The following blog is based on my FIDO Authenticate Conference speech, 2022 https://authenticatecon.com/session/leading-at-the-edge-fido-and-the-normalization-of-cryptography/
Since its inception in 2013, the FIDO Alliance has played a largely unsung role in consumerizing cryptography. FIDO has helped to embed a standard cryptographic stack that extends from the cloud all the way out to the edge, where consumers enjoy supremely powerful yet blissfully easy-to-use security.
I assess FIDO to be the most important identity industry consortium of all time. FIDO’s mission, of course, started out as solving the world's password problem. Along the way, it has normalised a minimum set of edge device capabilities: a de facto standard for the mission-critical cryptography that we all depend on, without knowing it, in the digital world.
Under the covers, every FIDO-capable device has a common suite of features. It will have a tamper-resistant secure element or microcontroller which stores private keys, biometric templates, and other secrets. Critical software operations are executed privately within the confines of that secure element, including key pair generation, digital signing of transactions on behalf of the device user, and verification of the user’s biometrics against stored templates. The secure element will also hold compact firmware that runs all these cryptographic operations and will ideally be independently quality certified.
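The key-generation, signing and verification split just described, as an added example in Go that is not part of the original post or of any FIDO Alliance code: the Authenticator type stands in for the secure element, the relying party keeps only public keys, and a signature is bound to both the RP ID and a server-chosen challenge. The RP IDs, the message layout (modelled loosely on WebAuthn) and the omission of the signature counter and attestation are assumptions of this illustration.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator stands in for the secure element: private keys never leave it (one key per RP ID).
type Authenticator map[string]*ecdsa.PrivateKey

// Register creates a P-256 key pair for rpID and exports only the public half.
func (a Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = priv
	return &priv.PublicKey, nil
}
// digest binds a signature to the relying party and to the server's one-time
// challenge, after WebAuthn's SHA-256(rpID) || SHA-256(clientData) layout (assumed here).
func digest(rpID string, clientData []byte) []byte {
	rpHash, cdHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(clientData)
	sum := sha256.Sum256(append(rpHash[:], cdHash[:]...))
	return sum[:]
}
// Assert signs the challenge with the key scoped to rpID; a look-alike domain has no key to use.
func (a Authenticator) Assert(rpID string, clientData []byte) ([]byte, error) {
	if priv, ok := a[rpID]; ok {
		return ecdsa.SignASN1(rand.Reader, priv, digest(rpID, clientData))
	}
	return nil, fmt.Errorf("no credential registered for %q", rpID)
}
// RelyingParty stores public keys only, so a breach of this table leaks no secrets.
type RelyingParty struct{ ID string; pubs map[string]*ecdsa.PublicKey }

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}
func (rp *RelyingParty) Enroll(user string, pub *ecdsa.PublicKey) { rp.pubs[user] = pub }

// Verify rebinds the digest to this RP's own ID and challenge before checking the signature.
func (rp *RelyingParty) Verify(user string, clientData, sig []byte) bool {
	pub, ok := rp.pubs[user]
	return ok && ecdsa.VerifyASN1(pub, digest(rp.ID, clientData), sig)
}
```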
Pardon me for going into this detail; it’s exactly the sort of detail that no smartphone user ever needs to know. But this is what makes mobile payments and mobile wallets so safe.
The FIDO bag of tricks is the cousin of portable cryptographic technologies going back over 30 years, including SIMs (arguably the world’s first verifiable credentials), Chip-and-PIN payment cards, e-passports, health insurance smartcards in Europe, and ID smartcards such as the U.S. Federal Government PIV card.
In 2013, FIDO’s founders were in the right place at the right time to leverage increasingly powerful mobile technology into password-less authentication. Famously, it is said that a single smartphone today contains more computing power than the whole of NASA at the time of the Apollo moon landings. What's even more remarkable for security is that the smartphone has more cryptography than the National Security Agency had at its disposal in 1999.
Just as important as the technology is consumer behaviour. We have become habituated to these personal devices; they are on our person pretty much all the time, they are core to our social presence and to so much of our retail business. We have come to feel viscerally how important they are, so their safekeeping has become second nature.
So not only can digital developers pretty safely assume that a common cryptography stack is available for their apps and services, they can also assume that almost all users are operating that stack safely!
Of course, the technology is not perfect, but think about the common tacit assumption in smartphone banking apps, mobile wallets and airline boarding passes. These are capabilities of enormous consequence; it must be assumed that the capabilities are almost always in the right hands.
There are trusted processes for apps and credentials to be provisioned to the right users. And now we have coordinated with human factors engineering to the extent that we can rely on apps and credentials staying safe and sound, where they belong.
The FIDO Alliance, with its normalized basket of security and privacy primitives, sits adjacent to some of the most important security developments today: verifiable credentials and data wallets.