illustration of laptop

The Path to Passwordless Authentication: PKI vs. FIDO

The Case for Going Passwordless

Passwords are a familiar punching bag — annoying for users to remember, expensive for IT teams to manage and dishearteningly simple for criminals to hack. According to Forrester, large organizations spend up to $1 million per year just to handle password resets. Gartner estimates that 40% of all helpdesk calls are related to passwords.

Meanwhile, researchers at Digital Shadows recently reported that more than 24 billion log-in credentials were breached in 2022

No wonder major tech providers like Apple, Google and Microsoft are expanding their support for passwordless authentication. Of course, until these solutions are widely adopted, organizations are still putting their employees and customers at risk.

There are several different ways to implement passwordless authentication, from emailed authentication links to SMS codes. Historically, one of the most secure methods has been the use of PKI digital certificates, and more recently FIDO (Fast Identity Online) security keys has emerged as a widely supported authentication method. How can organizations navigate these choices to protect their networks and services?

In this article, we’ll review how FIDO and PKI keep users safe — and why organizations might choose one technology over the other.

How PKI and FIDO Power Passwordless Authentication

Both PKI and FIDO use asymmetric cryptography where the user keeps a private key secure and uses it to generate a cryptogram that is verified with an associated public key. So how does passwordless authentication work? PKI relies on digital certificates to distribute public keys. A digital certificate is a digitally signed document that binds a public key to the identity of the certificate holder. Certificates are signed by a trusted certificate authority (CA) which establishes the authenticity and integrity of public keys. When a user wants to communicate securely with another party, they can obtain the recipient’s public key which will allow a user to encrypt the data that can be decrypted by the recipient using their corresponding private key. IT ecosystem players including operating system, browser and application vendors have worked to implement native support for PKI over the years, and when users attempt to access sensitive information on a network, a PKI certificate validates their identity via a secure, cryptographic connection that works seamlessly in the background.

FIDO also leverages public key cryptography to authenticate users. But instead of using certificates for key distribution, it generates a new key pair for each website (often called a Relying Party, RP for short, in FIDO documents) and the website keeps the public key. This is why FIDO keys are said to be “scoped” to a single RP reducing the potential for an attack targeting one site to impact another. The corresponding unique private key is always kept securely stored on an individual device.

Until recently, FIDO keys were usually stored on dedicated hardware tokens known as security keys that the user would plug into a computer or phone, or they were stored in some embedded cryptographic module for the exclusive use on a specific device. Since the end of 2022, thanks to increased support from all major ecosystem players, FIDO keys can also be stored in Android and iOS devices that people already have on hand and used either in that device or in a nearby desktop computer. These new FIDO keys are known as passkeys and are poised to further reduce the reliance on passwords. Devices containing FIDO keys can offer additional protection using biometrics like fingerprints or face scans for a simplified user experience.

What Do PKI and FIDO Have in Common?

Since PKI and FIDO both rely on asymmetric key cryptography — widely regarded as one of the most secure and reliable forms of encryption — both provide the same level of security. Both eliminate the need for passwords and offer a seamless experience for end users. When the cryptographic keys are generated and stored in separate hardware devices like smart cards and security keys, both PKI and FIDO are suitable for achieving the highest Authenticator Assurance Level 3 (AAL3) defined by the NIST SP 800-63 Digital Identity Guidelines, and Authentication Level of Assurance 4 (LoA4) defined in the ISO/IEC 29115 standard that enables eIDAS identity assurance HIGH.

What’s the Difference Between PKI and FIDO?

There are several differences between PKI and FIDO that go beyond how public keys are distributed.

Customization
FIDO is an open standard that enjoys growing support from major tech manufacturers. It’s easy for IT teams to implement, and it benefits from almost universal client built-in support. Organizations can choose how and where FIDO keys are deployed — they can be integrated passkeys in users’ mobile phones, in the form of security keys and smart cards, or integrated platform authenticator when available. Furthermore, although FIDO was designed initially for authentication in the open Web where it benefits from broad deployment, it is also available in major platforms for native app authentication.

PKI is also an open standard, and it has been the backbone of network security since the late 1970s. It requires more careful planning, deployment and management, but it also offers capabilities beyond authentication and can be used for data encryption and digital signatures.

Management
FIDO maintains individual authentication keys for each service/user pair. The use of asymmetric cryptography protects them from server breaches, and the use of scoped keys means that privacy is protected by preventing linking users across services. But it also means there’s no unique, centralized place for IT teams to view or manage accounts.

PKI, on the other hand, is centrally managed by design, and the best-in-class solutions offer robust, on-demand audit and reporting mechanisms. IT teams can oversee the entire certificate lifecycle management process from issuing to revoking the certificate via a centralized management console.

Trust
PKI relies on the hierarchical trust model where trust is established through a trusted third party — a certificate authority (CA) to register and issue digital certificates, and on organizations to broker that trust between users and systems. However, PKI certificates are system agnostic and there are multiple implementations available to support them, meaning the user experience and capabilities can vary significantly across applications.

By contrast, FIDO authentication is decentralized, establishing trust individually between systems and their users. FIDO keys can therefore only be used within the security domain where they were originally registered, but the user experience is highly consistent because of the close collaboration between ecosystem players.

PKI vs. FIDO: What’s Best for Your Needs?

The choice between PKI and FIDO often comes down to each organization’s specific needs — and what infrastructure is already in place.

Consider using PKI for passwordless authentication if you:

  • Already use PKI certificates for data encryption, digital signatures or server authentication
  • Need stricter identity management protocols or would like to use federation to accept identities external to your own security domain
  • Need a process for centrally managing and auditing digital certificates

Take a deep dive into PKI for passwordless authentication >>

Consider using FIDO for passwordless authentication if you:

  • Are looking for a faster implementation timeline
  • Want to streamline integration with web and mobile apps
  • Are investing in a modern authentication backend that enables management of FIDO keys for multiple applications in a centralized administration console

Take a deep dive into FIDO for passwordless authentication >>

Ultimately, you may not have to choose. The FIDO Alliance has investigated how to incorporate both PKI and FIDO authenticators into an expanded authentication ecosystem with the goal of “enabling greater number of users and applications to be protected using asymmetric encryption.”

Learn how HID can facilitate your path to passwordless authentication >>

This blog is part 1 of HID’s ‘Path to Passwordless’ series. Further explore FIDO authentication in part 2, or PKI authentication in part 3.

Adrian Castillo is passionate about secure identity credentials that enable trusted transactions in physical and virtual environments. Since joining HID in 2008, he has developed credential solutions for end-users, client applications and back-end services. Most of all, he likes to understand the complete chain of components that are involved in the chain of trust.