My analysis of the FIDO Alliance

I've written a new Constellation Research "Quark" Report on the FIDO Alliance ("Fast Identity Online"), a fresh, fast-growing consortium working out protocols and standards to connect authentication endpoints to services.

With a degree of clarity that is uncommon in Identity and Access Management (IDAM), FIDO envisages simply "doing for authentication what Ethernet did for networking".

Not quite one year old in 2013, the FIDO Alliance has already grown to nearly 70 members, amongst which are heavyweights like Google, Lenovo, MasterCard, Microsoft and PayPal as well as a dozen biometrics vendors and several global players in the smartcard supply chain.

STOP PRESS! Discover Card joined a few days ago at board level.

FIDO is different. The typical hackneyed IDAM elevator pitch promises to "fix the password crisis" but usually with unintended impacts on how business is done. Most IDAM initiatives unwittingly convert clear-cut technology problems into open-ended business transformation problems.

In welcome contrast, FIDO’s mission is clear cut: it seeks to make strong authentication interoperable between devices and servers. When users have activated FIDO-compliant endpoints, reliable fine-grained information about the state of authentication becomes readily discoverable by any server, which can then make access control decisions according to its own security policy.

FIDO is not about federation; it's not even about "identity"!

With its focus, pragmatism and critical mass, FIDO is justifiably today’s go-to authentication industry standards effort.

For more detail, please have a look at The FIDO Alliance at the Constellation Research website.

Posted in Security, Identity, FIDO Alliance, Biometrics, Smartcards


Jim Fenton, Fri 20 Dec 2013, 12:56pm


Notwithstanding its name, I characterize FIDO as an authentication technology rather than an identity management protocol. In practice, I would want management for my token to handle situations such as loss or theft. As it currently stands, I would need to contact each site where I use my FIDO token individually to revoke the lost token. A management layer is needed that is not part of FIDO. This is not meant as a criticism; FIDO folks I have spoken with recognize this and rightly characterize this as maintaining focus.

The interoperability promised by FIDO then is beneficial in giving users a wider choice of identity management providers that they use their FIDO tokens with, rather than that they would use a given FIDO token directly with a large number of services. Google seems to be positioning themselves in this direction, and I hope others recognize this need as well.

It's yet a bit of a stretch to characterize FIDO as a standard. The specification has yet to be published outside the FIDO Alliance, and outside review and acceptance is needed before it can truly be called a standard.

Stephen Wilson, Fri 20 Dec 2013, 1:08pm

Thanks Jim. I agree with all that. I described FIDO as a standards effort and a standards group. Time will tell if their deliverables indeed become standards. And you're exactly right that it's an "authentication technology [not] an identity management protocol". In fact in the body of the report (available to Constellation clients) I write:

"The best thing about FIDO is that it is not about federation. This might seem to run against the IDAM tide, but it’s refreshing, and it may help the Alliance sidestep the quagmire of policy mapping and legal complexities. FIDO is not really about the vexed general issue of 'identity' at all! Instead, it’s about low level authentication protocols; that is, the plumbing."
