FIDO2 Authentication Standard
FIDO2 refers to the combination of the FIDO Alliance’s specification for Client-to-Authenticator Protocols (CTAP) and the World Wide Web Consortium’s (W3C) Web Authentication (WebAuthn) specification, which together enable users to authenticate to online services from both mobile and desktop environments using an on-device or external authenticator.
WebAuthn defines a standard web API that is implemented by web browsers to enable web applications to use FIDO Authentication. Using WebAuthn, web browsers can invoke the CTAP interface to interact with the authenticators that are embedded in or connected to the host.
CTAP implements a standard interface to hardware authenticators embedded into the host device – for example, a fingerprint sensor – or connected to the host via USB, Bluetooth (BLE) or NFC. CTAP includes two sub-specs – CTAP1 and CTAP2. CTAP2 allows the use of external authenticators (FIDO Security Keys, mobile devices) for authentication on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a passwordless, second-factor, or multi-factor authentication experience. CTAP1 enables authentication using existing FIDO U2F devices (such as FIDO Security Keys) on FIDO2-enabled browsers and operating systems over USB, NFC, or BLE for a second-factor experience.
Using WebAuthn and CTAP, FIDO2 supports passwordless, second-factor, and multi-factor user authentication using embedded authenticators (such as biometrics or PINs) or external authenticators (such as FIDO Security Keys, mobile devices, wearables, etc.).
To better understand FIDO2, it is worthwhile explaining FIDO and its other specifications:
FIDO (“Fast IDentity Online”) Alliance is an open industry association launched in February 2013 whose mission is to develop and promote authentication standards that help reduce the world’s over-reliance on passwords. To date, the FIDO Alliance published three sets of specifications in an effort to standardize user authentication:
- FIDO Universal Second Factor (FIDO U2F) provides a standard means for interfacing a second-factor hardware authenticator. This interface is mainly used by Web browsers to allow Web applications to interface with a user’s hardware authenticator. With the release of FIDO2, U2F has been relabeled as CTAP1.
- Client to Authenticator Protocols (CTAP) enables users to authenticate to a Web or native application using an authenticator embedded in the host computer or connected to the host computer. They provide a standardized interface to the authenticator.
- FIDO Universal Authentication Framework (FIDO UAF) defines a framework for users to register their device (i.e. laptop, desktop, mobile) to the online service and select one of the local authentication mechanisms available on the device to authenticate. The online service then selects which locally available authentication mechanism it will accept. For example, users can register their mobile device and select its embedded fingerprint sensor as the means for authenticating to the online service. Other common authentication mechanisms include looking at the camera, speaking into the mic, or entering a PIN. Once registered and accepted by the online service, users can authenticate to the online service using the local authentication action registered instead of using the more traditional username and password options.
FIDO2 is an open authentication standard that consists of the WebAuthn, and the FIDO2 Client to Authentication Protocol using an out-of-band Universal Second Factor (U2F) authentication device or Universal Authentication Factor (UAF)
FIDO is a large consortium that enjoys broad industry support. The current list of supporters can be viewed on the FIDO Alliance site – https://fidoalliance.org/members/
• Universal Authentication Framework (UAF), enabling passwordless authentication via a method local to a user’s device
• Universal Second Factor (U2F), enabling the use of a hardware token or other device as a second factor
• User to Authenticator Protocol (CTAP), enabling a FIDO-enabled device to authenticate a user accessing an application via a WebAuthn-enabled web browser on another device
FIDO2 is the result of the combined efforts of the FIDO alliance and W3C.
The alliance created CTAP protocol as a complementary specification to W3C’s WebAuthn, where the first describes the local device authentication requirements and the latter enables using it for logging into a web service. Together these two specifications standardize web authentication and make it work across many different clients, servers and authentication devices.