Apple Joins FIDO: Highlights of the 2020 FIDO Alliance Plenary

The first Fast Identity Online (FIDO) member plenary of 2020 took place earlier this month in Lisbon, Portugal, assembling hundreds of members from all over the world. It was an opportunity for key contributors to FIDO to collaborate and align on the changes and innovations proposed over the last several months.

This member plenary was particularly exciting for several reasons:

  1. Apple joined the FIDO Alliance as a board member
  2. There was a focus on identity and the Internet of Things (IoT)
  3. There are plans for FIDO certification of technology professionals
  4. There was an emphasis on user experience (UX)

Apple Joined as a Board Member

To date, category leaders such as Google, Microsoft, Samsung, and Mastercard have contributed to the standard as FIDO board members in several ways. A crucial yet absent player for a very long time was Apple. I had the opportunity to meet Christopher Sharp from Apple who is the Director of Engineering for the Apple Pay technology and their FIDO board delegate.

Apple has a history of making fundamental shifts in the way people approach authentication. When Touch ID was released on the iPhone 5s it was an overnight success. It brought biometric authentication into the hands of the general public, making biometrics — formerly in the domain of criminal justice and border access authorities — commercially viable. This paved the way for the FIDO Alliance to deliver secure authentication to apps on every Apple device and improve the security posture for any relying party that chooses to adopt the technology.

The Focus on Identity and IoT

While there is progress and innovation taking place with FIDO2 and UAF, some of the more recent developments include work being done on identity verification and IoT. Working groups are outlining a process for the FIDO Alliance to provide a standard for identity verification and machine-to-machine (M2M) authentication. The goal is to develop measures for preventing massive security breaches caused by devices shipped to consumers with default credentials.

FIDO Certification for Technology Professionals

Certification for software and hardware products has been a core component of the FIDO Alliance since the beginning. The most recent development is the professional certification program for individuals. As this new program evolves, IAM and security professionals will be able to obtain certification that gives their prospective employers and peers proof of knowledge on the leading standard for strong authentication — FIDO. Keep an eye out for more news on this over the coming months!

Emphasis on UX

FIDO enables passwordless authentication which significantly improves the UX for both customers and the enterprise workforce. Working groups want FIDO adoption to occur as fast as possible in order to achieve maximum internet-scale security through speedy, mass adoption. This encompassed discussion on modifying the standard to include enhancements in UX which would accelerate global adoption. There was also discussion on incorporating QR codes in the authentication process as well as adding a network transport capability to the CTAP2 protocol so that users can authenticate without having to strictly use Bluetooth, USB, or NFC.

The biggest point of contention with any improved or simplified UX is the potential compromise on security with regard to credential-based attacks. FIDO is by default resistant to credential-based attacks, including credential stuffing and phishing, because the credential is bound to the relying party's origin and the authenticator signs a fresh, server-issued challenge rather than a reusable secret. Organizations will want to avoid adding new ambiguous or overly flexible methods for authentication that can create new attack vectors.
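To make the phishing-resistance point concrete, the following is an added example (not code from the original post or from the FIDO Alliance) of the checks a WebAuthn relying party performs on an assertion before it even looks at the signature: the `clientDataJSON` must carry the server's own challenge and the expected origin, and the `rpIdHash` at the start of the authenticator data must match the SHA-256 of the relying party ID. The relying-party ID `example.com`, the origin, the challenge bytes and the look-alike phishing origin are all constructed for the demo; the helper functions that build client data and authenticator data stand in for what a browser and authenticator would produce. The block uses only the Python standard library.

```python
import base64
import hashlib
import hmac
import json

# Constructed relying-party settings for the demo (assumptions, not real deployments).
RP_ID = "example.com"
EXPECTED_ORIGIN = "https://example.com"
# Constructed challenge; a real server generates a fresh random one per ceremony.
CHALLENGE = bytes(range(32))


def b64url_encode(data: bytes) -> str:
    """WebAuthn uses unpadded base64url for binary fields in clientDataJSON."""
    return base64.urlsafe_b64encode(data).rstrip(b"=").decode()


def b64url_decode(text: str) -> bytes:
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def make_client_data(origin: str, challenge: bytes) -> bytes:
    """Stand-in for the clientDataJSON a browser builds for a 'get' ceremony."""
    return json.dumps(
        {"type": "webauthn.get", "challenge": b64url_encode(challenge), "origin": origin}
    ).encode()


def make_auth_data(rp_id: str, user_present: bool = True, counter: int = 1) -> bytes:
    """Stand-in for authenticatorData: rpIdHash (32) || flags (1) || signCount (4)."""
    flags = 0x01 if user_present else 0x00  # bit 0 = user presence (UP)
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + counter.to_bytes(4, "big")


def check_assertion(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes,
                    rp_id: str = RP_ID, expected_origin: str = EXPECTED_ORIGIN) -> bytes:
    """Validate the origin/challenge/rpId binding of an assertion.

    Returns the bytes the authenticator's signature must cover
    (authenticatorData || SHA-256(clientDataJSON)); the caller verifies that
    signature with the public key stored at registration. Raises ValueError on
    any binding failure so a phished or replayed assertion is rejected before
    signature verification.
    """
    client_data = json.loads(client_data_json)

    if client_data.get("type") != "webauthn.get":
        raise ValueError("unexpected ceremony type")

    # The challenge ties this assertion to the session that requested it (replay defence).
    presented = b64url_decode(client_data.get("challenge", ""))
    if not hmac.compare_digest(presented, expected_challenge):
        raise ValueError("challenge mismatch: stale or replayed assertion")

    # The browser records the page origin; a look-alike domain can never match.
    if client_data.get("origin") != expected_origin:
        raise ValueError(f"origin mismatch: {client_data.get('origin')!r}")

    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")

    # The authenticator hashes the RP ID the browser gave it; it must be ours.
    expected_rp_hash = hashlib.sha256(rp_id.encode()).digest()
    if not hmac.compare_digest(auth_data[:32], expected_rp_hash):
        raise ValueError("rpIdHash mismatch: credential scoped to another relying party")

    if not auth_data[32] & 0x01:
        raise ValueError("user presence flag not set")

    return auth_data + hashlib.sha256(client_data_json).digest()


def rejects(client_data_json: bytes, auth_data: bytes, expected_challenge: bytes) -> bool:
    """True if check_assertion refuses the assertion (used for the demo and tests)."""
    try:
        check_assertion(client_data_json, auth_data, expected_challenge)
    except ValueError:
        return True
    return False


if __name__ == "__main__":
    good = make_client_data(EXPECTED_ORIGIN, CHALLENGE)
    auth = make_auth_data(RP_ID)
    print("legitimate origin accepted:", not rejects(good, auth, CHALLENGE))
    # Constructed look-alike origin standing in for a phishing page.
    phish = make_client_data("https://example.com.evil.test", CHALLENGE)
    print("look-alike origin rejected:", rejects(phish, auth, CHALLENGE))
```

In practice the browser refuses to exercise a credential whose RP ID does not match the page's effective domain, so a phishing site never obtains a usable assertion at all; the server-side checks above are the defence-in-depth layer that catches anything a misbehaving client might relay. Widening the transports CTAP2 supports does not change these checks, which is why the transport work discussed at the plenary need not weaken the phishing resistance the standard provides.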

Looking Forward

The next FIDO plenary will be at the alliance’s own inaugural Authenticate Conference which takes place June 2-3, 2020 in Seattle, Washington. I look forward to presenting with my peers and representatives from organizations who have successfully deployed FIDO authentication at global scale. We also welcome new players such as Apple, which is bound to add a great deal more to the conversation about our collective goal of ending our over-reliance on passwords.