The FIDO Alliance currently has three sets of specifications for simpler, stronger authentication: Universal Second Factor (U2F), Universal Authentication Framework (UAF) and Client to Authenticator Protocol (CTAP).
In addition, W3C’s Web Authentication (WebAuthn) specification defines a standard web API that can be built into browsers and related web platform infrastructures to enable support for FIDO Authentication. WebAuthn is a core component of the FIDO2 Project along with CTAP, which enables external devices such as mobile handsets or FIDO Security Keys to serve as authenticators to desktop applications and web services using WebAuthn.
The Alliance is providing support for deployers of the technology through the [email protected] public discussion list.
The latest revisions will always be available on the specifications download page.
The User Experience
FIDO provides two user experiences to address a wide range of use cases and deployment scenarios. FIDO protocols are based on public key cryptography and are strongly resistant to phishing.
Passwordless UX (UAF)
- User carries client device with UAF stack installed
- User presents a local biometric or PIN
- Website can choose whether to retain password
The passwordless FIDO experience is supported by the Universal Authentication Framework (UAF) protocol. In this experience, the user registers their device with the online service by selecting a local authentication mechanism such as swiping a finger, looking at the camera, speaking into the mic, entering a PIN, etc. The UAF protocol allows the service to select which mechanisms are presented to the user.
Once registered, the user simply repeats the local authentication action whenever they need to authenticate to the service. The user no longer needs to enter their password when authenticating from that device. UAF also allows experiences that combine multiple authentication mechanisms such as fingerprint + PIN.
Second Factor UX (U2F)
- User carries a U2F device; support for it is built into web browsers
- User presents the U2F device
- Website can simplify its password (e.g. a 4-digit PIN)
The second factor FIDO experience is supported by the Universal Second Factor (U2F) protocol. This experience allows online services to augment the security of their existing password infrastructure by adding a strong second factor to user login. The user logs in with a username and password as before. The service can also prompt the user to present a second factor device at any time it chooses. The strong second factor allows the service to simplify its passwords (e.g. a 4-digit PIN) without compromising security.
During registration and authentication, the user presents the second factor by simply pressing a button on a USB device or tapping it over NFC. The user can use their FIDO U2F device across all online services that support the protocol, thanks to built-in support in web browsers.
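The phishing resistance mentioned above comes from what the relying party checks before accepting a FIDO2/WebAuthn assertion: the browser binds the origin into the signed client data, and the authenticator binds the RP ID hash, a user-presence flag and a signature counter into the authenticator data. The following added example (not FIDO Alliance code) shows those relying-party checks in Python; the RP ID, origin and challenge are assumed values, and the final ECDSA signature check over authenticatorData || sha256(clientDataJSON) with the registered public key is left outside the block.

```python
# Added example, not FIDO Alliance code: relying-party checks on a WebAuthn
# assertion. RP_ID, EXPECTED_ORIGIN and the sample data are constructed.
import hashlib
import json
import struct

RP_ID = "example.com"                    # assumed relying-party ID
EXPECTED_ORIGIN = "https://example.com"  # assumed origin the browser reports
FLAG_UP = 0x01                           # user presence: button press or NFC tap


def verify_assertion(client_data_json: bytes, auth_data: bytes,
                     expected_challenge: str, last_counter: int) -> int:
    """Return the new signature counter if every check passes, else raise.
    Verifying the signature over auth_data + sha256(client_data_json) with the
    credential's registered public key is the remaining step, not shown here."""
    client_data = json.loads(client_data_json)
    if client_data.get("type") != "webauthn.get":
        raise ValueError("wrong ceremony type")
    if client_data.get("challenge") != expected_challenge:
        raise ValueError("challenge mismatch (replayed assertion?)")
    # The browser, not the user, fills in the origin, so a look-alike site
    # cannot obtain an assertion that the genuine site will accept.
    if client_data.get("origin") != EXPECTED_ORIGIN:
        raise ValueError("origin mismatch (phishing site?)")
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    rp_id_hash, flags = auth_data[:32], auth_data[32]
    counter = struct.unpack(">I", auth_data[33:37])[0]
    if rp_id_hash != hashlib.sha256(RP_ID.encode()).digest():
        raise ValueError("rpIdHash does not match this relying party")
    if not flags & FLAG_UP:
        raise ValueError("user presence not asserted")
    # A counter of 0 means the authenticator has none; otherwise it must grow,
    # which is how a cloned authenticator is detected.
    if counter != 0 and counter <= last_counter:
        raise ValueError("signature counter did not increase (clone?)")
    return counter


def make_auth_data(rp_id: str, flags: int, counter: int) -> bytes:
    """Constructed 37-byte authenticator data prefix: rpIdHash|flags|counter."""
    return hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", counter)


def make_client_data(origin: str, challenge: str) -> bytes:
    """Constructed clientDataJSON as the browser would produce it."""
    return json.dumps({"type": "webauthn.get", "challenge": challenge, "origin": origin}).encode()


if __name__ == "__main__":
    ch = "c29tZS1yYW5kb20tY2hhbGxlbmdl"  # constructed base64url challenge
    print(verify_assertion(make_client_data(EXPECTED_ORIGIN, ch),
                           make_auth_data(RP_ID, FLAG_UP, 42), ch, 41))
```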