To activate a FIDO2 credential (e.g., on a security key) users can employ gestures such as the use of PINs, biometrics, or button-pushing. Once the user is authenticated, the specifications enable the authenticator device (which could also be a host computer in its own right) to communicate information about the authentication event to other devices or systems using challenge/response protocols based on Asymmetric Key Cryptography.
Core FIDO2 specifications #
- FIDO Client To Authenticator Protocol (CTAP)
- FIDO Web API (WebAuthN)
- FIDO Attestation: Defines attestation formats used to validate FIDO Authenticators, uses of FIDO 2.0 credentials, and associated user verification methods. FIDO attestation could be mapped as authentication context to federation servers or other conditional/adaptive authentication systems.
FIDO2 and related specifications#FIDO2 also leverages some related specifications:
- Federation Protocol Profiles: These profiles (most still to be developed) will define how particular federation protocols can request and employ FIDO2 authentication and Token Bindings. An OpenID Connect FIDO profile is planned. Other profiles, such as a SAML 2.0 profile, are also possible.
- Token Binding over HTTP
- Token Binding Protocol
This landing page provides links to all FIDO2 specifications as well as the preceding FIDO UAF and U2F specs.
More Information#There might be more information for this subject on one of the following:
- Client To Authenticator Protocol
- FIDO Alliance
- Microsoft Passport
- Web Authentication API
- WebAuthn Attestation
- Windows Hello
- [#1] - FIDO2 Moves Forward with Passwordless Authentication - based on information obtained 2018-06-02-
- [#2] - The latest versions of the FIDO Alliance specifications - based on information obtained 2018-06-02-