FIDO and ambient cryptography

Cryptography is one of the most important technologies for any consumer in the 21st century, because the internet as it is could not work without it. In fact, the very future of cyberspace depends on making cryptographic integrity and fidelity ubiquitous, in news, video streaming, social media and smart devices.

Every consumer uses cryptography every day but usually without being remotely aware of it. Cryptography has been consumerized, thanks largely to the work of the FIDO Alliance.

FIDO has helped to embed a suite of near-standard cryptographic functions in many of the products we use on a daily basis, from the cloud all the way out to the edge. Consumers enjoy sublimely powerful, yet easy-to-use security.

In my view, the FIDO Alliance is the most important identity industry consortium of all time. FIDO’s mission started out in solving the world’s password problem. Its founders realised that cryptographic capabilities were becoming widespread in mobile technologies, and they built up from that.

Under the covers, every FIDO-capable device has a common suite of features. It will have a tamper-resistant secure element or microcontroller which stores private keys, biometric templates, and other critical secrets. Core software operations are executed privately within the confines of that secure silicon, including key pair generation, digital signing of data and transactions on behalf of the device user, and confidential verification (match-on-device) of the user’s biometrics against stored templates. Ideally the secure element firmware will be independently tested and quality-certified.
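To make that division of labour concrete, here is an added example in Go, my own illustration rather than FIDO Alliance code or any vendor's implementation. It simulates the two halves of a FIDO-style ceremony: an authenticator that generates a P-256 key pair and keeps the private half to itself, and a relying party that stores only the public key, issues a one-time challenge and verifies the signed response. The relying party name bank.example, the credential ID format and the exact layout of the signed data are assumptions made for the demonstration; real FIDO/WebAuthn messages carry more fields than this.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Authenticator stands in for the secure element: private keys never leave it.
type Authenticator struct {
	keys     map[string]*ecdsa.PrivateKey // credential ID -> private key
	counters map[string]uint32           // per-credential signature counter
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}, counters: map[string]uint32{}}
}

// Register generates a P-256 key pair for one relying party and hands out only
// the public key and an opaque credential ID (assumed here: a hash of the key).
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	sum := sha256.Sum256(priv.PublicKey.X.Bytes())
	credID := fmt.Sprintf("%x", sum[:8])
	a.keys[credID] = priv
	return credID, &priv.PublicKey, nil
}

// Assertion is the authenticator's answer to a login challenge.
type Assertion struct {
	CredID    string
	Counter   uint32
	Signature []byte // ASN.1 DER encoded ECDSA signature
}

// signedData binds the signature to relying party, counter and challenge.
func signedData(rpID string, counter uint32, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	var c [4]byte
	binary.BigEndian.PutUint32(c[:], counter)
	return append(append(rpHash[:], c[:]...), challenge...)
}

// Authenticate signs for the site the device believes it is talking to, so a
// signature made for a look-alike site does not verify at the genuine one.
func (a *Authenticator) Authenticate(rpID, credID string, challenge []byte) (*Assertion, error) {
	priv, ok := a.keys[credID]
	if !ok {
		return nil, errors.New("unknown credential")
	}
	a.counters[credID]++
	digest := sha256.Sum256(signedData(rpID, a.counters[credID], challenge))
	sig, err := ecdsa.SignASN1(rand.Reader, priv, digest[:])
	if err != nil {
		return nil, err
	}
	return &Assertion{CredID: credID, Counter: a.counters[credID], Signature: sig}, nil
}

// RelyingParty is the server side; it stores public keys and last counters only.
type RelyingParty struct {
	ID       string
	pubs     map[string]*ecdsa.PublicKey
	counters map[string]uint32
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}, counters: map[string]uint32{}}
}

func (rp *RelyingParty) Enroll(credID string, pub *ecdsa.PublicKey) { rp.pubs[credID] = pub }

// NewChallenge issues 32 fresh random bytes, one set per login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	ch := make([]byte, 32)
	_, err := rand.Read(ch)
	return ch, err
}

// Verify checks the signature with the stored public key and requires the
// counter to increase, which is how a cloned credential gets noticed.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	pub, ok := rp.pubs[as.CredID]
	if !ok {
		return errors.New("unknown credential")
	}
	if as.Counter <= rp.counters[as.CredID] {
		return errors.New("signature counter did not increase")
	}
	digest := sha256.Sum256(signedData(rp.ID, as.Counter, challenge))
	if !ecdsa.VerifyASN1(pub, digest[:], as.Signature) {
		return errors.New("signature does not verify")
	}
	rp.counters[as.CredID] = as.Counter
	return nil
}
```

Points to notice: the relying party never holds a private key, so a breach of its database yields nothing that can be used to log in; an assertion captured in transit fails against the next challenge; a signature produced for a different relying party identifier fails at the genuine one, which is the origin binding behind FIDO's phishing resistance; and a signature counter that does not advance is treated as a sign that the key material may have been copied out of the device.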

Pardon me for going into this detail; it’s exactly the sort of detail that no smartphone user ever needs to know. But that’s the point! It is essential that this complexity has become ambient; it’s what makes mobile payments and mobile wallets so safe.

FIDO’s founders in 2013 were in the right place at the right time to apply increasingly powerful mobile technology to password-less authentication. Famously, a single smartphone today is far more powerful than NASA’s Apollo computers in the 1960s.

Yet looking at security, it is more remarkable that the smartphone has more cryptographic power than the National Security Agency (NSA) had at its disposal in the 1990s.

Just as important as the technology is consumer behaviour. We are thoroughly habituated to mobile devices; they are on our person pretty much all the time, and they are core to our daily social and retail routines. Their safekeeping is becoming second nature.

And this is critical because developers can pretty safely assume that a common cryptography stack is available for their apps and services, and also that almost all users are operating that stack safely.

Of course, the technology is not perfect, but think about the tacit assumption in mobile banking apps, wallets and airline boarding passes: these enormously consequential capabilities are almost always going to stay in the right hands.

There are trusted processes for credentials to be provisioned by the right banks and airlines to the right users.

With the IoT, manufacturers will be deploying even more cryptography to consumers, within automobiles, televisions, drones and wearables. These smart devices will be interacting autonomously with each other, with their supply chains, and with public infrastructure — exchanging verifiable data about their operating states, performance, standards compliance, warranties, service histories and so on. All transactions will be digitally signed, automatically, to prove authority and originality.

This post is based on my FIDO Authenticate Conference speech, Leading at the Edge: FIDO and the normalization of cryptography, 2022.
