FIDO and the importance of data signing

This blog is a companion to my on-demand speech at FIDO Authenticate 2022 happening this week in Seattle. 

Annotated handouts can be downloaded here.

All fraud is due to unreliable data, often data that has been stolen and replayed by an imposter, without the relying party being able to tell that it's not the true user in charge. Fake bank accounts are opened using stolen IDs; credit card fraud is perpetrated by typing stolen account numbers into online order forms; Medicare fraud is committed by crooked doctors quoting IDs of patients they never saw.

There are pinch points throughout the digital economy where special numbers are presented and accepted as proof of identity, or proof of membership, entitlements, authorisation, liquidity and numerous other properties or attributes. All manner of systems are vulnerable if those numbers are manipulated, and especially if they are presented by imposters.

Relying parties that accept numbers from end users need to know whether those numbers are being presented in their original form by their legitimate subjects. At present, most Internet-based systems make no provision for originality: it is almost impossible to tell whether data presented online originated from its authoritative source and is being presented by its proper owner.

Data signing is essential to close the originality gap. We should be deploying consumer-grade cryptography across all consumer platforms so that every important digital action is signed and verifiable as original.

The FIDO Alliance has consumerised cryptography and normalised a near-standard set of security capabilities. FIDO protocols rest on tamper-resistant private key storage, personal biometric and/or PIN activation, high quality key generation, and built-in cryptographic modules used to sign protocol messages.

FIDO's reason-for-being has been passwordless authentication. FIDO uses public key cryptography and digital signatures to generate proofs that the correct registered user is logging on, with a known type of device, and that the device is in the right hands.
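To make that signing step concrete, here is an added example in Go (not code from this post or from the FIDO Alliance) of a simplified WebAuthn-style assertion: the device signs the relying party's fresh challenge together with the origin and RP ID hash, and the relying party verifies the signature against the registered public key and rejects a stolen assertion replayed against another challenge or site. The Assertion layout, the flag and counter handling and the bank.example values are constructed for illustration and omit attestation, CBOR and credential IDs.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
)

// Assertion is a constructed, simplified FIDO2/WebAuthn response: AuthData = rpIdHash(32) || flags(1) || signCount(4); Sig is ECDSA P-256 over AuthData || SHA-256(ClientDataJSON).
type Assertion struct{ AuthData, ClientDataJSON, Sig []byte }
type Authenticator struct { // stands in for the user's device; the private key never leaves it
	priv      *ecdsa.PrivateKey
	signCount uint32
}
func NewAuthenticator() *Authenticator {
	k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{priv: k}
}
func (a *Authenticator) Public() *ecdsa.PublicKey { return &a.priv.PublicKey }
// digest is the exact value both sides sign or verify: SHA-256(authData || SHA-256(clientDataJSON)).
func digest(authData, clientDataJSON []byte) []byte {
	cdHash := sha256.Sum256(clientDataJSON)
	h := sha256.Sum256(append(append([]byte{}, authData...), cdHash[:]...))
	return h[:]
}
// Sign binds the RP's fresh challenge and the origin into a signature only this device can produce.
func (a *Authenticator) Sign(rpID, origin, challenge string) Assertion {
	a.signCount++
	rpHash := sha256.Sum256([]byte(rpID))
	ad := append(rpHash[:], 0x05, 0, 0, 0, 0) // flags UP|UV, then the 4-byte counter
	binary.BigEndian.PutUint32(ad[33:], a.signCount)
	cd, _ := json.Marshal(map[string]string{"type": "webauthn.get", "challenge": challenge, "origin": origin})
	sig, _ := ecdsa.SignASN1(rand.Reader, a.priv, digest(ad, cd))
	return Assertion{ad, cd, sig}
}
// Verify is the relying party's check: the registered key, the challenge it issued, its own origin and RP ID, and a counter that advanced.
func Verify(pub *ecdsa.PublicKey, rpID, origin, challenge string, lastCount uint32, as Assertion) bool {
	var cd map[string]string
	rpHash := sha256.Sum256([]byte(rpID))
	if json.Unmarshal(as.ClientDataJSON, &cd) != nil || cd["type"] != "webauthn.get" ||
		cd["challenge"] != challenge || cd["origin"] != origin || // stolen assertion replayed elsewhere
		len(as.AuthData) != 37 || string(as.AuthData[:32]) != string(rpHash[:]) ||
		binary.BigEndian.Uint32(as.AuthData[33:]) <= lastCount { // wrong RP, or counter did not advance
		return false
	}
	return ecdsa.VerifyASN1(pub, digest(as.AuthData, as.ClientDataJSON), as.Sig)
}
```

The relying party stores only the public key and the last accepted counter; a captured assertion fails the challenge check on replay, and a re-submission under the original challenge fails the counter check.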

Beyond secure authentication, these capabilities are common to secure payments, data wallets, verifiable credentials, and transaction signing. Thus the FIDO standards are adjacent to the most important data security functions today. If an end user device can perform FIDO authentication, then it should only be a matter of programming to extend that device to hold and present verifiable credentials.