About FIDO and 1.0 Final Specifications
What is the significance of the December 9th, 2014 publication of 1.0 final specifications?
From its inception, the FIDO Alliance has stated intentions to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. In less than two years from its inception, the Alliance delivered the final 1.0 specifications on December 9th, 2014 that enable that vision. This is an important milestone on the road to ubiquitous simpler, stronger authentication.
The Alliance has focused on the needs of users who suffer today from having more passwords than they can manage, and of enterprises, who suffer from data breaches and high password support costs. From there, we’ve defined technical standards that make authentication simpler, and stronger. Not only have we published these standards in draft form in early 2014 for review and comment, but we have started to see mass-scale deployments based on those early draft versions of the specifications. With version 1.0 of both UAF and U2F specifications sets now in final form, we are enabling much broader commercialization and deployment of the technology in 2015.
Anyone who has been watching and waiting for the specification development process to complete can now move forward with confidence and deploy stable, interoperable, standards-based FIDO authentication.
What can I do with FIDO technologies right now?
FIDO authentication technologies are deployed in hundreds of millions of devices today with increasing numbers of equipped devices expected through 2015. FIDO authentication is already enabled through early deployments from PayPal, Samsung, Nok Nok Labs, Synaptics, Alipay, Google, PlugUp and Yubico. Anyone with a FIDO authenticator can start authenticating wherever FIDO authentication is supported, such as through the Chrome browser and Google Accounts as announced in October 2014: Strengthening 2-Step Verification with Security Key.
How did the FIDO Alliance get started?
The FIDO Alliance started from a conversation in late 2009, introduced by Ramesh Kesanupalli who was then the CTO at Validity Sensors (a fingerprint sensor manufacturer, since acquired by Synaptics). Kesanupalli asked Michael Barrett, PayPal CISO at the time, if he was interested in fingerprint-enabling paypal.com. Barrett replied that he was, but only if it could be achieved via open standards. As there were no relevant standards that could be used, Kesanupalli then involved Taher Elgamal (the inventor of SSL), and discussions moved from there. The full history of FIDO Alliance is available here.
Who is a part of the FIDO Alliance?
The FIDO Alliance publicly launched early in 2013 with six member companies. Since then the Alliance added an average of 10 companies per month, and today there are more than 150 member companies worldwide — please see the member list here.
Is the FIDO Alliance a non-profit organization? What is the scope?
The FIDO (Fast IDentity Online) Alliance is a 501(c)6 non-profit organization incorporated in mid-2012 to develop standards that address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. To learn
more about the FIDO Alliance governance and structure please refer to the About page and the Membership Details page.
What’s the best way to follow FIDO’s progress?
The FIDO Alliance website provides comprehensive information about the Alliance, its specifications, FIDO Ready™ products, community resources and general progress. You can also sign up to receive updates and invitations to future events, many of which are open to the public. You can also follow @FIDOalliance on Twitter and/or search for Twitter activity using #FIDOnline.
As of December 9th, the Alliance is providing support for deployers of the technology by operating the new email@example.com public discussion list that anyone can subscribe to. For organizations interested in detailed progress and influencing outcomes, the best way to get involved is to join the Alliance.
Why should my company consider joining the FIDO Alliance?
There are significant benefits to member organizations, based on whether they are looking to deploy FIDO authentication, or to produce FIDO compliant software or hardware to enhance authentication for your customers. If your company would like to contribute to the development and adoption of the FIDO standards, please consider joining the alliance.
What’s the process for joining the FIDO Alliance?
Please see the required steps on the FIDO Alliance membership web page.
Why are standards important?
Open industry standards assure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate various devices and services without having to make new investments or reverting to proprietary configurations.
Similar to the development of WiFi, Bluetooth, NFC, and other standards, FIDO is developing a new set of industry protocols. Any device manufacturer, software developer and/or online service provider can build support for FIDO protocols into their existing products and services to make online authentication simpler and stronger for their users. With the goal of standardization, the FIDO ecosystem can grow and scale by means of the “net effect”, where any new implementation of the standards will be able to immediately interoperate with any other implementation without the need for any pre-established arrangement between device developer and service provider.
What’s the difference between U2F and UAF? Why two separate standards?
How can I be sure that the product I’m buying conforms to FIDO standards?
Has FIDO made implementation rights available to anyone?
Is one FIDO token/dongle/device better than another? How can I choose which to buy?
FIDO specifications are device-agnostic and support a full range of authentication technologies, including U2F tokens and biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as PIN or pattern-protected microSD cards. FIDO specifications will also enable existing solutions and communications standards, such as Trusted Platform Module (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). Because FIDO specifications are open, they are designed to be extensible and to accommodate future innovation, as well as protect existing investments.
FIDO specifications allow users a broad range of choice in devices that meet their needs or preferences, as well as those of service providers, online merchants, or enterprises where users must authenticate.
Will the FIDO 1.0 specs enable anyone to begin using the specs to develop and offer FIDO certified products?
What does FIDO Ready mean? And FIDO Certified?
What has changed since the draft release of the specifications in February?
For FIDO U2F, the changes can be summarized as: 1) Switch to USB HID as the transport from WinUSB; 2) Updates to the webAPI syntax; 3) Addition of AppID checking to allow app/URL key sharing.
For FIDO UAF, a high-level summary is: 1) Detail-level evolution and refinement; 2) Addition of Metadata Service specification; 3) Addition of AppID checking to allow app/URL key sharing.
Security and Privacy
How does U2F make a user safer?
How does UAF with a biometric authenticator make a user safer? Could anyone steal my biometric information from a device or online service?
Unlike current password systems which have proven vulnerable to mass-scale attacks and fraud, FIDO UAF authentication credentials are never shared or stored in centralized databases. FIDO credentials are known and maintained only by the user’s own device. There are no secrets stored with the online service provider, only the public keys paired to the user’s device where the private keys are stored, so nothing to harm the user if that service provider is breached (unlike the password situation). Biometics used in FIDO authentication never leave the device.
While it’s not impossible for a determined criminal to steal a FIDO device and hack it to obtain the user’s credentials, consider the challenges to do so, even in a laboratory-controlled environment. A would-be attacker must perform two completely different types of attacks in order to complete a single, not scalable, one-off device spoof. Consider the example of spoofing a fingerprint sensor equipped FIDO device. First, the attacker must obtain a perfectly formed, complete latent print that is also enrolled on the target user’s device. Then, the attacker must gain access to the user’s device, in order to control only that one device. The single spoof, even if accomplished, doesn’t approach the potential harm done by today’s typical mass-scale attack, which can result in harvesting millions and hundreds of millions of users’ credentials. The password ecosystem has afforded attackers with great return on investment with relatively limited risk; the FIDO ecosystem is far more difficult, expensive, and risky for attackers to profit from.
Can’t someone break into my account if they steal my device?
Does FIDO get any of my personal information?
How can I be sure that FIDO technologies are safe? I’ve read so much about hacking, database breaches, and the like.
If I use the same device with multiple websites, can one site know that I use it with another site?
How do you protect against root kits and malware attacks on the embedded fingerprint sensor?
How does FIDO work?
Will FIDO devices work when I don’t have Internet connectivity?
Can I use the same FIDO device with multiple websites? Can I use multiple FIDO devices with the same website?
Yes, you can use multiple websites from one FIDO device. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites.
If a user acquires a new device or wants to use multiple FIDO devices, the user needs only register each of the devices at the sites where he wants to use them. Once a device is registered at a site, it will be recognized whenever the user needs to authenticate at that site. When a user visits a site with a new device that hasn’t been registered, and thus isn’t automatically recognized, the user will be prompted to register the new FIDO device to enable FIDO authentication with the new device at that site.
Would FIDO work for an enterprise/intranet environment?
How does Security Key work on the Chrome browser; describe the steps to make it work.
What is the complete fingerprint enrollment process on a Samsung device?
What are the steps to use the PayPal application from a Galaxy S5 or other Samsung device with a fingerprint sensor?
What do you have to do to enable FIDO authentication on your device?
How do I get started?
Will there be a FIDO Certified logo?
Yes. There will be a recognizable FIDO Certified logo for vendors to include with their web sites, product materials, packaging, etc.
Is there a Trademark License Agreement (TMLA) requirement for logo use?
Use of the FIDO Certified logo will require signing a TMLA. There is a streamlined process for Relying Parties that wish to use the certification logo on their websites, which includes a “clickless” license agreement.
What happens to the FIDO Ready™ logo?
FIDO Ready™ was the testing program put in place before the FIDO 1.0 specifications were finalized, and the program has since been formalized as the FIDO Certified™ program. Products submitted today are tested against the 1.0 specifications, and upon passing, receive the FIDO Certified mark. Thus FIDO Certified testing ensures compliance to FIDO 1.0 specifications, while FIDO Ready testing ensured compliance to draft specifications.
While the FIDO Certified program replaces the FIDO Ready program, products that earned the FIDO Ready mark may continue to use the mark according to the terms of the applicable trademark license agreement. To use the new FIDO Certified mark, the products must be re-tested under the new FIDO Certified program.
How will the certification program evolve in the future?
The FIDO Alliance will be introducing security lab testing and certification for authenticators later this year. Other forms of validation testing may be introduced in the future, depending on the business requirements of online service providers.
How long is a product certified, and is recertification required when protocols change?
A product is certified indefinitely as long as the code base of its FIDO implementation doesn’t change in any substantial way. Certification can only be terminated in rare instances, such as determining that an implementation improperly passed test tools or interoperability events. Certification only applies to a specific specification and implementation class (i.e. “UAF
Authenticator”). If new major version of specifications are released (as determined by the FIDO Certification Working Group) and an implementation would like to claim conformance with
that specification, new certification will be required.
Are there separate submission fees for FIDO UAF testing and FIDO U2F testing?
Yes. Implementations must request certification (and pay the certification fees) for each implementation class they are seeking to certify. For example, if an
implementation certifies for both a FIDO UAF Server and a U2F Server, that implementation must follow the certification process for both (and pay the certification fees for both). The
implementation would ultimately receive two certifications. The primary difference between UAF testing and U2F testing is the different test tools and the different interoperability events.
For those interested in the UAF program, an additional Vendor ID fee of $3000 is required.
What is a Vendor ID and why do I need one for UAF testing?
The UAF authenticator specification defines an AAID field that is half Vendor ID and half Device ID used to uniquely identify each authenticator. The Vendor ID is a unique identifier
assigned by FIDO to each company implementing a UAF authenticator. The other half of the AAID field, the Device ID, is assigned to the authenticator by the implementing company.
Our company just built a new product but we haven’t gotten it certified yet. Can we say that it is FIDO Certified while we are working on achieving our certification?
No. Only products that have passed through FIDO Certification program and have been granted a certification number can claim to be FIDO Certified.
What are the costs associated with certification?
FIDO members can certify an implementation of UAF server, client or authenticator; or U2F server or authenticator for $5,000. Derivatives (implementations that are the same code embedded into a different product) can be registered for $500 each. Nonmember rates are $6,500 for certifications and $750 for derivatives. These fees cover the trademark licensing, interoperability event, test tool usage and support, and documentation processing.
How is the testing done?
Certification is starts with selfassessment of specification conformance through the use of FIDO Alliance provided test tools, followed by interoperability testing with at least 3 test partners at FIDO Alliance proctored test events. At this time, there is no lab aspect to the certification program.
Can you describe the testing process?
There are four major testing steps:
- Conformance selfvalidation; which uses test tools to ensure that an
implementation is conformant to the specification.
- Interoperability testing; where implementers gather to test their implementations together
- Certification registration; where the implementation is submitted to FIDO for certification
- Optional trademark agreement; enabling the FIDO certification mark to be used with a product or service.
What does it mean to “pass”?
The implementation must satisfy two main criteria. That it is conformant to the FIDO specification (to the best of our ability to determine that) and that it is known to interoperate with other implementations. This should provide both businesses and consumers with confidence that a FIDO Certified implementation delivers the FIDO values of stronger, simpler, authentication
What does it mean to “not pass”?
Most likely that an implementation has some bugs to work through before being considered an exemplar of FIDO.
How often do testing events occur?
Interoperability events occur at least every 90 days, but may occur more frequently based on implementer demand.
How does the FIDO Alliance certify derivative products?
Derivative certification was created to streamline the certification process for implementers that have a large volume of certifications that are essentially all based off of the same implementation. In this case, implementers may certify one implementation and the rest may be registered as “derivatives” of that base certification. Derivatives don’t require running test tools or attending interoperability events to achieve certification, but the implementation cannot change in any substantial way from the original certification earned via our test tools and interoperability testing.
Must I certify a product in order to market it?
No. But a product must be certified to claim to be FIDO Certified and use the FIDO Certified logo.
What is the audit process for products in the market?
The FIDO Alliance staff will audit on a monthly basis the usage of FIDO Certified logos and published claims of certification. Auditing of actual implementations will be driven by market feedback.