Overview[1]#

FIDO is Fast IDentity Online, and the Mission of the FIDO Alliance is to change the nature of online authentication by:

• Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
• Operating industry programs to help ensure successful worldwide adoption of the Specifications.
• Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.

Components of FIDO#

• FIDO Client
• FIDO Authenticator
• FIDO Relying Party
• FIDO Server
• FIDO protocols
• FIDO Standards

FIDO#

FIDO messages outside of the local device are done via REST.

FIDO Credential Enrollment#

• user must first access a FIDO Relying Party Application or website and complete a Credential Enrollment process before using FIDO
• User is prompted to choose an available FIDO Authenticator that matches the FIDO Relying Party’s acceptance policy.
• User unlocks the FIDO Authenticator (Typically a type of Presence test), a button on a FIDO Authenticator, securely–entered PIN or other method.
• the FIDO Authenticator creates a new Public Key/Private Key pair unique for the local device, FIDO Relying Party and user’s account.
• Public Key is sent to the FIDO Relying Party and associated with the user’s account.
• The Private Key and any information about the local authentication method (such as biometric Templates) never leave the local device.

FIDO Authentication#

• Upon a login attempt, FIDO Server creates a random challenge and sends it to the FIDO Client.
• The biometrics and PIN are matched locally by the FIDO Authenticator against the biometrics enrolled for that user; they are never transmitted to the server.
• The user is prompted again to enter his biometrics/PIN.
• If the match attempt is successful:
  • unlocks the Private Key from the FIDO Client keystore. The FIDO Client signs the challenge using the user’s Private Key and sends the Digital Signature to the FIDO Server.
  • The FIDO Server verifies the Digital Signature using the Public Key received during Credential Enrollment, and the user is permitted to login.

More Information#

There might be more information for this subject on one of the following:

• Authentication Protocol
• Best Practices OpenID Connect
• FIDO
• FIDO Authenticator
• FIDO Client
• FIDO Relying Party
• FIDO Server
• FIDO Standards
• FIDO2
• Fast IDentity Online
• Identity Provider (IDP)
• Neo-Security Stack
• U2F
• U2F device
• Universal Second Factor
• Web Authentication API
• Web Blog_blogentry_030117_1
• Web Blog_blogentry_150617_1
• WebAuthn Attestation
• Why OpenID Connect
• Yubico
• Yubikey NEO

---

• [#1] - FIDO® Suite - based on information obtained 2017-04-04
• [#2] - The latest versions of the FIDO Alliance specifications - based on information obtained 2018-06-02-