How FIDO Authentication Can Complement Federation Protocols

As a growing number of organizations embrace FIDO-based security, there is some confusion about whether FIDO authentication is meant to replace federation protocols like SAML (Security Assertion Markup Language) and OpenID Connect (OIDC). But in fact FIDO can complement such authentication mechanisms, argues FIDO Enterprise Adoption Group Co-chair Salah Machani.

As Machani explains in a post on the FIDO Alliance website, the key difference between FIDO authentication and authentication based on federation protocols is that the former establishes trust between the user and an application provider, whereas the latter establishes trust between the user and a third-party authentication authority, which also provides assurance to the application provider. Nevertheless, the two are compatible. In authentication with a federation protocol, the application provider could specifically request that the third-party authentication authority require FIDO-based authentication; and even in cases where authentication has already been conducted via federation protocol, an authentication provider can ask for a step-up in user authentication based on FIDO standards.

In other words, FIDO Alliance standards can be integrated into an existing federation protocol authentication process; they don’t conflict with such systems, and they aren’t incompatible with them.
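
The two integration points described above, sketched for OpenID Connect as an added example (not code from the article or from the FIDO Alliance): the application asks the identity provider for a FIDO-backed login through `acr_values`, then checks what the ID token actually reports and builds a step-up request when it falls short. The ACR identifier, the endpoint and client names, and the reading of the RFC 8176 `amr` value `hwk` as evidence of a FIDO authenticator are assumptions; real values come from the identity provider's documentation.

```python
from urllib.parse import urlencode

# Constructed placeholder: each identity provider defines its own ACR identifiers.
FIDO_ACR = "urn:example:acr:fido"
# RFC 8176 "amr" value for a hardware-secured key; mapping it to FIDO is an assumption.
FIDO_AMR = {"hwk"}


def build_authn_request(authorize_endpoint, client_id, redirect_uri, state, nonce,
                        acr=FIDO_ACR, max_age=None):
    """Build an OIDC authorization request asking the IdP for a FIDO-backed login."""
    params = {
        "response_type": "code",
        "scope": "openid",
        "client_id": client_id,
        "redirect_uri": redirect_uri,
        "state": state,
        "nonce": nonce,
        "acr_values": acr,  # requested authentication context; the IdP may not honor it
    }
    if max_age is not None:
        params["max_age"] = str(max_age)  # 0 asks for a fresh authentication
    return authorize_endpoint + "?" + urlencode(params)


def satisfies_fido(claims, required_acr=FIDO_ACR):
    """Inspect claims from an ID token that has ALREADY passed signature,
    iss, aud, exp and nonce validation (not shown here)."""
    if claims.get("acr") == required_acr:
        return True
    return bool(FIDO_AMR.intersection(claims.get("amr") or []))


def next_step(claims, **request_args):
    """Return None when the federated login is strong enough, otherwise the
    URL of a step-up request that asks the IdP for FIDO authentication."""
    if satisfies_fido(claims):
        return None
    return build_authn_request(max_age=0, **request_args)


if __name__ == "__main__":
    # Constructed sample: a password-only federated login triggers a step-up.
    args = dict(authorize_endpoint="https://idp.example/authorize", client_id="app1",
                redirect_uri="https://app.example/cb", state="s1", nonce="n1")
    print(next_step({"sub": "u1", "acr": "urn:example:acr:password", "amr": ["pwd"]}, **args))
```

Because `acr_values` is a request rather than a guarantee, the check on the returned `acr` and `amr` claims is what enforces the policy on the application side.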

Machani’s assertion may help to reassure numerous ISOs and other security administrators working in the many businesses that are now looking to FIDO standards to help them fight fraud, and to comply with new data security regulations such as the European Union’s incoming PSD2 and GDPR directives. And for those who are ready to dig deeper into how FIDO standards can be incorporated into their existing authentication infrastructures, the FIDO Alliance has issued a white paper that goes into greater detail.