!!! Overview[1]
[{$pagename}] is [Fast IDentity Online], and the Mission of the [FIDO Alliance|https://fidoalliance.org/|target='_blank'] is to change the nature of online authentication by:

* Developing technical [specifications] that define an open, scalable, interoperable set of mechanisms that reduce the reliance on [passwords] to [authenticate] users.
* Operating industry programs to help ensure successful worldwide adoption of the Specifications.
* Submitting mature technical Specification(s) to recognized standards development organization(s) for formal standardization.

!! Components of [{$pagename}]
* [FIDO Client]
* [FIDO Authenticator]
* [FIDO Relying Party]
* [FIDO Server]
* [FIDO protocols]
* [FIDO Standards]

!! [{$pagename}]
[{$pagename}] [messages] that leave the [local device] are exchanged via [REST].


!! [{$pagename}] [Credential Enrollment]
* The [user] must first access a [FIDO Relying Party] [Application] or [website] and complete a [Credential Enrollment] process before using [FIDO].
* The [User] is prompted to choose an available [FIDO Authenticator] that matches the [FIDO Relying Party]’s acceptance policy.
* The user unlocks the [FIDO Authenticator], typically with a type of [Presence] test: a button on the [FIDO Authenticator], a securely entered [PIN] or another method.
* The [FIDO Authenticator] creates a new [Public Key]/[Private Key] pair unique to the [local device], [FIDO Relying Party] and [user]’s account.
* The [Public Key] is sent to the [FIDO Relying Party] and associated with the [user]’s account.
* The [Private Key] and any information about the local [authentication] method (such as [biometric Templates]) never leave the [local device].

!! [{$pagename}] [Authentication]
* Upon a login attempt, the [FIDO Server] creates a random challenge and sends it to the [FIDO Client].
* The biometrics and PIN are matched locally by the [FIDO Authenticator] against the biometrics enrolled for that user; they are never transmitted to the server.
* The user is prompted again to enter their biometrics/PIN.
* If the match attempt is successful:
** The [Private Key] is unlocked from the [FIDO Client] keystore. The [FIDO Client] signs the challenge using the user’s [Private Key] and sends the [Digital Signature] to the [FIDO Server].
** The [FIDO Server] verifies the [Digital Signature] using the [Public Key] received during [Credential Enrollment], and the user is permitted to log in.
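
The enrollment and authentication steps above, as an added example that is not part of the original page and is not FIDO Alliance code. It assumes ECDSA P-256 with SHA-256, models the FIDO Client and FIDO Authenticator as one hypothetical {{Device}} class, and treats each challenge as single-use; the class names, {{rp.example}} and {{alice}} are constructed.

```javascript
const crypto = require('node:crypto');

// Added illustration: Device models the FIDO Client and FIDO Authenticator together.
class Device {
  #keys = new Map(); // private keys never leave this object
  enroll(rpId, account) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#keys.set(`${rpId}|${account}`, privateKey); // one pair per relying party and account
    return publicKey.export({ type: 'spki', format: 'pem' }); // only the public key is sent
  }
  sign(rpId, account, challenge, localMatchOk) {
    if (!localMatchOk) throw new Error('local PIN/biometric match failed, key stays locked');
    const key = this.#keys.get(`${rpId}|${account}`);
    if (!key) throw new Error('no credential enrolled for this relying party and account');
    return crypto.sign('sha256', challenge, key);
  }
}

// FIDO Server side: stores enrolled public keys, issues challenges, verifies signatures.
class Server {
  constructor() { this.publicKeys = new Map(); this.pending = new Map(); }
  register(account, publicKeyPem) { this.publicKeys.set(account, publicKeyPem); }
  newChallenge(account) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(account, challenge);
    return challenge;
  }
  verifyLogin(account, signature) {
    const challenge = this.pending.get(account);
    this.pending.delete(account); // assumption: a challenge is consumed on first use
    const pem = this.publicKeys.get(account);
    return Boolean(challenge && pem) && crypto.verify('sha256', challenge, pem, signature);
  }
}

function demo() {
  const rpId = 'rp.example', server = new Server(), device = new Device(), stranger = new Device();
  server.register('alice', device.enroll(rpId, 'alice')); // rpId and 'alice' are constructed
  stranger.enroll(rpId, 'alice'); // a different key pair that the server never saw
  const sig = device.sign(rpId, 'alice', server.newChallenge('alice'), true);
  const login = server.verifyLogin('alice', sig);
  const replay = server.verifyLogin('alice', sig); // challenge already consumed
  server.newChallenge('alice');
  const stale = server.verifyLogin('alice', sig); // old signature against a fresh challenge
  const forged = stranger.sign(rpId, 'alice', server.newChallenge('alice'), true);
  const wrongKey = server.verifyLogin('alice', forged);
  return { login, replay, stale, wrongKey };
}
console.log(demo());
```

Only the first verification succeeds: the replayed signature, the signature checked against a new challenge, and the signature from an unregistered key pair are all rejected.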

!! More Information
There might be more information for this subject on one of the following:
[{ReferringPagesPlugin before='*' after='\n' }]
----
* [#1] - [FIDO® Suite|https://www.aware.com/biometrics/fido-suite/|target='_blank'] - based on information obtained 2017-04-04
* [#2] - [The latest versions of the FIDO Alliance specifications|https://fidoalliance.org/download/|target='_blank'] - based on information obtained 2018-06-02