- Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
- Operating industry programs to help ensure successful worldwide adoption of the Specifications.
- Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.
Components of FIDO
FIDO messages outside of the local device are exchanged via REST.
- The user must first access a FIDO Relying Party application or website and complete a Credential Enrollment process before using FIDO.
- The user is prompted to choose an available FIDO Authenticator that matches the FIDO Relying Party's acceptance policy.
- The user unlocks the FIDO Authenticator (typically a Presence test, such as a button on the FIDO Authenticator, a securely-entered PIN, or another method).
- The FIDO Authenticator creates a new Public Key/Private Key pair that is unique to the local device, the FIDO Relying Party and the user's account.
- The Public Key is sent to the FIDO Relying Party and associated with the user's account.
- The Private Key and any information about the local authentication method (such as biometric Templates) never leave the local device.
- Upon a login attempt, the FIDO Server creates a random challenge and sends it to the FIDO Client.
- The biometrics and PIN are matched locally by the FIDO Authenticator against the biometrics enrolled for that user; they are never transmitted to the server.
- The user is prompted again to enter their biometrics/PIN.
- If the match attempt is successful:
- The FIDO Client unlocks the Private Key from its keystore, signs the challenge using the user's Private Key and sends the Digital Signature to the FIDO Server.
- The FIDO Server verifies the Digital Signature using the Public Key received during Credential Enrollment, and the user is permitted to log in.
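The enrollment and challenge/response steps above as a small Go model, added here as an illustration (not code from this page or from any FIDO implementation): the Authenticator generates a P-256 key pair and hands out only the public half, signs the server's random challenge after local user verification, and the Relying Party verifies with the stored Public Key and discards the challenge after a single use. Type and method names are assumptions made for this example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator side: the private key is generated here and never leaves.
type Authenticator struct{ priv *ecdsa.PrivateKey }
// Enroll creates the key pair for this RP and account; only the public half is returned.
func (a *Authenticator) Enroll() (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.priv = priv
	return &priv.PublicKey, nil
}
// Sign is called only after the local presence/PIN/biometric check passed.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}
// RelyingParty (FIDO Server side) keeps the enrolled public key and one open challenge.
type RelyingParty struct {
	pub       *ecdsa.PublicKey // set at Credential Enrollment
	challenge []byte           // set per login attempt, cleared by Verify
}
// NewChallenge issues 32 fresh random bytes for one login attempt.
func (rp *RelyingParty) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	rp.challenge = c
	return c, nil
}

// Verify checks the signature with the enrolled key; the challenge is cleared on every attempt, so a captured signature cannot be replayed.
func (rp *RelyingParty) Verify(sig []byte) bool {
	c := rp.challenge
	rp.challenge = nil
	if rp.pub == nil || c == nil {
		return false
	}
	digest := sha256.Sum256(c)
	return ecdsa.VerifyASN1(rp.pub, digest[:], sig)
}
```

Real FIDO signatures cover more than the bare challenge (client data, the Relying Party identity and a signature counter); that part is left out of this model.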
More Information
There might be more information for this subject on one of the following:
- Authentication Protocol
- Best Practices OpenID Connect
- Client To Authenticator Protocol
- FIDO Authenticator
- FIDO Client
- FIDO Relying Party
- FIDO Server
- FIDO Standards
- Fast IDentity Online
- Identity Provider (IDP)
- Neo-Security Stack
- U2F device
- Universal Second Factor
- W3C WebAuthn
- Web Blog_blogentry_030117_1
- Web Blog_blogentry_150617_1
- Why OpenID Connect
- Yubikey NEO