FIDO and FIDO2 – a Primer

FIDO, which stands for Fast Identity Online, is an open standard and set of specifications that aim to provide secure and user-friendly authentication methods for online services and applications. It is an industry alliance formed by major technology companies, including Google, Microsoft, and others.

FIDO

FIDO, which stands for Fast Identity Online, is an open standard and set of specifications that aim to provide secure and user-friendly authentication methods for online services and applications. It is an industry alliance formed by major technology companies, including Google, Microsoft, and others.

The primary goal of FIDO is to address the limitations and vulnerabilities of traditional password-based authentication systems. It introduces a standardized framework for strong authentication that is both secure and convenient for users. The FIDO specifications enable the use of various authentication methods, such as biometrics (fingerprint, iris scan, face recognition) and hardware-based security keys, for verifying a user’s identity.

The FIDO architecture consists of three main components:

• User Devices: These are the devices used by individuals to authenticate themselves. They can include smartphones, tablets, laptops, or dedicated hardware security keys. User devices securely store private keys and handle the authentication process.
• FIDO Servers: These are the servers responsible for authenticating users based on the FIDO specifications. They interact with the user devices during the authentication process and verify the user’s identity.
• Online Services: These are the applications or services that users want to access. They integrate the FIDO specifications and interact with the FIDO servers to authenticate users securely.

When a user wants to authenticate using FIDO, the process typically involves the following steps:

• Registration: During the initial setup, the user’s device generates a pair of public and private keys. The private key is securely stored on the device, while the public key is registered with the online service.
• Authentication: When the user attempts to access an online service, the service sends a challenge to the user’s device. The device uses the private key to sign the challenge and sends the signed response back to the service
• Verification: The online service verifies the signed response using the previously registered public key. If the verification is successful, the user is granted access to the service.

The advantage of FIDO is that it eliminates the need for users to remember and manage multiple passwords while significantly improving security. Since the private keys are stored securely on the user’s device, even if the service’s database is compromised, the attacker would not have access to the user’s authentication credentials.

FIDO has gained widespread industry support and adoption, with many online services and platforms implementing FIDO-based authentication methods to enhance security and user experience.

FIDO2

FIDO2 is an extension of the FIDO Alliance’s original FIDO specifications, specifically FIDO UAF (Universal Authentication Framework) and FIDO U2F (Universal Second Factor). FIDO2 builds upon these earlier standards to provide even stronger authentication capabilities and broader compatibility.

FIDO2 consists of two main components:

• Web Authentication (WebAuthn): WebAuthn is a web standard developed by the World Wide Web Consortium (W3C) in collaboration with the FIDO Alliance. It allows web applications to integrate FIDO-based authentication directly into web browsers, eliminating the need for browser plugins or additional software.

With WebAuthn, users can leverage FIDO2-compliant devices, such as hardware security keys or built-in biometric sensors, to authenticate themselves to web services. WebAuthn supports various authentication methods, including biometrics, USB/NFC security keys, and platform authenticators (e.g., fingerprint sensors on smartphones).

• Client to Authenticator Protocol (CTAP): CTAP is the protocol used for communication between client devices (e.g., computers, smartphones) and authenticators (e.g., hardware security keys). CTAP allows devices to communicate with authenticators over different interfaces, such as USB, NFC, or Bluetooth.

By combining WebAuthn and CTAP, FIDO2 enables passwordless or strong multi-factor authentication for online services. Users can authenticate themselves using a FIDO2-enabled device, eliminating the reliance on traditional passwords and providing a more secure and user-friendly authentication experience.

The benefits of FIDO2 include:

• Strong Security: FIDO2 leverages public-key cryptography, ensuring secure and tamper-resistant authentication. It protects against common threats such as phishing, replay attacks, and credential theft.
• Passwordless Experience: FIDO2 enables users to authenticate without passwords, reducing the risk associated with weak or reused passwords. Users can simply use their FIDO2 device or biometrics to authenticate.
• Cross-Platform Compatibility: FIDO2 is designed to work across various platforms, including desktops, laptops, mobile devices, and web browsers. This interoperability allows for consistent authentication experiences across different devices and platforms.

FIDO2 has gained significant adoption by major technology companies and platforms, making it easier for developers to implement secure and convenient authentication methods. It represents a significant step forward in improving online security while reducing reliance on passwords.

FIDO Logo: “FIDO® is a registered trademark of FIDO Alliance, Inc.”