FAQ

About FIDO and 1.0 Final Specifications

What is the significance of the December 9th, 2014 publication of 1.0 final specifications?

From its inception, the FIDO Alliance has stated its intention to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. Less than two years later, on December 9th, 2014, the Alliance delivered the final 1.0 specifications that enable that vision. This is an important milestone on the road to ubiquitous simpler, stronger authentication.

The Alliance has focused on the needs of users, who suffer today from having more passwords than they can manage, and of enterprises, who suffer from data breaches and high password support costs. From there, we have defined technical standards that make authentication simpler and stronger. Not only did we publish these standards in draft form in early 2014 for review and comment, but we have already seen mass-scale deployments based on those early draft versions. With version 1.0 of both the UAF and U2F specification sets now in final form, we are enabling much broader commercialization and deployment of the technology in 2015.

Anyone who has been watching and waiting for the specification development process to complete can now move forward with confidence and deploy stable, interoperable, standards-based FIDO authentication.

What can I do with FIDO technologies right now?

FIDO authentication technologies are deployed in hundreds of millions of devices today with increasing numbers of equipped devices expected through 2015. FIDO authentication is already enabled through early deployments from PayPal, Samsung, Nok Nok Labs, Synaptics, Alipay, Google, PlugUp and Yubico. Anyone with a FIDO authenticator can start authenticating wherever FIDO authentication is supported, such as through the Chrome browser and Google Accounts as announced in October 2014: Strengthening 2-Step Verification with Security Key.

How did the FIDO Alliance get started?

The FIDO Alliance started from a conversation in late 2009, introduced by Ramesh Kesanupalli who was then the CTO at Validity Sensors (a fingerprint sensor manufacturer, since acquired by Synaptics). Kesanupalli asked Michael Barrett, PayPal CISO at the time, if he was interested in fingerprint-enabling paypal.com. Barrett replied that he was, but only if it could be achieved via open standards. As there were no relevant standards that could be used, Kesanupalli then involved Taher Elgamal (the inventor of SSL), and discussions moved from there. The full history of FIDO Alliance is available here.

Who is a part of the FIDO Alliance?

The FIDO Alliance publicly launched early in 2013 with six member companies. Since then the Alliance added an average of 10 companies per month, and today there are more than 150 member companies worldwide — please see the member list here.

Is the FIDO Alliance a non-profit organization? What is the scope?

The FIDO (Fast IDentity Online) Alliance is a 501(c)6 non-profit organization incorporated in mid-2012 to develop standards that address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. To learn more about the FIDO Alliance governance and structure please refer to the About page and the Membership Details page.

What’s the best way to follow FIDO’s progress?

The FIDO Alliance website provides comprehensive information about the Alliance, its specifications, FIDO Ready™ products, community resources and general progress. You can also sign up to receive updates and invitations to future events, many of which are open to the public. You can also follow @FIDOalliance on Twitter and/or search for Twitter activity using #FIDOnline.

As of December 9th, the Alliance is providing support for deployers of the technology by operating the new fido-dev@fidoalliance.org public discussion list that anyone can subscribe to. For organizations interested in detailed progress and influencing outcomes, the best way to get involved is to join the Alliance.

Why should my company consider joining the FIDO Alliance?

There are significant benefits to member organizations, whether they are looking to deploy FIDO authentication or to produce FIDO-compliant software or hardware that enhances authentication for their customers. If your company would like to contribute to the development and adoption of the FIDO standards, please consider joining the Alliance.

What’s the process for joining the FIDO Alliance?

Please see the required steps on the FIDO Alliance membership web page.

Standards

Why are standards important?

Open industry standards ensure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate a variety of devices and services without making new investments or reverting to proprietary configurations.

Similar to the development of WiFi, Bluetooth, NFC, and other standards, FIDO is developing a new set of industry protocols. Any device manufacturer, software developer or online service provider can build support for FIDO protocols into their existing products and services to make online authentication simpler and stronger for their users. With standardization, the FIDO ecosystem can grow and scale through the network effect: any new implementation of the standards can immediately interoperate with any other implementation without any pre-established arrangement between device developer and service provider.

What’s the difference between U2F and UAF? Why two separate standards?

U2F (Universal 2nd Factor) is a FIDO protocol that strengthens password authentication by adding a physical token. UAF (Universal Authentication Framework) is a FIDO protocol that provides strong authentication without passwords, by using biometrics and other modalities to authenticate users to their local device, then enabling the device to authenticate to the online services (biometrics, if used, never leave the device). The two standards have evolved in parallel and share basic FIDO principles such as user privacy protection and standard public key cryptography. In future versions, we expect the two standards to further evolve and harmonize.

How can I be sure that the product I’m buying conforms to FIDO standards?

The FIDO Alliance Certification Working Group is responsible for testing products for conformance to FIDO specifications and interoperability between those implementations. We already have an interoperability program known as FIDO Ready™ and in early 2015 that program will add formal conformance testing for FIDO products implementing the final 1.0 specifications.

Has FIDO made implementation rights available to anyone?

FIDO Alliance members have all committed to the promise contained within our Membership Agreement to not assert their patents against any other member implementation of FIDO 1.0 final specifications (referred to as “Proposed Standard” in our Membership Agreement). Anyone interested in deploying a FIDO compliant solution can do so without joining the Alliance if they use FIDO Ready™ products to enable that deployment.

Is one FIDO token/dongle/device better than another? How can I choose which to buy?

FIDO specifications are device-agnostic and support a full range of authentication technologies, including U2F tokens and biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as PIN or pattern-protected microSD cards. FIDO specifications will also enable existing solutions and communications standards, such as Trusted Platform Module (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). Because FIDO specifications are open, they are designed to be extensible and to accommodate future innovation, as well as protect existing investments.

FIDO specifications allow users a broad range of choice in devices that meet their needs or preferences, as well as those of service providers, online merchants, or enterprises where users must authenticate.

Will the FIDO 1.0 specs enable anyone to begin using the specs to develop and offer FIDO certified products?

FIDO 1.0 specs are public and available for anyone to read and analyze. But only FIDO Alliance Members benefit from “the promise” to not assert patent rights against other members’ implementations (see the FIDO Alliance Membership Agreement for details). Anyone may join the FIDO Alliance; we encourage even very small companies with a very low cost to join at the entry level. Members at all levels not only benefit from the mutual non-assert protection, but also participate with FIDO Alliance members, activities and developments; Associates have more limited participation benefits. All are invited to join the FIDO Alliance and participate.

What does FIDO Ready mean? And FIDO Certified?

FIDO Ready™ is an interoperability testing and trademark program that was put in place in February 2014. A number of products have been tested and qualified as being FIDO Ready. FIDO Alliance is currently working on a FIDO Certified program that will include interoperability and conformance testing in early 2015, and will be adding optional security certification for authenticators thereafter.

What has changed since the draft release of the specifications in February?

For FIDO U2F, the changes can be summarized as: 1) Switch of the USB transport from WinUSB to USB HID; 2) Updates to the web API syntax; 3) Addition of AppID checking to allow app/URL key sharing.

For FIDO UAF, a high-level summary is: 1) Detail-level evolution and refinement; 2) Addition of Metadata Service specification; 3) Addition of AppID checking to allow app/URL key sharing.

Security and Privacy

How does U2F make a user safer?

U2F strengthens the authentication process by adding a second factor to the username and password (something you know): the user is prompted to insert and touch their personal U2F device (something you have). An attacker would need both the user’s password and physical possession of the U2F device to compromise an account or application login. Because the device signs the origin (AppID) the browser reports along with the server’s challenge, a response obtained by a look-alike phishing site is not valid for the real site, either.

How does UAF with a biometric authenticator make a user safer? Could anyone steal my biometric information from a device or online service?

Unlike current password systems, which have proven vulnerable to mass-scale attacks and fraud, FIDO UAF authentication credentials are never shared or stored in centralized databases. FIDO credentials are known and maintained only by the user’s own device. The online service provider stores no secrets, only the public key of a key pair whose private key stays on the user’s device, so a breach of the provider gives an attacker nothing that can be used to impersonate the user (unlike the password situation). Biometrics used in FIDO authentication never leave the device.

While it is not impossible for a determined criminal to steal a FIDO device and attack it to obtain the user’s credentials, consider what that takes, even in a laboratory-controlled environment. A would-be attacker must carry out two completely different kinds of attack to complete a single, non-scalable, one-off device spoof. Take the example of spoofing a fingerprint-sensor-equipped FIDO device. First, the attacker must obtain a perfectly formed, complete latent print of a finger that is enrolled on the target user’s device. Then, the attacker must gain physical access to the user’s device, and the result controls only that one device. A single spoof, even if accomplished, does not approach the harm done by today’s typical mass-scale attack, which can harvest millions or hundreds of millions of users’ credentials. The password ecosystem has afforded attackers a great return on investment at relatively limited risk; the FIDO ecosystem is far more difficult, expensive, and risky for attackers to profit from.

Can’t someone break into my account if they steal my device?

No. To break into an account, the criminal would need not only the device that was registered as a FIDO Authenticator to the account, but also the ability to defeat the user verification that protects the private keys (for U2F, the username and password that the token supplements; for UAF, the biometric or other local challenge the Authenticator requires). This makes breaking into a FIDO-enabled account extremely difficult. In addition, all current deployments (and, we recommend, all future ones) let users report a lost or stolen device and have its FIDO Authenticator removed from their account.

Does FIDO get any of my personal information?

No. The FIDO Alliance only specifies standards for strong authentication and tests implementations for compliance to those standards; the Alliance does not provide services or equip devices or sites. Device manufacturers, online service providers, enterprises and developers use the FIDO specifications to build products, provide services, and enable sites and browsers with FIDO authentication. Under FIDO specifications, the user’s credentials must remain on the user’s device, and they are never shared with a provider or service.

How can I be sure that FIDO technologies are safe? I’ve read so much about hacking, database breaches, and the like.

FIDO authentication is designed to protect users against many of today’s cyber-attacks and vulnerabilities. The FIDO model is based on the premise that user credentials never leave the user’s device. In addition to providing privacy for the user, this model also eliminates scalable cyber-attacks targeting user credentials. With FIDO, there is no centralized database of user credentials that can be breached.

If I use the same device with multiple websites, can one site know that I use it with another site?

No, this type of information exchange is prevented with FIDO. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites. FIDO does not introduce any new tracking mechanism that could be used to correlate user activity online.

How do you protect against root kits and malware attacks on the embedded fingerprint sensor?

A variety of hardware and software security technologies, such as a Trusted Execution Environment (TEE) or a Secure Element, can be used on mobile devices to protect the fingerprint sensor and the keys it unlocks against malware and rootkits.

How does FIDO work?

Will FIDO devices work when I don’t have Internet connectivity?

The purpose of the FIDO model is to provide a secure and simple authentication experience for online services. Authentication involves a user with a device connecting to a service over a network, so a service cannot be authenticated to while it is unreachable. The authenticator itself needs no Internet connection of its own; it only talks to the client (browser or app) on the user’s device.

Can I use the same FIDO device with multiple websites? Can I use multiple FIDO devices with the same website?

Yes, you can use one FIDO device with multiple websites. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user’s interactions with other sites.

If a user acquires a new device or wants to use several FIDO devices, the user only needs to register each device at the sites where they want to use it. Once a device is registered at a site, it is recognized whenever the user authenticates there. When a user visits a site with a device that has not been registered, and so is not recognized, the site prompts the user to register the new FIDO device before FIDO authentication can be used with it.
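The behaviour the answers above describe (the service stores only public keys, one key pair per device/site pairing, the AppID check, and a signed response that is useless anywhere else or a second time) can be exercised end to end. The Go program below is an added illustration written for this page; it is not FIDO Alliance code and does not implement the real U2F or UAF wire formats (no key handles, attestation certificates or client data). The hostnames, the single user and the exact layout of the signed data are constructed for the example; the counter, the AppID binding and public-key-only storage mirror the design the answers describe.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator models one FIDO device: one P-256 private key per AppID
// (relying party) plus a signature counter. Private keys never leave it.
type Authenticator struct {
	keys    map[string]*ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
}

// Register mints a fresh key pair bound to appID and returns only the public half.
func (a *Authenticator) Register(appID string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	a.keys[appID] = priv
	return &priv.PublicKey
}

// signedData binds a signature to one relying party (hash of its AppID), the
// counter and the challenge, so it cannot be replayed at another site.
func signedData(appID string, challenge []byte, counter uint32) []byte {
	appHash := sha256.Sum256([]byte(appID))
	ctr := []byte{byte(counter >> 24), byte(counter >> 16), byte(counter >> 8), byte(counter)}
	sum := sha256.Sum256(append(append(appHash[:], ctr...), challenge...))
	return sum[:]
}

// Authenticate signs a challenge for appID. origin is what the browser really
// saw; a mismatch (a look-alike phishing page) fails the AppID check.
func (a *Authenticator) Authenticate(appID, origin string, challenge []byte) (uint32, []byte, error) {
	priv, ok := a.keys[appID]
	if origin != appID || !ok {
		return 0, nil, fmt.Errorf("refusing to sign for origin %q (AppID %q, registered=%v)", origin, appID, ok)
	}
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(appID, challenge, a.counter))
	return a.counter, sig, err
}

// RelyingParty keeps only public keys and the last counter seen per key; a breach leaks no secret.
type RelyingParty struct {
	AppID string
	regs  map[*ecdsa.PublicKey]uint32
}

func NewRelyingParty(appID string) *RelyingParty {
	return &RelyingParty{AppID: appID, regs: map[*ecdsa.PublicKey]uint32{}}
}

// RegisterKey stores a public key for the (single, example) user and hands it back.
func (rp *RelyingParty) RegisterKey(pub *ecdsa.PublicKey) *ecdsa.PublicKey { rp.regs[pub] = 0; return pub }

// Verify accepts the response if a registered key verifies it and the counter
// moved forward; a stale counter means a replay or a cloned authenticator.
func (rp *RelyingParty) Verify(challenge []byte, counter uint32, sig []byte) bool {
	data := signedData(rp.AppID, challenge, counter)
	for pub, last := range rp.regs {
		if counter > last && ecdsa.VerifyASN1(pub, data, sig) {
			rp.regs[pub] = counter
			return true
		}
	}
	return false
}

// RunScenario: one user, one device, two sites (hostnames are constructed).
func RunScenario() (oneDeviceTwoSites, keysUnlinkable, phishingRefused, replayRejected bool) {
	phone := NewAuthenticator()
	bank, mail := NewRelyingParty("https://bank.example"), NewRelyingParty("https://mail.example")
	pubBank := bank.RegisterKey(phone.Register(bank.AppID))
	pubMail := mail.RegisterKey(phone.Register(mail.AppID))
	keysUnlinkable = !pubBank.Equal(pubMail) // per-site keys share nothing
	var nonce [64]byte                       // two 32-byte challenges, one per login
	if _, err := rand.Read(nonce[:]); err != nil {
		panic(err)
	}
	c1, c2 := nonce[:32], nonce[32:]
	n1, s1, err1 := phone.Authenticate(bank.AppID, bank.AppID, c1)
	n2, s2, err2 := phone.Authenticate(mail.AppID, mail.AppID, c2)
	oneDeviceTwoSites = err1 == nil && err2 == nil && bank.Verify(c1, n1, s1) && mail.Verify(c2, n2, s2)
	_, _, errPhish := phone.Authenticate(bank.AppID, "https://bank-example.attacker", c1)
	phishingRefused = errPhish != nil
	replayRejected = !bank.Verify(c1, n1, s1) // the same response presented again
	return
}

func main() { fmt.Println(RunScenario()) }
```

A second device on the same account is just another RegisterKey call at that site, which is why the relying party keeps a table of keys rather than one key per user; Verify then tries each registered key. The per-key counter is what lets the site notice a cloned or replayed authenticator, and the hash of the AppID inside the signed data is what keeps a response signed for one site from verifying at another, even if both sites held the same public key.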

Would FIDO work for an enterprise/intranet environment?

Yes, FIDO authentication can be deployed in an enterprise environment. It provides enterprises with significant benefits such as reduced cost of strong authentication deployment and support.

How does Security Key work on the Chrome browser; describe the steps to make it work.

Please see instructions here.

What is the complete fingerprint enrollment process on a Samsung device?

For Samsung Galaxy S5, please see this process.

What are the steps to use the PayPal application from a Galaxy S5 or other Samsung device with a fingerprint sensor?

Please see instructions here.

What do you have to do to enable FIDO authentication on your device?

Generally, you would have to follow instructions given by your online service provider. Please see examples of FIDO U2F instructions and FIDO UAF instructions.

Certification

How do I get started?

Start by making sure your implementation passes the conformance tests (registration required). After you have validated your implementation, register for an interoperability event and you are on your way to certifying your product.

Will there be a FIDO Certified logo?

Yes. There will be a recognizable FIDO Certified logo for vendors to include with their web sites, product materials, packaging, etc.

Is there a Trademark License Agreement (TMLA) requirement for logo use?

Use of the FIDO Certified logo will require signing a TMLA. There is a streamlined process for Relying Parties that wish to use the certification logo on their websites, which includes a “clickless” license agreement.

What happens to the FIDO Ready™ logo?

FIDO Ready™ was the testing program put in place before the FIDO 1.0 specifications were finalized, and the program has since been formalized as the FIDO Certified™ program. Products submitted today are tested against the 1.0 specifications, and upon passing, receive the FIDO Certified mark. Thus FIDO Certified testing ensures compliance to FIDO 1.0 specifications, while FIDO Ready testing ensured compliance to draft specifications.

While the FIDO Certified program replaces the FIDO Ready program, products that earned the FIDO Ready mark may continue to use the mark according to the terms of the applicable trademark license agreement. To use the new FIDO Certified mark, the products must be re-tested under the new FIDO Certified program.

How will the certification program evolve in the future?

The FIDO Alliance will be introducing security lab testing and certification for authenticators later this year. Other forms of validation testing may be introduced in the future, depending on the business requirements of online service providers.

How long is a product certified, and is recertification required when protocols change?

A product is certified indefinitely as long as the code base of its FIDO implementation does not change in any substantial way. Certification can be terminated only in rare instances, such as a determination that an implementation improperly passed the test tools or interoperability events. Certification applies only to a specific specification and implementation class (e.g. “UAF Authenticator”). If a new major version of a specification is released (as determined by the FIDO Certification Working Group) and an implementation wants to claim conformance with that specification, new certification is required.

Are there separate submission fees for FIDO UAF testing and FIDO U2F testing?

Yes. Implementations must request certification (and pay the certification fees) for each implementation class they seek to certify. For example, an implementation that certifies as both a FIDO UAF Server and a U2F Server must follow the certification process for both (and pay both fees), and ultimately receives two certifications. The main differences between UAF testing and U2F testing are the test tools and the interoperability events.

For those interested in the UAF program, an additional Vendor ID fee of $3000 is required.

What is a Vendor ID and why do I need one for UAF testing?

The UAF authenticator specification defines an AAID (Authenticator Attestation ID) field that uniquely identifies each authenticator model. It is made of two halves: a Vendor ID, assigned by FIDO to each company implementing a UAF authenticator, and a Device ID, assigned to the authenticator by the implementing company. The specification writes the AAID as four hexadecimal digits of vendor code, a “#” separator, and four hexadecimal digits of model code (the “V#M” form; the model code is what this FAQ calls the Device ID).

Our company just built a new product but we haven’t gotten it certified yet. Can we say that it is FIDO Certified while we are working on achieving our certification?

No. Only products that have passed through FIDO Certification program and have been granted a certification number can claim to be FIDO Certified.

What are the costs associated with certification?

FIDO members can certify an implementation of a UAF server, client or authenticator, or a U2F server or authenticator, for $5,000. Derivatives (implementations that embed the same code in a different product) can be registered for $500 each. Non-member rates are $6,500 for certifications and $750 for derivatives. These fees cover trademark licensing, the interoperability event, test tool usage and support, and documentation processing.

How is the testing done?

Certification starts with self-assessment of specification conformance using FIDO Alliance-provided test tools, followed by interoperability testing with at least 3 test partners at FIDO Alliance-proctored test events. At this time, there is no lab aspect to the certification program.

Can you describe the testing process?

There are four major testing steps:

  1. Conformance self-validation, which uses test tools to ensure that an implementation is conformant to the specification.
  2. Interoperability testing, where implementers gather to test their implementations together.
  3. Certification registration, where the implementation is submitted to FIDO for certification.
  4. Optional trademark agreement, enabling the FIDO Certified mark to be used with a product or service.

What does it mean to “pass”?

The implementation must satisfy two main criteria: that it is conformant to the FIDO specification (to the best of our ability to determine that) and that it is known to interoperate with other implementations. This should give both businesses and consumers confidence that a FIDO Certified implementation delivers the FIDO values of stronger, simpler authentication.

What does it mean to “not pass”?

Most likely that an implementation has some bugs to work through before being considered an exemplar of FIDO.

How often do testing events occur?

Interoperability events occur at least every 90 days, but may occur more frequently based on implementer demand.

How does the FIDO Alliance certify derivative products?

Derivative certification was created to streamline the certification process for implementers that have a large volume of certifications that are essentially all based off of the same implementation. In this case, implementers may certify one implementation and the rest may be registered as “derivatives” of that base certification. Derivatives don’t require running test tools or attending interoperability events to achieve certification, but the implementation cannot change in any substantial way from the original certification earned via our test tools and interoperability testing.

Must I certify a product in order to market it?

No. But a product must be certified to claim to be FIDO Certified and use the FIDO Certified logo.

What is the audit process for products in the market?

The FIDO Alliance staff will audit on a monthly basis the usage of FIDO Certified logos and published claims of certification. Auditing of actual implementations will be driven by market feedback.
