FIDO2 authentication standards enable websites to replace vulnerable passwords with cryptographically secure logins using convenient alternatives like biometrics and security keys
MOUNTAIN VIEW, Calif., September 26, 2018 — FIDO2 browser support and first certified products are now available to reduce password use on the web, the FIDO Alliance announced today. Now, any website can leverage FIDO2 strong authentication protocols from the W3C and FIDO Alliance to replace passwords with cryptographically secure logins using convenient alternatives like on-device biometrics and FIDO Security Keys.
Google Chrome, Microsoft Edge and Mozilla Firefox browsers now support FIDO2, a big advancement since the standards were introduced last April. Between this support and newly certified products supporting a wide variety of use cases, service providers have all of the tools needed to roll out FIDO Authentication for their websites and applications. FIDO Authentication has been proven to protect against the phishing and security risks associated with passwords, provide better user experiences over remembering and typing passwords, and lower authentication support costs.
“With FIDO2, the tech industry has, for the first time, established a technology standard for strong, phishing-resistant authentication on the web that promises better security and a better user experience. These announcements today of certified products and leading web browser support deliver on that promise by bringing these new capabilities to market,” said Brett McDowell, executive director of the FIDO Alliance. “Any web application — consumer or enterprise, mobile or desktop — can now be enabled to take advantage of these innovations at internet scale with the full confidence that comes from an independent certification program designed and governed by their peers.”
Organizations that have achieved FIDO2 certification for security key and biometric authenticators, clients and servers include: CROSSCERT: KECA (Korea Electronic Certification Authority); Dream Security Co., Ltd. Korea; ETRI; eWBM Co., Ltd.; IBM; Infineon Technologies; INITECH Co., Ltd.; Nok Nok Labs (Universal Server); OneSpan; Raonsecure; Samsung SDS; Singular Key; Whykeykey Inc.; Yahoo Japan Corporation; Yubico. Products are certified for FIDO2 by the FIDO Alliance to ensure compliance with the specifications, as well as interoperability among FIDO products. Today’s announcement also includes the first certified FIDO Universal Server, which a service provider can use to ensure compatibility with authenticators based on all FIDO specifications (FIDO UAF, FIDO U2F and FIDO2).
FIDO2 Details
FIDO2 is comprised of the W3C’s Web Authentication specification and the corresponding Client to Authenticator Protocol (CTAP) from FIDO Alliance. Collectively, these standards enable users to leverage common devices to more easily authenticate to online services through mobile and desktop browsers. FIDO2 supports a variety of authentication use cases and experiences, including passwordless, second-factor and multifactor for the highest levels of assurance. Password-only logins can now be replaced with easy user gestures using embedded biometrics (facial recognition, iris scan, fingerprint swipe) and/or portable security keys.
These simple user experiences are backed by strong cryptographic security that is transparent to the user and protects against phishing, man-in-the-middle and attacks using stolen credentials. FIDO2 web browsers and online services are also fully backward compatible with all previously certified FIDO U2F Security Keys.
Visit the FIDO Alliance website to get more information on FIDO2, including resources for developers and product vendors interested in taking part in the FIDO Certified program.
About the FIDO Alliance
The FIDO (Fast IDentity Online) Alliance, www.fidoalliance.org, was formed in July 2012 to address the lack of interoperability among strong authentication technologies, and remedy the problems users face with creating and remembering multiple usernames and passwords. The FIDO Alliance is changing the nature of authentication with standards for simpler, stronger authentication that define an open, scalable, interoperable set of mechanisms that reduce reliance on passwords. FIDO Authentication is stronger, private, and easier to use when authenticating to online services.
Supporting quotes from certified companies:
CROSSCERT: KECA (Korea Electronic Certification Authority), David Ahn, Director
“Our FIDO Certification service is credited for its strong security and convenience in the market, and the cumulative number of domestic users exceeded 280 million as of September. We will lead the biometric authentication market with the FIDO2 Simplified Cloud Authentication, the next-generation authentication technology.”
eWBM Co., Ltd., Stephen Oh, Ph.D., CEO
“The eWBM Golden Gate (model eFA500), the FIDO2-certified fingerprint authenticator, opens the door to the world of biometric authentication web access. It is a compact and portable security device that provides a superior user experience, thanks to its no-ID and no-password authentication functions.”
IBM Security, Shane Weeden, Senior Technical Staff Member
“IBM’s strong and alternative-to-password authentication strategy will benefit significantly from the WebAuthn and FIDO2 standards. These specifications bring convenient, frictionless strong authentication services to the mainstream web with consumer privacy as a primary consideration.”
Infineon Technologies, Joerg Borchert, VP of Chip Card and Security
“We are very happy to provide the industry’s first FIDO2 certified Reference Design based on the SLE78 single-chip solution. Infineon’s reference design serves as development kit for fast and low risk FIDO2 USB and USB/NFC token designs prepared to reach highest security levels. Certification according to the specifications of the FIDO2 standard increases interoperability of the token and reduces production and support costs on the manufacturer side.”
Nok Nok Labs, Phillip Dunkelberger, CEO and President
“Every day there is news of a new phishing or other scalable attack, caused by the use of weak and stolen passwords. Our breadth of experience as the most broadly deployed FIDO-based platform puts us in a unique position to deliver phishing-resistant, privacy-conscious authentication in a passwordless user experience. We look forward to bringing these solutions and benefits to our customers and partners as we deliver on our vision of fixing the security and ease of use flaws on the internet.”
OneSpan, Scott Clements, CEO
“OneSpan has joined tech leaders such as Google and Microsoft in embracing the FIDO2 standard, most recently with the certification of our Digipass 785 authenticator. Rapid adoption of the FIDO2 standard spells good news for the unification of the authentication industry and for the security of consumers online.”
Raonsecure, Lee Soon-hyung, CEO
“Considering South Korea’s PC-oriented business environment, it is expected that there are demands for FIDO2 for business systems such as groupware, ERP, CRM and others.”
Samsung SDS, Sean Im, Senior Vice President of solution business division
“By acquiring FIDO2 certification, Samsung SDS now offers secure and convenient Nexsign solution to PC users as well as mobile users. In business perspective, a stepping stone has been prepared to target the domestic and overseas B2B authentication markets.”
Singular Key, Hitesh Kalra, Founder
“Today’s announcement is a significant milestone towards a safer internet by eliminating the use of passwords and shared secrets. FIDO provides agility for evolving user authentication flows and digital journeys. Singular Key is committed to make it easy to deploy high assurance authentication at scale with its cloud-based FIDO Authentication Service.”
Yahoo Japan Corporation, Shinya Sugawara, Vice President, ID Solution Division
“Yahoo! JAPAN launches a FIDO2-certified authentication service that has been officially accredited by FIDO Alliance at the first FIDO2 conformance test. This innovative service ensures simpler and more secure authentication, lessening the reliance on traditional passwords for users. Yahoo! JAPAN contributes to enhancing users’ passwordless experiences aligned with FIDO’s effort towards simpler, stronger authentication on the Web.”
Yubico, Stina Ehrensvard, CEO and Founder
“Our mission has always been to drive open standards and ecosystem adoption by creating technical specifications, open source components, and the gold standard for authenticators. With the YubiKey 5 Series FIDO2 Certification and growing momentum towards a passwordless world, we’re proud to see our vision of one single security key to any number of services becoming a reality.”