With Multi-Device Fido Credentials, You Can Now Go All-in on Passwordless

This blog was originally published by CXO REvolutionaries here.

Written by Maneesh Sahu, Senior Director, OT and IIoT Product Management, Zscaler.

In a previous post, The Passwordless future has arrived, here are your options, I enumerated some options for app developers and end-users to use instead of passwords. New developments, however, make the case for going all-in with one particular option – FIDO credentials.

Last month, I decided to upgrade my aging smartphone. For a smooth transition, I first set up my phone and transferred my apps. I then used my existing password manager to synchronize credentials like passwords and OTP codes before logging into each app on my new phone. Soon I had most of my personal and work apps configured and operational. The unfinished part of my upgrade was configuring the apps where I had enrolled using FIDO credentials.

FIDO, short for "fast identity online," is a standard intended to make user authentication simpler and stronger without relying on passwords. FIDO requires a simple user gesture, like a biometric verification or tapping on a device to enroll, in order to unlock cryptographic keys on a device. The cryptographic keys are then used to authenticate users in apps and websites. As of 2021, an estimated 150 million people were using FIDO authentication every month. There were about 4 billion+ FIDO-capable devices available and more than 800 services that supported the standard.

For all the simplicity and speed of FIDO authentication, the re-enrollment process in a new device is manual and lengthy. I was lucky that my old smartphone was operational, which allowed me to easily perform the re-enrollment. If I had lost or damaged my old smartphone, I would have had to follow an additional, lengthier account recovery process.

That’s because, until a few days ago, FIDO mandated that cryptographic keys never leave the device. So, if the original device was not accessible, there was no easy way to prove account ownership. Each service required an account verification, recovery, and re-enrollment process that had not been standardized.

Today, users frequently own multiple smartphones, tablets, and laptops. Because of this restriction, each device requires new FIDO credentials to be enrolled for each service. Some "smart" devices like televisions and digital assistants don’t have the ability to securely store the FIDO credentials, so a native enrollment isn’t even possible.

Given these limitations, FIDO credentials were a hard sell. That is until Apple, Google, and Microsoft recently announced plans to expand support for multi-device FIDO credentials. The three tech titans produce the platforms that power the majority of the smart devices on the market, at least in the U.S., so their decision carries immense weight.

These platform enhancements will provide users more capabilities for seamless and secure passwordless logins, including by:

• Allowing them to automatically access their FIDO credentials on many of their devices, even new ones, without having to re-enroll every account.
• Enabling FIDO authentication on mobile devices for signing into an app or website on a nearby device, regardless of the OS platform or browser it is running.

Apple previewed these capabilities with the iCloud Keychain features it unveiled at WWDC 2021, but it is exciting to see the big three make this an open standard. That said, the enhancements will be rolled out on each’s different platforms over the course of the coming year and there is still no word on backing up FIDO credentials from one ecosystem to another. Given their fierce competition, there is no incentive for any of the ecosystem’s major players to easily allow for credential transfers.

The second important development was the release of the Federal Zero Trust Strategy by the Office of Management and Budget earlier in the year. This requires agency users to enable a phishing-resistant method like FIDO2 to access agency-hosted accounts.

While rumors of the death of passwords have, for a long time, been greatly exaggerated, it now seems we are at least approaching the end of their heyday. These two developments will enable low-cost deployments of an authentication mechanism with high assurance levels previously available only with traditional smart card authentication. Multi-device FIDO credentials will enable FIDO technology to supplant passwords for both consumer and federal use cases, as they make the FIDO credentials available to users whenever they need them – even after replacing a device.