What is FIDO authentication?
FIDO, which stands for Fast IDentity Online, is a set of authentication standards aimed at strengthening the user login process to online services. The standards are developed by the FIDO Alliance and promote faster, more secure authentication processes with the overall goal of eliminating password-based logins altogether.
The first set of FIDO standards were released in 2014 where members of the FIDO Alliance included Google, PayPal, NXP and Infineon. Latterly the membership has grown to include Apple, Amazon, ARM, Intel, MasterCard, Microsoft, Samsung and Visa to name just a few.
In This Post
How Does FIDO Authentication Work?
FIDO uses public-key cryptography to underpin its security. When a user registers with an online service, such as a website or web application, the user’s FIDO device generates a new keypair. The public key is shared with the online service while the private key is kept secure in the device and is never revealed. At subsequent logins the online service issues a challenge which the FIDO device signs internally using the private key. The signature is then returned to the online service where it can be verified using the stored public key.
Crucially, the device will only perform the signing operation after the user has confirmed their presence. This can be accomplished by one of several methods including pressing a button on the device or scanning their fingerprint (in the case of a biometric key). This requirement is to prevent malware from using an attached FIDO key without the user’s knowledge. By requiring the user to perform an action they are asserting that they are present and they want the authentication to proceed. This is referred to as "user presence detection".
Discover: View our range of FIDO Security Keys
FIDO 1.0 (U2F and UAF)
The first generation of FIDO specifications described two protocols, namely Universal 2nd Factor (U2F) and the Universal Authentication Framework (UAF).
FIDO U2F
FIDO U2F describes the "second factor experience". This is where the user possesses a separate FIDO-compliant device such as a USB security key which they must use to login in addition to their password. This supplemental method of authentication mitigates against phishing attacks by requiring the user to present something they have, the FIDO security key, in addition to something they know like their password. This is two-factor authentication (2FA) that relies on a separate dedicated hardware device.
U2F defined the client-side protocol used to communicate with the FIDO security key called the Client to Authenticator Protocol (CTAP). This protocol was designed to operate over USB, near-field communication (NFC), or Bluetooth.
FIDO UAF
FIDO UAF on the other hand was designed to provide a passwordless experience. In UAF the user registers their UAF-enabled device (eg, their smartphone) with an online service and selects a local authentication method supported by that device, primarily a biometric method such as fingerprint or facial recognition. The user is then able to access the online service from that device in future, authenticate locally using that device and without the need to enter a password.
FIDO2 (WebAuthn and CTAP2)
While FIDO 1.0 was basically two separate protocols, FIDO 2.0 (or just simply, FIDO2) is an effort to combine features of U2F and UAF and bring strong authentication into the mainstream. It is doing this through global standardization by the World Wide Web Consortium (W3C) and integration into compliant web browsers including Chrome, Firefox, and Microsoft Edge.
FIDO2 is made up of two parts:
- A Javascript API which is being standardized by the W3C called Web Authentication , or WebAuthn . This API is implemented in W3C-compliant web browsers to allow web applications to make direct use of FIDO authenticators.
- CTAP2 - an expanded version of the Client-to-Authenticator protocol.
By making FIDO authentication easy for users through simple, clean integration into online services FIDO2 aims to make strong-authentication ubiquitous and eventually eliminate the traditional password-based login altogether.