FIDO Deployment in the Enterprise

Journey Map



Learn about FIDO and share knowledge within your organization.

The FIDO Alliance has built a set of free and open authentication standards that encompass phishing resistance, public key cryptography, and privacy. These features are built into FIDO authenticator devices with the goal of reducing or eliminating passwords using second-factor, multi-factor, and password less use cases. With FIDO, the private key is never sent across the internet to the service provider, so there is nothing for hackers to steal.

What to Know:


  • FIDO specifications are FIDO UAF, FIDO U2F, and FIDO2 (WebAuthn and CTAP)
  • Phishing resistance and privacy are built into FIDO protocols
  • FIDO credentials use public key cryptography
  • Private key is never sent across the internet to the service provider


+ more


Identify the most important use cases and evaluate entry points – aim to eliminate threat vectors in remote access, operating systems, and single sign-on provider environments.

Adoption of FIDO authenticators requires a readiness evaluation of enterprise applications, browsers, operating systems, and devices that will interact with FIDO authenticators to help reduce threat vectors. Companies must identify the most important use cases before considering authentication flows, policy enforcement, compliance requirements, roll out and help desk tasks, and other needs.

Things to consider 


  • Application, browsers, operating systems, and devices currently in the organization 
  • Desired authentication flows (passwordless, multi-factor authentication, etc.) 
  • Compliance requirements
  • Self-Service: Onboarding, help desk workflow, and recovery
  • Policy enforcement and options workflow
  • Target passwords via threat vectors: remote access, operating systems, and single sign-on systems



+ more


Talk to your identity/authentication vendors and ask about FIDO or evaluate FIDO vendor solutions

Enterprises should consult their trusted identity and authentication vendors. The goal is to discover implementation options, including FIDO protocol versions, interfaces, and device capabilities that help reduce security exposure. Consider using FIDO cloud services along with positioning strong authentication in your current environment. 


Things to Consider:

  • Options for server deployment, configuration, architecture, and implementation
  • Protocol versions, interfaces, and capabilities of devices in your user base (USB-A, USB-C, gestures, biometrics, and NFC)
  • How to reduce security exposure
  • Enterprise management, maintenance, and FIDO cloud services
  • How to position new strong authentication along with what you already have



+ more


What is the user experience for FIDO registration, deprovisioning, authentication, emergency access, and account recovery?

UX experiences stretch across registration, authentication and other actions. Designers  should tap into strong authentication already in the enterprise including devices (phones) and protocols (CTAP). Backup and recovery are a must along with policies like PIN length and emergency access.

Things to Consider:

  • Leverage FIDO’s natural UX supplied by browsers, and authentication solutions
  • Introduce new strong authentication along with what you already have
  • Consider alternatives, phones and other devices as authenticators
  • Use CTAP to allow enterprises to have certain control over authenticators
  • Key policies: change length of PIN, assign authenticator to users, etc.
  • Include backup authenticators




FIDO UX Guidelines

+ more


Run a pilot to evaluate, educate, and train internal users on the new experience and collect feedback. Collect infrastructure and service requirements.

Manage the scope of your pilot by using existing education/experience training material. Feedback, knowledge collection, and requirements for infrastructure and services are key. Help desk training is important to ease the transition to FIDO.


Things to Consider:

  • Start with a manageable, diverse pilot group
  • Use existing education/experience training material to get everyone on board and work on the transition
  • Collect feedback and segment user populations by knowledge
  • Learn to protect the authenticator from being shared
  • Engage the help desk so they know how FIDO works 
  • Maintain consistency in your policy
  • The pilot step might be iterative as feedback is gathered and experiences are adjusted


Link: provides high-level language and videos to educate your internal stakeholders.

Develop your own education and training material.


+ more


Improve user experience as needed, and rollout solutions starting with a small group.

Test and re-test the experience as you roll out FIDO to small groups. Remember integrations and users need time (and patience). Gauge your implementation readiness and don’t get caught in a loop. Fixate on high assurance and hone processes. Consider a second pilot to segment savvy users and UX validators. 


Things to Consider:

  • Integrations can take time to implement with other apps regarding home-grown
  • Calculate time to implementation
  • Default to high assurance levels and don’t recover to a lesser credential
  • Tighten up processes as you work through deployment 
  • Start with a small group, learn, and refine
  • Consider running 2+ pilots in succession: one with a savvy population, and one to validate UX with a variety of users



+ more


Rollout FIDO to all employees but continue to offer alternative authentication methods.

The password is in peril, but don’t rush to take it out. Keep your existing strong authentication in place to soothe implementers and comfort users. Find and cultivate end-users as allies. Ensure that innovation remains part of the plan.


Things to Consider:

  • Don’t rush to eliminate passwords
  • Introduce new strong authentication alongside what you already have
  • Look toward complete alternatives to passwords to understand how much room there is to innovate
  • Solicit feedback from end users
  • Bring your own authenticator


Cultivate end-users as allies

+ more

Remove PW

Gradually remove password dependencies and any weaker authentication methods.

Go ahead, say it:  “My goal is to eliminate passwords.” Engage the relevant stakeholders involved in your enterprise and ensure that your feedback loop is responsive and committed.


Things to Consider:

  • Commit to passwordless as your target
  • Work with the help desk – the goal is to reduce calls using stronger authentication with less need to reset passwords
  • Return to Step 2 and ensure you reduce threat vectors in remote access, operating systems, single sign-on providers



+ more