Overview[1]#
FIDO is Fast IDentity Online, and the mission of the FIDO Alliance is:
- Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users.
- Operating industry programs to help ensure successful worldwide adoption of the Specifications.
- Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.
Components of FIDO#
FIDO#
FIDO messages that leave the local device are exchanged with the FIDO Server via REST over HTTPS.
FIDO Credential Enrollment#
- The user must first access a FIDO Relying Party application or website and complete a Credential Enrollment process before using FIDO.
- User is prompted to choose an available FIDO Authenticator that matches the FIDO Relying Party’s acceptance policy.
- The user unlocks the FIDO Authenticator, typically through a Presence test (a button on the FIDO Authenticator), a securely entered PIN, a biometric, or another local method.
- the FIDO Authenticator creates a new Public Key/Private Key pair unique for the local device, FIDO Relying Party and user’s account.
- Public Key is sent to the FIDO Relying Party and associated with the user’s account.
- The Private Key and any information about the local authentication method (such as biometric Templates) never leave the local device.
FIDO Authentication#
- Upon a login attempt, the FIDO Server creates a fresh random challenge and sends it to the FIDO Client. The challenge must be unpredictable and accepted only once, so that a captured Digital Signature cannot be replayed.
- The user is prompted to enter his biometrics/PIN (or to perform a Presence test) at the FIDO Authenticator.
- The biometrics or PIN are matched locally by the FIDO Authenticator against the data enrolled for that user; they are never transmitted to the FIDO Server.
- If the match attempt is successful:
- the FIDO Authenticator unlocks the Private Key bound to that FIDO Relying Party and user's account and signs the challenge with it; the FIDO Client sends the resulting Digital Signature to the FIDO Server.
- The FIDO Server verifies the Digital Signature using the Public Key received during Credential Enrollment, and the user is permitted to login.
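The enrollment and authentication steps above, worked through as an added example (not code from this page or from the FIDO Alliance specifications). It is a simplified model of the exchange, not the UAF or WebAuthn wire format: the `Authenticator`, `Server` and `Login` names, the relying party identifiers `example.com` and `examp1e.com`, the account `alice`, and the use of Ed25519 as the authenticator's signature algorithm are all constructed for illustration. `UserPresent` stands in for the local unlock (button press, PIN or biometric match). The signed message binds the relying party identifier to the challenge, the server consumes each challenge before verifying, and the private key never leaves the `Authenticator`.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models a FIDO Authenticator (constructed for this example).
// Private keys are scoped to (relying party, account) and never leave it.
type Authenticator struct {
	keys        map[string]ed25519.PrivateKey
	UserPresent bool // stands in for button press / PIN / biometric match
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]ed25519.PrivateKey{}}
}

func credKey(rpID, account string) string { return rpID + "|" + account }

// signedData binds the relying party identifier to the challenge, so a
// signature produced for one RP is useless when presented to another.
func signedData(rpID string, challenge []byte) []byte {
	rpHash := sha256.Sum256([]byte(rpID))
	return append(rpHash[:], challenge...)
}

// Enroll creates a key pair unique to (rpID, account) and returns only the
// public half, which is all the Relying Party ever receives.
func (a *Authenticator) Enroll(rpID, account string) (ed25519.PublicKey, error) {
	if !a.UserPresent {
		return nil, errors.New("enrollment refused: user presence not confirmed")
	}
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[credKey(rpID, account)] = priv
	return pub, nil
}

// Sign answers a challenge for (rpID, account) once the user has unlocked it.
func (a *Authenticator) Sign(rpID, account string, challenge []byte) ([]byte, error) {
	if !a.UserPresent {
		return nil, errors.New("signing refused: user verification failed")
	}
	priv, ok := a.keys[credKey(rpID, account)]
	if !ok {
		return nil, errors.New("no credential for this relying party and account")
	}
	return ed25519.Sign(priv, signedData(rpID, challenge)), nil
}

// Server models the FIDO Server of one Relying Party (constructed for this example).
type Server struct {
	RPID    string
	creds   map[string]ed25519.PublicKey // enrolled public key per account
	pending map[string][]byte            // outstanding challenge per account
}

func NewServer(rpID string) *Server {
	return &Server{RPID: rpID, creds: map[string]ed25519.PublicKey{}, pending: map[string][]byte{}}
}

// Register associates an enrolled public key with an account.
func (s *Server) Register(account string, pub ed25519.PublicKey) { s.creds[account] = pub }

// NewChallenge issues a fresh 32-byte random challenge and remembers it.
func (s *Server) NewChallenge(account string) ([]byte, error) {
	if _, ok := s.creds[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[account] = c
	return c, nil
}

// Verify checks the signature against the stored public key and the pending
// challenge. The challenge is consumed first, so a replayed signature fails.
func (s *Server) Verify(account string, sig []byte) error {
	c, ok := s.pending[account]
	if !ok {
		return errors.New("no outstanding challenge for account")
	}
	delete(s.pending, account)
	if !ed25519.Verify(s.creds[account], signedData(s.RPID, c), sig) {
		return errors.New("signature does not verify")
	}
	return nil
}

// Login runs one complete authentication. Relaying the challenge and the
// signature between Server and Authenticator is the FIDO Client's role.
func Login(s *Server, a *Authenticator, account string) error {
	c, err := s.NewChallenge(account)
	if err != nil {
		return err
	}
	sig, err := a.Sign(s.RPID, account, c)
	if err != nil {
		return err
	}
	return s.Verify(account, sig)
}

func main() {
	auth, rp := NewAuthenticator(), NewServer("example.com")
	auth.UserPresent = true
	pub, _ := auth.Enroll(rp.RPID, "alice")
	rp.Register("alice", pub)
	fmt.Println("login at example.com:", Login(rp, auth, "alice"))
	phish := NewServer("examp1e.com") // look-alike site: no credential scoped to it
	phish.Register("alice", pub)
	fmt.Println("login at examp1e.com:", Login(phish, auth, "alice"))
	auth.UserPresent = false // key stays locked without the local unlock
	fmt.Println("login without presence:", Login(rp, auth, "alice"))
}
```

Running it shows a successful login at the enrolled relying party, a refusal at the look-alike identifier because the authenticator holds no key scoped to it, and a refusal when the local unlock has not happened. Calling `Verify` twice with the same signature demonstrates why the server must discard a challenge once it has been used.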
More Information#
There might be more information for this subject on one of the following:
- Authentication Protocol
- Best Practices OpenID Connect
- FIDO
- FIDO Alliance
- FIDO Authenticator
- FIDO Client
- FIDO Relying Party
- FIDO Server
- FIDO Standards
- FIDO2
- Fast IDentity Online
- Identity Provider (IDP)
- Microsoft Passport
- Neo-Security Stack
- U2F
- U2F device
- Universal Second Factor
- Web Authentication API
- Web Blog_blogentry_030117_1
- Web Blog_blogentry_150617_1
- WebAuthN
- WebAuthn Attestation
- WebAuthn Attestation Statement Format Identifier
- WebAuthn Extension Identifiers
- Why OpenID Connect
- Yubico
- Yubikey NEO
- [#1] - FIDO® Suite
- based on information obtained 2017-04-04
- [#2] - The latest versions of the FIDO Alliance specifications
- based on information obtained 2018-06-02