Most services you use on your phone or laptop, from email providers to food delivery providers, require you to have a password. With so many services and websites, it’s hard to come up with unique passwords and remember all of them.

So, a lot of people end up using the same password for multiple services — and that’s a threat. If one website is compromised, your other accounts can be at risk too. A 2019 Verizon report suggests that 80% of hacking-related breaches are caused by using weak or compromised passwords.

That’s why the FIDO (Fast IDentity Online) Alliance is trying to get rid of passwords altogether.

The organization was founded in 2013 by Lenovo, Agnitio, Infineon, Nok Nok Labs, PayPal, and Validity Sensors. Since then a number of big-name partners such as Google, Apple, Microsoft, and Intel have joined the organization to support a password-less future.

I talked to Andrew Shikiar, executive director of the FIDO Alliance, and its partner and hardware security key maker Yubico, about authentication without passwords through the FIDO2 standard. But before we look at what companies are doing to let users log in to services in different ways, let's look at what FIDO2 is and how it works.

What is FIDO2?

To solve the problem of authentication through passwords, the World Wide Web Consortium (W3C) and FIDO Alliance came up with the FIDO2 standard. It’s a combination of W3C’s Web Authentication (WebAuthn) specification and FIDO Alliance’s corresponding Client-to-Authenticator Protocol (CTAP). This allows you to use your phone or laptop to identify yourself safely to a web service.

To reduce the risk of phishing and similar attacks, the FIDO2 method doesn't rely on a secret stored on a server. Instead, it uses features such as biometric authentication on your own device to validate your identity, so the secret that proves who you are never leaves your device.
