Fast IDentity Online

Overview

The Fast IDentity Online (FIDO) Alliance aims to change the online authentication process, making it both more secure and more user friendly. Specific goals are:

The FIDO authentication protocols are designed to allow robust authentication while providing a superior user experience and protecting user privacy. They incorporate the following principles:

The protocols rely on strong cryptographic techniques to authenticate a user device to online services.

Secrets are stored only on that device and are never exposed to the cloud. This design principle is the cornerstone of the FIDO protocols, Universal Second Factor (U2F) and Universal Authentication Framework (UAF) (described in Sections 3.3.3 and 3.3.4). Both protocols improve security while providing satisfactory usability. U2F strengthens password authentication by adding a requirement for a simple-to-use token, the presence of which constitutes a second Authentication Factor. UAF can eliminate the password requirement by using biometrics or another Authentication Factor to authenticate the user to the local device. That same authenticator can be used across multiple online services.

The FIDO specifications also include several requirements that put user friendliness in focus without jeopardizing user privacy. Unique site-specific credentials authenticate each user to each individual website, which prevents a user from being tracked across online services. The architecture is designed so that the user's passwords, biometrics and Private Keys are kept securely on the user's local device.
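
The two principles above (secrets stay on the device, and each site gets its own credential) can be seen in a small model. This is an added example, not code from the FIDO specifications: the `Authenticator` and `RelyingParty` classes, the message layout (origin followed by challenge) and the `.example` origins are assumptions made for illustration and do not follow the U2F or UAF wire formats.

```javascript
// Added illustration: a simplified model, NOT the U2F/UAF wire format.
const { generateKeyPairSync, randomBytes, sign, verify } = require('node:crypto');

// Hypothetical authenticator: private keys live only inside this object (the "device").
class Authenticator {
  #keys = new Map(); // origin -> private key, never exported

  // Registration: mint a fresh key pair for this origin and release only the public key.
  register(origin) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.#keys.set(origin, privateKey);
    return publicKey.export({ type: 'spki', format: 'pem' });
  }

  // Authentication: sign the server challenge together with the origin the client sees.
  signChallenge(origin, challenge) {
    const key = this.#keys.get(origin);
    if (!key) return null; // no credential for this origin, so nothing is signed
    return sign('sha256', Buffer.concat([Buffer.from(origin), challenge]), key);
  }
}

// Hypothetical relying party: stores only the public key received at registration.
class RelyingParty {
  constructor(origin) { this.origin = origin; this.publicKeyPem = null; this.challenge = null; }
  enroll(publicKeyPem) { this.publicKeyPem = publicKeyPem; }
  newChallenge() { return (this.challenge = randomBytes(32)); }
  check(signature) {
    if (!signature || !this.challenge) return false;
    const data = Buffer.concat([Buffer.from(this.origin), this.challenge]);
    this.challenge = null; // a challenge is accepted once only
    return verify('sha256', data, this.publicKeyPem, signature);
  }
}

// Constructed scenario: one device enrolled at two unrelated sites.
function demo() {
  const device = new Authenticator();
  const bank = new RelyingParty('https://bank.example');
  const shop = new RelyingParty('https://shop.example');
  bank.enroll(device.register(bank.origin));
  shop.enroll(device.register(shop.origin));
  const ok = bank.check(device.signChallenge(bank.origin, bank.newChallenge()));
  // A look-alike origin has no credential on the device, so no signature exists to relay.
  const lookAlike = bank.check(device.signChallenge('https://bank-login.example', bank.newChallenge()));
  // A signature produced with the shop credential does not verify at the bank.
  const crossSite = bank.check(device.signChallenge(shop.origin, bank.newChallenge()));
  return { ok, lookAlike, crossSite, unlinkable: bank.publicKeyPem !== shop.publicKeyPem };
}
```

Each site holds a different public key for the same device, so the two registrations cannot be correlated by key, and a server-side breach exposes no secret that can be replayed.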
