For years the FIDO Alliance has been dedicated to changing and improving online authentication. FIDO, which stands for Fast Identity Online, envisions a future where online security methods go beyond passwords and provide stronger authentication solutions such as biometrics and second-factor solutions.
Google recently conducted a two-year research study of FIDO’s approach to examine how well it worked.
“At Google, we prefer to make data-driven decisions based on statistical and empirical verification,” Google wrote in a post. “This is particularly true when the security and privacy of more than a billion users are at stake, so we applied this philosophy to verify the practical benefits of deploying FIDO-based Security Keys to our more than 50,000 employees.”
FIDO-based Security Keys are devices designed to make two-step verification more secure and easier to use. “Our system design goals required Security Keys to be easy to use; easy for developers to integrate with a website via simple APIs; non-trackability to ensure privacy; and protect users from password reuse, phishing, and man-in-the-middle attacks,” Google wrote. “The currently most common version of our Security Key is a tiny dongle that plugs into a computer’s USB port, although the Security Key’s underlying protocols are standardized and can also be used via NFC (contactless) and Bluetooth Low Energy.”
The company compared the Security Keys against one-time password generators and two-step SMS verification, looking at usability, deployability, and security. According to the company’s results, FIDO Security Keys proved to be the most secure as well as the easiest to use and deploy.
“Our employees have been very happy with the switch to Security Keys, and we have received many instances of unsolicited positive feedback,” Google wrote. “With Security Keys, Google employees (and external consumers using this supported option) now have stronger protection against phishing, including well-known campaigns that have elsewhere resulted in major breaches.”
The full report is available here.