Specifications Overview

The FIDO Alliance has two sets of specifications, U2F and UAF.  These specifications are now considered final.  The Alliance is providing support for deployers of the technology by operating the new fido-dev@fidoalliance.org public discussion list.

For the latest revisions will always be available on the specifications download page

The User Experience

FIDO provides two user experiences to address a wide range of use cases and deployment scenarios. FIDO protocols are based on public key cryptography and are strongly resistant to phishing.

Passwordless UX (UAF)

  • User carries client device with UAF stack installed
  • User presents a local biometric or PIN
  • Website can choose whether to retain password

The passwordless FIDO experience is supported by the Universal Authentication Framework (UAF) protocol. In this experience, the user registers their device to the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc. The UAF protocol allows the service to select which mechanisms are presented to the user.

Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms such as fingerprint + PIN. 

Second Factor UX (U2F)

  • User carries U2F device with built-in support in web browsers
  • User presents U2F device
  • Website can simplify password (e.g. - 4 digit pin)

The second factor FIDO experience is supported by the Universal Second Factor (U2F) protocol. This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login. The user logs in with a username and password as before. The service can also prompt the user to present a second factor device at any time it chooses. The strong second factor allows the service to simplify its passwords (e.g. 4–digit PIN) without compromising security.

During registration and authentication, the user presents the second factor by simply pressing a button on a USB device or tapping over NFC. The user can use their FIDO U2F device across all online services that support the protocol leveraging built–in support in web browsers.

How FIDO Works

The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user's client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client's private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user–friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second–factor device or pressing a button.

The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user's device.

FIDO Registration

Registration

Registration:

  1. User is prompted to choose an available FIDO authenticator that matches the online service's acceptance policy.
  2. User unlocks the FIDO authenticator using a fingerprint reader, a button on a second–factor device, securely–entered PIN or other method.
  3. User's device creates a new public/private key pair unique for the local device, online service and user's account.
  4. Public key is sent to the online service and associated with the user's account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.

 

FIDO Login

Login

Login:

  1. Online service challenges the user to login with a previously registered device that matches the service's acceptance policy.
  2. User unlocks the FIDO authenticator using the same method as at Registration time.
  3. Device uses the user's account identifier provided by the service to select the correct key and sign the service's challenge.
  4. Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.

 

What Makes FIDO Different?

The core ideas driving FIDO are (1) ease of use, (2) privacy and security, and (3) standardization. For implementing authentication beyond a password (and perhaps an OTP), companies have traditionally been faced with an entire stack of proprietary clients and protocols.

FIDO changes this by standardizing the client and protocol layers. This ignites a thriving ecosystem of client authentication methods such as biometrics, PINs and second–factors that can be used with a variety of online services in an interoperable manner.

FIDO Standardization

Standardization

 

Online Crypto Protocol Standardization

FIDO standardizes the authentication protocol used between the client and the online service. The protocol is based on standard public key cryptography — the client registers a public key with the online service at initial setup. Later, when authenticating, the service verifies that the client owns the private key by asking it to sign a challenge. The protocol is designed to ensure user privacy and security in the current day state of the internet.

Client Standardization for Local Authentication

FIDO standards define a common interface at the client for the local authentication method that the user exercises. The client can be pre–installed on the operating system or web browser. Different authentication methods such as secure PIN, biometrics (face, voice, iris, fingerprint recognition, etc.) and second–factor devices can be "plugged in" via this standardized interface into the client.

Pluggable Local Auth