding stream of members, many industry leaders in various segments have joined FIDO to advance the vision of device-based, simple, secure authentication designed to move the world beyond passwords. These include major software platform vendors, financial relying parties, leading security hardware vendors, top biometric vendors and more.
In 2015, FIDO’s focus turned to enabling deployment of the technologies that have been brought to market. Future work is focused on ensuring that major software platforms have FIDO built in, so that users have an intuitive, simple experience right out of the box.