Fido Alliance, an open security industry association, wants to accelerate the elimination of password use among consumers, with the introduction of its first user experience (UX) guidelines and new FIDO2 standards enhancements.
The increase in phishing attacks targeting remote employees prompted the group to come up with an implementation path for organizations to follow which will then maximize the adoption and will simplify Fido deployments.
“Eliminating the reliance on passwords is now a major objective for everyone offering online services — both to provide more seamless yet secure access to consumer services, as well as to address the growing threat from sophisticated attacks targeting distributed workforces and systems,” said Andrew Shikiar, executive director and CMO of the Fido Alliance. “Our first UX guidelines and FIDO2 enhancements give consumers and enterprises the tools, protection and roadmap to a simpler, more secure, passwordless future.”
According to Fido, a growing number of large service providers and financial institutions are providing this built-in functionality in order to give their customers the option to log in without the risk and hassle of passwords. These Fido UX guidelines, which can be found on the Fido Alliance website, were created as a set of best practices to help service providers encourage their customers to log in with Fido Authentication on desktop environments; other FIDO authentication use cases will be addressed through UX guidelines in the future.
The enhancements to the FIDO2 specifications include several new features that will be helpful for passwordless enterprise deployments and other complex security applications. Both FIDO2 specifications were recently updated by their governing bodies, with the World Wide Web Consortium (W3C) approving WebAuthn Level 2 and FIDO doing the same for CTAP 2.1.
According to Fido, the key to these enhancements is enterprise attestation, which provides enterprise IT with improved management of Fido authenticators used by employees. Enterprise attestation enables better binding of an authenticator to an account, assists with usage tracking and other management functions including credential and pin management, and biometric enrollment required in the enterprise.