Fast Identity Online (FIDO) Authentication is a set of open technical specifications that define user authentication mechanisms that reduce the reliance on passwords. To date, the FIDO Alliance has published three sets of specifications (UAF, U2F and CTAP, listed at the end of this page).
FIDO protocols are designed from the ground up to protect user privacy. A separate key pair is created for every service a user registers with, so the protocols disclose no data that different online services could use to collaborate and track a user across services. Other sensitive data such as biometric templates and PINs never leave the user’s device, so they cannot be intercepted or compromised by an attacker.
To authenticate a user, an application (the relying party) uses FIDO-specified client-side APIs to interact with the user’s registered authenticator. For web applications, the relying party’s code running in the browser calls the WebAuthn API implemented by the browser, which in turn uses FIDO CTAP to communicate with the authenticator.
To authenticate a user, the relying party sends a fresh, unpredictable cryptographic challenge to the registered authenticator, which signs it with the private key registered for that account. The relying party verifies the signature with the stored public key; a valid signature proves that the device holds the registered private key, and because each challenge is used only once, a captured response cannot be replayed.
“Under the hood” FIDO uses asymmetric (public-key) cryptography so that the private key and all other sensitive secrets remain on the client device at all times; only the public key (at registration) and signatures (at authentication) are transmitted to the authenticating service.
How does FIDO authentication work?
FIDO authentication requires an initial registration step. Where the user’s device supports multiple forms of authentication (e.g. fingerprint scanner, voiceprint recorder, face recognition), the user is asked to choose a FIDO-compliant authenticator from the options available on the device that matches the authenticating app’s acceptance policy. The user then unlocks the FIDO authenticator using whatever mechanism is built into it, for example by providing a fingerprint, pressing a button on a second-factor device, or entering a PIN.
Once the authenticator is unlocked, the user’s device creates a new and unique public/private key pair for that service and account. The public key (together with an identifier for the new credential) is sent to the online service and associated with the user’s account. The private key and all other sensitive data related to the chosen authentication method, for example biometric templates, remain on the local device and never leave it.
Authentication requires the client device to prove possession of the private key to the authenticating service by correctly responding to a cryptographic challenge. The private key can only be used after the user has unlocked the registered authenticator, for example by swiping a finger on the fingerprint sensor, entering a PIN, speaking into a microphone, inserting a second-factor device, or pressing a button. The device uses the credential identifier supplied by the service (or, for discoverable credentials, the service’s identity) to select the correct private key and cryptographically signs the service’s challenge. The signed challenge is sent back to the service, which verifies it with the stored public key and logs the user in.
The FIDO Alliance is a large industry consortium that enjoys broad industry support. The current list of members can be viewed on the FIDO Alliance site – https://fidoalliance.org/members/
A U2F device is a hardware authenticator that connects to the host computing device via a USB or NFC interface and acts as a second factor of authentication to online services.
“FIDO ledger” is a misnomer. Ledger is a company that manufactures hardware wallets for cryptocurrencies, which also support FIDO standards for authentication.
The UAF protocol is designed to enable online services to offer passwordless and multi-factor security: the user registers their device with the online service and then authenticates using a local mechanism such as swiping a finger, looking at the camera, speaking into the microphone, or entering a PIN.
The U2F protocol is designed to enable online services to augment their traditional password-based authentication with a second factor that is presented via a USB device or NFC interface.
In FIDO UAF, the Authenticator-Specific Module (ASM) is a software abstraction layer (middleware of sorts) that decouples FIDO UAF Clients from the underlying hardware and provides a standard interface to the authenticators available on the device (e.g. a fingerprint sensor).
• Universal Authentication Framework (UAF), enabling passwordless authentication via a method local to a user’s device
• Universal Second Factor (U2F), enabling the use of a hardware token or other device as a second factor
• Client to Authenticator Protocol (CTAP), enabling a FIDO-enabled device (such as a security key or a phone) to authenticate a user accessing an application via a WebAuthn-enabled web browser, including a browser on another device