How did the FIDO Alliance get started?
The FIDO Alliance started from a conversation in late 2009, introduced by Ramesh Kesanupalli who was then the CTO at Validity Sensors (a fingerprint sensor manufacturer, since acquired by Synaptics). Kesanupalli asked Michael Barrett, PayPal CISO at the time, if he was interested in fingerprint-enabling paypal.com. Barrett replied that he was, but only if it could be achieved via open standards. As there were no relevant standards that could be used, Kesanupalli then involved Taher Elgamal (the inventor of SSL), and discussions moved from there. The full history of FIDO Alliance is available here.
Who is a part of the FIDO Alliance?
The FIDO Alliance publicly launched early in 2013 with six member companies. Since then the Alliance has grown to include over 250 members worldwide — please see the member list here.
Is the FIDO Alliance a non-profit organization? What is the scope?
The FIDO (Fast IDentity Online) Alliance is a 501(c)6 non-profit organization incorporated in mid-2012 to develop standards that address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. To learn more about the FIDO Alliance governance and structure please refer to the About FIDO page and the Membership Details page.
What’s the best way to follow FIDO’s progress?
The FIDO Alliance website provides comprehensive information about the Alliance, its specifications, FIDO Certified products, a knowledge base of resources and best practices and general progress. You can also sign up to receive updates and invitations to future events, many of which are open to the public. You can also follow @FIDOalliance on Twitter and/or on LinkedIn.
The Alliance provides support for deployers of the technology by operating the new [email protected] public discussion list that anyone can subscribe to. For organizations interested in detailed progress and influencing outcomes, the best way to get involved is to join the Alliance.
What’s the process for joining the FIDO Alliance?
Please see the required steps on the FIDO Alliance membership web page.
Why should my company consider joining the FIDO Alliance?
There are significant benefits to taking part in FIDO Alliance as a member, whether your company is a vendor looking to bring FIDO-based solutions to market, or if your organization is a service provider seeking to understand the most effective ways to deploy FIDO Authentication to your customers and/or employees. You can learn more here.
Why are standards important?
Open industry standards assure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate various devices and services without having to make new investments or reverting to proprietary configurations.
Similar to the development of WiFi, Bluetooth, NFC, and other standards, FIDO is developing a new set of industry protocols. Any device manufacturer, software developer and/or online service provider can build support for FIDO protocols into their existing products and services to make online authentication simpler and stronger for their users. With the goal of standardization, the FIDO ecosystem can grow and scale by means of the “net effect”, where any new implementation of the standards will be able to immediately interoperate with any other implementation without the need for any pre-established arrangement between device developer and service provider.
How can I be sure that the product I’m buying conforms to FIDO standards?
The FIDO Alliance Certification Working Group is responsible for testing products for conformance to FIDO specifications and interoperability between those implementations. You can learn more about the FIDO® Certified program here.
Has FIDO made implementation rights available to anyone?
FIDO Alliance members have all committed to the promise contained within our Membership Agreement to not assert their patents against any other member implementation of FIDO 1.0 final specifications (referred to as “Proposed Standard” in our Membership Agreement). Anyone interested in deploying a FIDO compliant solution can do so without joining the Alliance, and they are strongly encouraged to use FIDO Certified products to enable that deployment.
Is one FIDO token/dongle/device better than another? How can I choose which to buy?
FIDO specifications are device-agnostic and support a full range of authentication technologies, including FIDO Security Keys and biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as PIN or pattern-protected microSD cards. FIDO specifications will also enable existing solutions and communications standards, such as Trusted Platform Module (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). Because FIDO specifications are open, they are designed to be extensible and to accommodate future innovation, as well as protect existing investments.
FIDO specifications allow users a broad range of choice in devices that meet their needs or preferences, as well as those of service providers, online merchants, or enterprises where users must authenticate.
Do the FIDO specifications enable anyone to begin using the specs to develop and offer FIDO certified products?
FIDO’s specifications are public and available for anyone to read and analyze. But only FIDO Alliance Members benefit from “the promise” to not assert patent rights against other members’ implementations (see the FIDO Alliance Membership Agreement for details). Anyone may join the FIDO Alliance; even very small companies are encouraged to join at the entry level, which has a very low cost. Members at all levels not only benefit from the mutual non-assert protection, but also participate in FIDO Alliance activities and developments alongside other members; Associates have more limited participation benefits. All are invited to join the FIDO Alliance and participate.
Security and Privacy
Can’t someone break into an account if they steal a device?
No. In order to break into an account, the criminal would need not only the user’s device that was registered as a FIDO Authenticator to the account, but also the ability to defeat the user identification challenge used by the Authenticator to protect the private keys. This makes it extremely difficult to break into a FIDO enabled account. In addition, all current (and we recommend all future) deployments provide users with the ability to report a lost or stolen device and have its FIDO Authenticator removed from their account.
Does FIDO get any of my personal information?
No. FIDO Alliance only specifies standards for strong authentication and tests implementations for compliance with those standards; the Alliance does not provide services or equip devices or sites. Device manufacturers, online service providers, enterprises and developers use the FIDO specifications to build products, provide services, and enable sites and browsers with FIDO authentication. Under FIDO specifications, the user’s credentials must remain on the user’s device, and they are never shared with a provider or service.
If I use the same device with multiple websites, can one site know that I use it with another site?
No, this type of information exchange is prevented with FIDO Authentication. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites. FIDO does not introduce any new tracking mechanism that could be used to correlate user activity online.
How do you protect against root kits and malware attacks on the embedded fingerprint sensor?
The FIDO Alliance recently launched the Authenticator Certification Program. This program introduces Authenticator Security Requirements to the FIDO Certification Program specifically for authenticators. Each authenticator that is certified under the FIDO Certification program is validated to meet a specific security assurance level, depending on the level of security the vendor is seeking. The higher the level, the greater the security assurance. More information about this program can be found here: https://fidoalliance.org/certification/authenticator-certification-levels/.
How does FIDO work?
Will FIDO devices work when I don’t have Internet connectivity?
The purpose of the FIDO model is to provide a secure and simple authentication experience for online services. The authentication involves a user with a device connecting to a service over a network.
Can I use the same FIDO device with multiple websites? Can I use multiple FIDO devices with the same website?
Yes, you can use multiple websites from one FIDO device. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites.
If a user acquires a new device or wants to use multiple FIDO devices, the user needs only register each of the devices at the sites where they want to use them. Once a device is registered at a site, it will be recognized whenever the user needs to authenticate at that site. When a user visits a site with a new device that hasn’t been registered, and thus isn’t automatically recognized, the user will be prompted to register the new FIDO device to enable FIDO authentication with the new device at that site.
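The per-site key pairs described in the privacy answer earlier on this page and in the two paragraphs just above (one registration and one key pair per device/website pairing, several devices per account), modelled as an added example. This is not FIDO Alliance code and not a conformant UAF or U2F implementation: the authenticator keeps one P-256 key pair per relying-party ID and signs challenges bound to that ID, while the site stores only public keys and a signature counter. The type names, the toBeSigned layout and the sample site IDs are constructed for the example.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"fmt"
)

// credential is one device/site pairing: a key pair scoped to a single
// relying-party (RP) ID plus a signature counter.
type credential struct {
	priv    *ecdsa.PrivateKey
	counter uint32
}

// Authenticator models one FIDO device. Private keys never leave it.
type Authenticator struct{ creds map[string]*credential }

func NewAuthenticator() *Authenticator { return &Authenticator{creds: map[string]*credential{}} }

// Register generates a fresh P-256 key pair for rpID and returns only the public key.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.creds[rpID] = &credential{priv: priv}
	return &priv.PublicKey, nil
}

type Assertion struct {
	Counter uint32
	Sig     []byte // ASN.1 ECDSA signature over toBeSigned(...)
}

// toBeSigned binds the signature to RP ID, counter and challenge (constructed layout).
func toBeSigned(rpID string, counter uint32, challenge []byte) []byte {
	rp := sha256.Sum256([]byte(rpID))
	ch := sha256.Sum256(challenge)
	var ctr [4]byte
	binary.BigEndian.PutUint32(ctr[:], counter)
	sum := sha256.Sum256(append(append(rp[:], ctr[:]...), ch[:]...))
	return sum[:]
}

// Sign answers a challenge with the credential registered for rpID.
func (a *Authenticator) Sign(rpID string, challenge []byte) (*Assertion, error) {
	c, ok := a.creds[rpID]
	if !ok {
		return nil, fmt.Errorf("device not registered at %s", rpID)
	}
	c.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, c.priv, toBeSigned(rpID, c.counter, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{Counter: c.counter, Sig: sig}, nil
}

// registered is one public key a site holds for a user (one per device).
type registered struct {
	pub         *ecdsa.PublicKey
	lastCounter uint32
}

// RelyingParty models a website; it stores public keys only.
type RelyingParty struct {
	ID    string
	users map[string][]*registered
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, users: map[string][]*registered{}}
}

// AddDevice registers one more device's public key for user.
func (rp *RelyingParty) AddDevice(user string, pub *ecdsa.PublicKey) {
	rp.users[user] = append(rp.users[user], &registered{pub: pub})
}

// Verify accepts the assertion if one of the user's registered keys signed it over
// this site's ID and the counter advanced (a stale counter means replay or a clone).
func (rp *RelyingParty) Verify(user string, challenge []byte, as *Assertion) bool {
	digest := toBeSigned(rp.ID, as.Counter, challenge)
	for _, r := range rp.users[user] {
		if as.Counter > r.lastCounter && ecdsa.VerifyASN1(r.pub, digest, as.Sig) {
			r.lastCounter = as.Counter
			return true
		}
	}
	return false
}

func main() {
	dev := NewAuthenticator()
	pubA, _ := dev.Register("site-a.example") // constructed RP IDs
	pubB, _ := dev.Register("site-b.example")
	fmt.Println("same key at both sites:", pubA.Equal(pubB)) // prints false
}
```

Because the two public keys are independent and every signature covers the site's own ID, site A learns nothing from the key it holds that would let it recognise the same device at site B, and an assertion produced for site B fails verification at site A even if site A somehow held site B's public key.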
Would FIDO work for an enterprise/intranet environment?
Yes, FIDO authentication can be deployed in an enterprise environment. It provides enterprises with significant benefits such as reduced cost of strong authentication deployment and support. There is an active Enterprise Deployment Working Group within the Alliance that produces white papers on best practices. This guidance can be located within the FIDO Knowledge Base. In the Knowledge Base, you can also learn how Google deployed FIDO across their 85,000 employees resulting in no known successful phishing attacks.
What is the FIDO Alliance Metadata Service?
The FIDO Alliance Metadata Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators.
More extensive FAQs related to the FIDO Alliance Metadata Service are available here.
How do I get started?
Start by making sure your implementation passes the conformance tests (registration required). After you’ve validated your implementation, register for an Interoperability event and you’re on your way to certifying your product.
Will there be a FIDO Certified logo?
Yes. There is a recognizable FIDO Certified logo for vendors to include with their web sites, product materials, packaging, etc.
Is there a Trademark License Agreement (TMLA) requirement for logo use?
Use of the FIDO Certified logo will require signing a TMLA. There is a streamlined process for Relying Parties that wish to use the certification logo on their websites, which includes a “clickless” license agreement.
How long is a product certified, and is recertification required when protocols change?
A product is certified indefinitely as long as the code base of its FIDO implementation doesn’t change in any substantial way. Certification can only be terminated in rare instances, such as a determination that an implementation improperly passed test tools or interoperability events. Certification only applies to a specific specification and implementation class (i.e. “UAF Authenticator”). If a new major version of a specification is released (as determined by the FIDO Certification Working Group) and an implementation would like to claim conformance with that specification, new certification will be required.
What is a Vendor ID and who needs one?
The UAF authenticator specification defines an AAID field that is half Vendor ID and half Device ID, used to uniquely identify each authenticator. The Vendor ID is a unique identifier assigned by FIDO to each company implementing a UAF authenticator. The other half of the AAID field, the Device ID, is assigned to the authenticator by the implementing company. Only UAF Authenticators require a Vendor ID.
Can I become FIDO Certified if I am not a FIDO Alliance Member?
Yes. Non-members are welcome to certify their implementations.
What are the costs associated with certification?
FIDO members can certify an implementation of UAF server, client or authenticator; or U2F server or authenticator for $5,000 per certification. Derivatives (implementations that are the same code embedded into a different product) can be registered for $500 each. Non-member rates are $6,500 for certifications and $750 for derivatives. These fees cover the trademark licensing, interoperability event, test tool usage and support, and documentation processing.
How often do testing events occur?
Interoperability events occur at least every 90 days, but may occur more frequently based on implementer demand.
How does the FIDO Alliance certify derivative products?
Derivative certification was created to streamline the certification process for implementers that have a large volume of certifications that are essentially all based on the same implementation. In this case, implementers may certify one implementation and the rest may be registered as “derivatives” of that base certification. Derivatives don’t require attending interoperability events to achieve certification, but they do require that the derivative implementation run and pass conformance testing. The implementation cannot change in any substantial way from the original certification earned via our test tools and interoperability testing. If there are changes to the implementation, then it will need to go through the FIDO Impact Analysis to determine if the implementation requires a Delta Certification or Recertification.
Must I certify a product in order to market it?
No. But a product must be certified to claim to be FIDO Certified and use the FIDO Certified logo.
What is the audit process for products in the market?
The FIDO Alliance staff will audit on a monthly basis the usage of FIDO Certified logos and published claims of certification. Auditing of actual implementations will be driven by market feedback. Should any concerns arise, feedback can be submitted through the Certified Logo Violation form.
What is the Certificate number format of the FIDO Alliance issued Certificates?
The FIDO Alliance issued Certificates have the following numerical format:
SSS – Specification identifier (UAF or U2F)
X – Specification major number
Y – Specification minor number
Z – Specification revision number
A – Specification errata number
YYYY – Year issued
MM – Month issued
DD – Day issued
#### – The number of the certificate issued today
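Two identifier formats this FAQ describes, the UAF AAID (under "What is a Vendor ID" above) and the certificate number layout just listed, parsed and validated as an added example; this is not FIDO Alliance code or tooling. The AAID split at "#" into four hex digits per half follows the UAF specification's AAID definition. The certificate number is assumed here to concatenate the listed fields in order with no separators (the FAQ gives the field order, not the separators; hyphens are tolerated and stripped), so the length check would need adjusting if real numbers are laid out differently. Sample values are constructed.

```go
package main

import (
	"fmt"
	"strconv"
	"strings"
	"time"
)

// AAID is a UAF Authenticator Attestation ID: a FIDO-assigned vendor half and a
// vendor-assigned device half. Layout "VVVV#MMMM" (four hex digits each, '#'
// separator) is the UAF specification's AAID format.
type AAID struct {
	VendorID string
	DeviceID string
}

// hex4 reports whether s is exactly four hexadecimal digits.
func hex4(s string) bool {
	if len(s) != 4 {
		return false
	}
	_, err := strconv.ParseUint(s, 16, 16)
	return err == nil
}

// ParseAAID validates and splits an AAID, normalising the hex to upper case so
// that lookups (for example against a metadata statement) compare consistently.
func ParseAAID(s string) (AAID, error) {
	parts := strings.Split(s, "#")
	if len(parts) != 2 || !hex4(parts[0]) || !hex4(parts[1]) {
		return AAID{}, fmt.Errorf("malformed AAID %q: want VVVV#MMMM", s)
	}
	return AAID{VendorID: strings.ToUpper(parts[0]), DeviceID: strings.ToUpper(parts[1])}, nil
}

// CertNumber holds the fields of a FIDO certificate number in the order the FAQ
// lists them. Assumption for this example: SSS X Y Z A YYYYMMDD #### concatenated
// with no separators, 19 characters in total.
type CertNumber struct {
	Spec                           string // "UAF" or "U2F"
	Major, Minor, Revision, Errata int
	Issued                         time.Time
	Seq                            int // number of the certificate issued that day
}

// ParseCertNumber validates every field; an unknown specification, a non-digit
// or an impossible date is rejected rather than silently accepted.
func ParseCertNumber(s string) (CertNumber, error) {
	s = strings.ToUpper(strings.ReplaceAll(s, "-", ""))
	if len(s) != 19 {
		return CertNumber{}, fmt.Errorf("certificate number %q: want 19 characters, got %d", s, len(s))
	}
	c := CertNumber{Spec: s[:3]}
	if c.Spec != "UAF" && c.Spec != "U2F" {
		return CertNumber{}, fmt.Errorf("unknown specification %q", c.Spec)
	}
	digits := s[3:]
	for i, r := range digits {
		if r < '0' || r > '9' {
			return CertNumber{}, fmt.Errorf("non-digit %q at position %d", r, i+3)
		}
	}
	c.Major, c.Minor = int(digits[0]-'0'), int(digits[1]-'0')
	c.Revision, c.Errata = int(digits[2]-'0'), int(digits[3]-'0')
	issued, err := time.Parse("20060102", digits[4:12])
	if err != nil {
		return CertNumber{}, fmt.Errorf("bad issue date %q: %v", digits[4:12], err)
	}
	c.Issued = issued
	c.Seq, _ = strconv.Atoi(digits[12:]) // all digits, already checked above
	return c, nil
}

// String renders a CertNumber back in the assumed concatenated layout.
func (c CertNumber) String() string {
	return fmt.Sprintf("%s%d%d%d%d%s%04d", c.Spec, c.Major, c.Minor, c.Revision,
		c.Errata, c.Issued.Format("20060102"), c.Seq)
}

func main() {
	a, err := ParseAAID("1EA8#0001") // constructed AAID, not a real vendor
	fmt.Println(a, err)
	c, err := ParseCertNumber("UAF1000201702150001") // constructed certificate number
	fmt.Println(c.Spec, c.Issued.Format("2006-01-02"), c.Seq, err)
}
```

A FIDO server that receives an AAID during UAF registration would parse it this way before looking the vendor and device up in the metadata it has downloaded, so that a malformed or unexpected identifier is rejected at the boundary rather than matched loosely later.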
Our company just built a new product but we haven’t gotten it certified yet. Can we say that it is FIDO Certified while we are working on achieving our certification?
No. Only products that have passed through FIDO Certification program and have been granted a certification number can claim to be FIDO Certified.