With Apple, FIDO covers its bases with all browsers

Register now

Similar to a sports team landing a major free agent, the Faster IDentity Online Alliance has scored a major victory for its identity modernization cause in revealing Apple has joined the organization.

It might seem as if Apple's involvement in the standards-based organization has never been in question, considering how both have pushed biometrics for authorization.

But Apple's entry into the FIDO Alliance, and announcement it would also take a leadership role in becoming a board member, is one of the most significant memberships since the organization formed in 2013 because it officially makes all major browsers part of the effort to strengthen online security.

Because Google has been a member, the Chrome browser is part of the FIDO Alliance, as is Edge through Microsoft's membership and Firefox through Mozilla's membership. Now, Apple brings Safari into the fold.Other than bringing full FIDO support to its powerful vertically integrated Apple services and security ecosystem, the membership creates new potential to expand biometrics.

"The speculation would be that Safari users will be able to use TouchID or FaceID based FIDO platform authenticators through the browser," said Rolf Lindemann, co-chair of a security working group for FIDO and vice president of products at Nok Nok Labs, a co-founder of FIDO. "I think biometrics is key and that is widely used by the Apple ecosystem, and potentially even by the Apple Watch in the future, which is another speculation."

Apple, which has already deployed TouchID and FacialID on its latest iPhone models, will operate as a FIDO board member at a time when the organization says it is seeing broad adoption of FIDO standards. The interest and demand has unfolded in part because of increasing global regulations that mandate strong authentication for online services, such as Strong Customer Authentication in the PSD2 mandates of the European Banking Authority.

Since 2014, Nok Nok Labs has supported Apple native applications on iOS devices and in 2019 it launched the Nok Nok App software development kit for the Smart Watch. With Apple now a FIDO member, users of any Apple device will have the support of user authentication through Nok Nok's S3 Authentication Suite. The support includes through native mobile apps and the Safari browser.

"Password-related breaches are far more prevalent than they should be, given the alternatives we have available," said Richard Clarke, an advisory board member to Nok Nok Labs and a former special advisor to the president on cybersecurity. "Apple and other alliance members are transforming digital identity by committing to secure, standards-based authentication."

In terms of authentication and its role in protecting payments and personal data, FIDO standards are falling in place in just about any site in which consumers interact for social or financial purposes.

FIDO made its strongest push into payments authentication four years ago when agreeing to work with EMVCo, the card brand-operated EMV standards body, to focus on technology that enhanced device authentication that would replace static passwords.

The organization has also worked closely with the World Wide Web Consortium in creating the Web Authentication standard, which approved use of FIDO authentication methods in browser use.

Nok Nok customers using FIDO standards include financial institution BBVA, Intuit and T-Mobile, which reported a decrease in "forgot password" user requests from 65% to 7% with FIDO technology.

Twitter adopted FIDO standards as second-factor authentication keys two years ago at a time when Twitter was leaning toward more "transactions" through the social media channel as either payments or personal information.

Six years ago, with Alibaba, Discover, Google, Mastercard, Microsoft, PayPal and Visa as board members, the organization revealed its first set of specifications for universal second-factor authentication and its framework. It was an announcement that set the stage for e-commerce merchants to add second authentication factors such as biometrics.

"With use of FIDO, the reliance on passwords is reduced," Lindemann said. "Most deployments typically start with a first phase to replace messaging or passwords as a second factor with a FIDO-enabled mobile app, but keep the password as backup option."

In a second phase, providers could add support for authentication through the web browser, in addition to using FIDO enabled mobile apps, Lindemann added. "And in a third phase, people might be ready to fully deprecate passwords — but this will require a good account recovery solution."

The Nok Nok S3 Suite already supports account recovery, FIDO through the browser and FIDO in mobile apps and watch apps, Lindemann said.

For reprint and licensing requests for this article, click here.