SSI and FIDO2: Different approaches for a passwordless world

Grace Macej 20 May 2022

How SSI digital wallets go steps beyond FIDO’s passwordless authentication.

At the beginning of May, Apple, Google, and Microsoft announced their commitment to a common password-less sign-in standard created by the FIDO Alliance and the World Wide Web Consortium.

This new set of specifications, FIDO2, will enable users to authenticate to online services password-free across mobile and desktop platforms. The standard is based on cryptographic keys — called passkeys — which are generated and stored on users' devices and then exchanged with the server to which the user is authenticating.

FIDO's mission is to eliminate the password and make multi-factor authentication (MFA) easy, fast, and ubiquitous. And with FIDO2, the alliance is making great gains for cybersecurity.

In the past, attempts at password-less authentication were stumped by issues with use across multiple devices and uncertainty in the event that a device is lost. But recent announcements from the alliance show that FIDO2 is receiving support from major OS vendors (e.g., Apple, Google, and Microsoft) that are making gains in addressing these issues: moving forward, OS vendors will not only handle the sync of passkeys across devices, but they'll also tackle the challenge of automating backup and recovery.

With these advancements, the FIDO Alliance is close to completing its mission to eliminate passwords by making it very easy to use cryptographic keys to authenticate a user. However the endgame for FIDO is actually the beginning of the game for SSI — self-sovereign identity.

A passwordless world with SSI

SSI enables individuals and organizations to take control of their data, effectively giving them the power to control what and with whom they share with the utmost security and privacy. SSI is supported by a set of open standards and specifications that the Avast team helped develop, which make the exchange of trusted data seamless among issuers, holders, and verifiers — even without a centralized trust role.

FIDO and SSI share the same core idea: creating and storing cryptographic keys locally for the user. But while they have a common vision for a passwordless world where users can safely and securely authenticate to online services without having to rely on cumbersome (and potentially insecure) passwords, FIDO's approach is much more limited.

"What's happened over FIDO's ten-year journey is that the idea of users controlling their own digital keys has grown up into the larger idea of users controlling their own digital wallets containing verifiable information about themselves for purposes of not only authentication but for proving who they are more generally—for example their credit card information, shipping address, marketing preferences, driver's license, and any number of other attributes related to their identity," says Drummond Reed, Director, Trust Services at Avast. "That's what we now call decentralized identity or SSI. And with the SSI model, passwordless authentication using cryptography will be built into a user's digital wallet."

The movement to SSI-based digital wallets is rapidly gaining momentum in the industry because it enables users to “bring their own identity” to websites, services, and applications in exactly the same way they can prove their identity in the real world using credentials stored in a physical wallet.

An example is the European Digital Identity Wallet initiative. Under this new legislation from the European Commission, any EU citizen, resident, or business who chooses to participate will be able to identify themselves or provide confirmation of certain personal information with a personal digital wallet. They will be able to use it to access public and private services across all member states in the European Union — anything from paying taxes to renting a bicycle — both online and offline. Furthermore, all major online tech platforms must support the EU digital wallet for user onboarding and authentication.

This is perhaps the broadest scale example of adoption of the core principles of SSI digital wallets and verifiable credentials — and it is an illustration of how the SSI approach is quickly advancing us towards that idealistic vision of a passwordless world.

Avast congratulates the FIDO Alliance for making a major step forward in the elimination of passwords — this is a very positive development for cybersecurity globally. We are even more excited about how it helps pave the road for adoption of digital wallets that can fully empower individuals with greater control over their digital lives.