Apple Joins the FIDO Alliance to Help Develop and Promote Authentication Standards

macrumors bot
Original poster
Apr 12, 2001

Apple has joined the Fast Identity Online (FIDO) Alliance, an open industry association whose mission is to develop and promote stronger authentication standards and help reduce the world's over-reliance on passwords.


Apple joins existing members Amazon, Facebook, Microsoft, Samsung and others in a common goal to secure online connections and support the adoption of the U2F authentication standard, which the alliance hosts.

Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized USB or near-field communication (NFC) devices based on similar security technology found in smart cards. U2F security keys can be used as an additional method of two-step verification in online services that support the U2F protocol, such as Google, Dropbox, and Facebook.

Chrome, Firefox, Edge, and Opera browsers natively support U2F. With iOS 13.3, Apple's Safari also supports FIDO2-compliant physical security keys like the Lightning-equipped YubiKey.

With Safari support, the YubiKey 5Ci is a useful tool that can be more convenient than software-based two-factor authentication because there's no need to enter a security code -- you simply plug it into an iPhone or Mac (there's also a USB-C connector) to authenticate. Support for FIDO2-compliant USB security keys using WebAuthn was previously added to Safari 13 in macOS.

FIDO was founded in 2013 by a group including Lenovo and PayPal to address the lack of interoperability among strong authentication technologies. MacGeneration was first to spot Apple's logo added to the list of board members.


gnasher729

macrumors P6
Nov 25, 2005
As long as the outcome is something that (1) I need to have only once and can use safely with any device I might use, (2) that is convenient for me to take anywhere where a computer/phone could be that I use, and (3) that I and only I can disable from anywhere.
 

Shirasaki

macrumors G3
May 16, 2015
I will wait for a more advanced and secure standard that has many built-in loopholes to replace our password and security questions.
 

needsomecoffee

macrumors regular
May 6, 2008
Seattle
Been pressing my bank to do this for years (as have many other customers - there is a Q/A thread on this topic many pages long at their site). Maybe this will help convince them. Why force reliance on passwords when FIDO is an option? The bank is so progressive and great, yet fails so badly here.
 

cmaier

macrumors P6
Jul 25, 2007
California
How about a basic connector standard? We're sick of USB-A, USB-C, Lightning port and dongle roulette.
No “we” aren’t.
Been pressing my bank to do this for years (as have many other customers - there is a Q/A thread on this topic many pages long at their site). Maybe this will help convince them. Why force reliance on passwords when FIDO is an option? The bank is so progressive and great, yet fails so badly here.
FIDO is a second factor, not a replacement for the first factor (password).
 

Jsfrederick

macrumors newbie
Jul 22, 2017
Fredericksburg, VA, USA
FIDO is a second factor, not a replacement for the first factor (password).
Actually, FIDO2 is single factor as well.

It supports the following methods:
  • Single Factor - Username + FIDO2 Credential
  • Second Factor - Username + Password + FIDO2 Credential
  • Passwordless Single Factor - FIDO2 Resident Key Credential
  • Passwordless MFA - FIDO2 Resident Key Credential + PIN
 

cmaier

macrumors P6
Jul 25, 2007
California
Actually, FIDO2 is single factor as well.

It supports the following methods:
  • Single Factor - Username + FIDO2 Credential
  • Second Factor - Username + Password + FIDO2 Credential
  • Passwordless Single Factor - FIDO2 Resident Key Credential
  • Passwordless MFA - FIDO2 Resident Key Credential + PIN
Thanks for the info.
 

Gaspode67

macrumors regular
Jul 30, 2008
Oxon, UK
As long as the outcome is something that (1) I need to have only once and can use safely with any device I might use, (2) that is convenient for me to take anywhere where a computer/phone could be that I use, and (3) that I and only I can disable from anywhere.
I have U2F on a number of accounts using one of the options. I have two keys that cost me a total of £30 (approx. $42). One stays at home as a backup in case I need it. The other lives on my keyring. It connects through NFC, Bluetooth or USB (Micro USB on the fob, so you can connect any cable to it). I only need to use it on a machine once unless I choose to log out from a service. If I do, I simply have to log into the service again (including the p/w for that service), then when asked connect the key in whatever way I want and press the button on top. Works a treat...

 

cmaier

macrumors P6
Jul 25, 2007
California
I have U2F on a number of accounts using one of the options. I have two keys that cost me a total of £30 (approx. $42). One stays at home as a backup in case I need it. The other lives on my keyring. It connects through NFC, Bluetooth or USB (Micro USB on the fob, so you can connect any cable to it). I only need to use it on a machine once unless I choose to log out from a service. If I do, I simply have to log into the service again (including the p/w for that service), then when asked connect the key in whatever way I want and press the button on top. Works a treat...
To me this is a horror. I finally got to the point where I no longer have to carry any keys!
 

[AUT] Thomas

macrumors 6502
Mar 13, 2016
Graz [Austria]
too many passwords - the bane of modern computing
password... modern computing? That's an oxymoron.

Passwords should have gone extinct 10 years ago. You can make a $5000 purchase with your bank card by putting in the card + PIN. Yet for online banking you need to log in with a username + password, then enter an SMS code as 2FA and another SMS code for the actual transaction. That's ridiculous.

Smart cards have existed for the past 20 years, if not longer...
 

konqerror

macrumors 68000
Dec 31, 2013
Passwords should have gone extinct 10 years ago. You can make a $5000 purchase with your bank card by putting in the card + PIN. Yet for online banking you need to log in with a username + password, then enter an SMS code as 2FA and another SMS code for the actual transaction. That's ridiculous.
Even with smart cards, bank card terminals are highly secure, locked-down hardware with internal tamper resistance that only runs certified software. Every few years, bank card terminals have to be thrown out and replaced due to new standards (PCI).

If you don't want to apply the same level of lockdown to your PC, you'll need to do additional steps.
 

dwaite

macrumors regular
Jun 11, 2008
No “we” aren’t.

FIDO is a second factor, not a replacement for the first factor (password).
U2F is a second factor only, but it is the older version. FIDO2 (CTAP2 + WebAuthn) can serve as a full passwordless authentication replacement.
 

dwaite

macrumors regular
Jun 11, 2008
Actually, FIDO2 is single factor as well.

It supports the following methods:
  • Single Factor - Username + FIDO2 Credential
  • Second Factor - Username + Password + FIDO2 Credential
  • Passwordless Single Factor - FIDO2 Resident Key Credential
  • Passwordless MFA - FIDO2 Resident Key Credential + PIN
To elaborate - you 'register' a 'FIDO authenticator' like a key fob at account creation time or while managing your account, which generates a cryptographic key pair. The public key gets associated with your account, while the private key never leaves hardware.

You can then use that key in the future to log in to that account. FIDO2 can also save additional information such as an account identifier at registration time, allowing you to log in without providing any additional information. No typing in a username or password; just a tap/click to choose to authenticate, and then the action on the authenticator (button press?) to continue.

Older U2F models (and the equivalent flows for FIDO2 keys) require the site to present user-specific information in order to use the key after registration, because they don't necessarily have internal storage, or want to preserve limited hardware storage for private keys. For these cases, you have to identify the user first in order to get that user-specific information from the site - which is why these keys are only used for secondary authentication.

FIDO2 allows you to use biometrics or a PIN code to do user verification on the hardware device, so that multi-factor authentication is done entirely by the hardware. You generally want to do multi-factor with FIDO (either on the hardware or in concert with a separate username/password), since otherwise you are only proving possession of the hardware.
 

[AUT] Thomas

macrumors 6502
Mar 13, 2016
Graz [Austria]
Even with smart cards, bank card terminals are highly secure, locked-down hardware with internal tamper resistance that only runs certified software. Every few years, bank card terminals have to be thrown out and replaced due to new standards (PCI).

If you don't want to apply the same level of lockdown to your PC, you'll need to do additional steps.
That is absolutely correct. https://directrm.com/da-pin-pad-smart-card/ would solve the problem. That way the PIN is not entered on the device's keyboard. That should be secure enough for what the average person does. For even higher security the data to be signed would need to be displayed on the secure device (in that case the card itself).
But that's just an example that we could have had a solution for that problem long ago...with barely any additional effort.
 

konqerror

macrumors 68000
Dec 31, 2013
That should be secure enough for what the average person does. For even higher security the data to be signed would need to be displayed on the secure device (in that case the card itself).
Not really. Those PIN solutions solve the issue of password compromise. PIN cards like those, and even the EMV standard do not solve the problem of MITM attacks which have become prevalent. A simple phishing attack can defeat PIN cards and OATH tokens. FIDO U2F and FIDO2 solve this, but require hooking into the browser to obtain domain information.

The second problem that FIDO solves is one of privacy. The protocol is specifically designed so that the same token can be used by multiple users in combination with multiple sites without the ability to correlate use. In contrast, PIN cards and smart cards had the issue of "wallet explosion" in which security concerns meant that every account needed a different card by a different vendor.