IDmelon, as one of the pioneers in phishing-resistant passwordless authentication, offers a full implementation of FIDO2 that lets both individuals and organizations turn their smartphones, or any type of contactless card they already use for physical access control, into a security key for logical access.
Today, access to almost everything depends on using passwords to sign in to an online account or device on a daily basis, be it a bank account for online financial transactions, a work account for carrying out job tasks, or a personal account holding private data. Passwordless authentication is a system of authentication that allows users to access these protected devices, services, and accounts without having to rely on a traditional password. It relies on a user’s device or biometrics, such as fingerprint or facial recognition, to confirm that users are who they say they are before they access an account, device, or service. It is generally considered to be a more secure way of authenticating than traditional passwords as it is more difficult to guess or hack.
Passwordless authentication is important because it provides a more secure and convenient way to access accounts and services. Users no longer need to juggle multiple passwords or worry about their credentials being compromised, and they can access their accounts and services securely and quickly without having to remember a complex password. This eliminates the risk of having passwords stolen or hacked. Passwordless authentication also helps protect users from phishing attacks, where malicious actors attempt to gain access to accounts by sending malicious emails or links. Overall, passwordless authentication helps to ensure secure access to accounts and services while also providing a more convenient and user-friendly experience.
FIDO (Fast IDentity Online) is a set of security specifications developed by the FIDO Alliance, a non-profit open industry association launched in February 2013 whose mission is to develop and promote authentication standards at the client and protocol layers that “help reduce the world’s over-reliance on passwords”. It is a set of security standards used to authenticate users and provide a higher level of security for online transactions. It is designed to help protect against identity theft and fraud and to let users log in to websites and apps, make online purchases, and access other online services. Using biometrics, such as a fingerprint scan, to confirm the user’s identity helps to ensure that the user is who they say they are and that their data is kept safe.
FIDO specifications support a wide range of authentication technologies and solutions, including biometrics such as fingerprint, USB security keys in various form factors, wireless (Bluetooth and NFC), embedded Secure Elements (eSE), and smart cards. This variety of devices and methods gives both individual users and organizations the flexibility to meet their cybersecurity needs. Meanwhile, open industry standards ensure that current and new products and services are and will be compatible and can be evaluated by anyone. Users can rely on their FIDO devices with full confidence everywhere FIDO authentication is supported. Organizations can roll out different devices and services to safeguard their company’s data without having to make new investments. And technology developers can bring innovative products and services that support FIDO protocols to the table, making online authentication simpler and stronger than before for their clients.
A passkey is a passwordless way to create online accounts and authenticate access to them: a safer and more convenient replacement for passwords across all of a user’s devices. With passkeys, you do not enter a password when you create an account. Instead, you use your device (e.g., your smartphone, tablet, or security key) with your desired authentication method, such as biometrics, to authenticate your identity and prevent unauthorized access. Robust and phishing-resistant. Simple, too, because you no longer deal with passwords.
Passkeys are discoverable FIDO credentials. They have been designed to work with no shared secrets. Authentication with passkeys uses cryptographic keys stored on the user’s devices. When you create an account that supports passkeys, your device creates a pair of public and private keys. The public key, which is sent to the service provider for storage, does not get a cyber-criminal anywhere, while the private key must stay secret and not leave your device. When you send a login request to the server, it sends a challenge (i.e., some random data used to confirm that you are who you say you are) to your device. The challenge can be solved only by the private key on your device. Normally, however, passkeys can live on cloud services and are synced between the user’s devices. The cloud service also needs to store an encrypted copy of the related FIDO credentials.
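The registration and challenge exchange described above can be sketched in a few lines of Node.js. This is an added example, not IDmelon’s code and not the WebAuthn wire format: signing the challenge concatenated with the origin is a simplification of what WebAuthn does with structured client and authenticator data, and the names `createAuthenticator`, `createServer`, `demo` and the `login.example` origins are constructed for illustration.

```javascript
// Added illustration: simplified passkey-style challenge-response, not full WebAuthn.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');
const RP_ORIGIN = 'https://login.example'; // constructed relying-party origin

// Device side: the private key stays inside this closure and is never exported.
function createAuthenticator() {
  const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
  return {
    publicKey, // the only key material sent to the server at registration
    // Sign the server's challenge together with the origin the client is really talking to.
    respond: (challenge, origin) =>
      sign('sha256', Buffer.concat([challenge, Buffer.from(origin)]), privateKey),
  };
}

// Server side: holds public keys and one outstanding challenge per user.
function createServer() {
  const publicKeys = new Map();
  const pending = new Map();
  return {
    register: (user, publicKey) => publicKeys.set(user, publicKey),
    startLogin(user) {
      const challenge = randomBytes(32); // fresh random data for every login attempt
      pending.set(user, challenge);
      return challenge;
    },
    finishLogin(user, signature) {
      const challenge = pending.get(user);
      pending.delete(user); // single use, so a replayed response has nothing to match
      const key = publicKeys.get(user);
      if (!challenge || !key) return false;
      // The server checks against its own origin, not whatever the client claims.
      return verify('sha256', Buffer.concat([challenge, Buffer.from(RP_ORIGIN)]), key, signature);
    },
  };
}

// Runs one genuine login, one replay, and one login relayed through a look-alike origin.
function demo() {
  const device = createAuthenticator();
  const server = createServer();
  server.register('alice', device.publicKey);
  const response = device.respond(server.startLogin('alice'), RP_ORIGIN);
  const genuine = server.finishLogin('alice', response);
  const replayed = server.finishLogin('alice', response);
  const lookalike = device.respond(server.startLogin('alice'), 'https://login.example.invalid');
  return { genuine, replayed, wrongOrigin: server.finishLogin('alice', lookalike) };
}
console.log(demo());
```

The server never holds anything that could be used to sign in as the user: a copy of its stored public keys lets an attacker verify responses, not produce them.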
Different operating systems implement the features required to let passkeys on devices such as smartphones or laptops sync to the cloud service tied to the user’s platform account. Examples are an Apple ID for iOS or macOS and a Google account for Android or ChromeOS. When the user creates a passkey on one of their devices, it is synced automatically to all of the user’s devices that run the same OS and are signed in to the same platform account. Thus, passkeys that have been created on one device will be available on all other devices.
IDmelon, as one of the pioneers in producing security keys as a service based on FIDO standards, offers a full implementation of passkeys. We support the primary mode of passkeys (multi-device) and also its single-device mode, for individual and organizational users. In addition to smartphones, one of the popular devices used as a FIDO security key, IDmelon also supports different types of contactless cards as another device for passkeys. Therefore, with the solutions offered by IDmelon, both individual users and organizations’ workforces can turn their smartphones, or any type of contactless card they are already using, into a security key device to take advantage of passkeys.