General Questions

How did the FIDO Alliance get started?

The FIDO Alliance started from a conversation in late 2009, introduced by Ramesh Kesanupalli who was then the CTO at Validity Sensors (a fingerprint sensor manufacturer, since acquired by Synaptics). Kesanupalli asked Michael Barrett, PayPal CISO at the time, if he was interested in fingerprint-enabling paypal.com. Barrett replied that he was, but only if it could be achieved via open standards. As there were no relevant standards that could be used, Kesanupalli then involved Taher Elgamal (the inventor of SSL), and discussions moved from there. The full history of FIDO Alliance is available here.

Who is a part of the FIDO Alliance?

The FIDO Alliance publicly launched early in 2013 with six member companies. Since then the Alliance has grown to include over 250 members worldwide — please see the member list here.

When were the FIDO specifications first published, and where do they stand today?

From its inception, the FIDO Alliance stated its intention to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. In less than two years from its inception, on December 9th, 2014, the Alliance delivered the final 1.0 specifications that enable that vision. This was an important milestone on the industry's road to ubiquitous simpler, stronger authentication.

The Alliance has focused on the needs of users who suffer today from having more passwords than they can manage, and of enterprises, who suffer from data breaches and high password support costs. Since that first release of the FIDO specifications, FIDO has gone on to expand both the UAF and U2F specifications in their 1.1 updates and we've started to see large-scale deployments by leading enterprises and service providers around the world.

Where are there FIDO solutions on the market today?

FIDO authentication technologies are deployed in hundreds of millions of devices today, with a total potential reach of over 1.5 billion user accounts. FIDO authentication is already enabled through early deployments from PayPal, Samsung, Nok Nok Labs, Synaptics, Github, Google, DropBox, NTT DOCOMO, and many more. Anyone with a FIDO U2F authenticator or FIDO® Certified device can start authenticating wherever FIDO authentication is supported, such as through the Chrome browser and Google Accounts as announced in October 2014: Strengthening 2-Step Verification with Security Key.

Is the FIDO Alliance a non-profit organization? What is the scope?

The FIDO (Fast IDentity Online) Alliance is a 501(c)6 non-profit organization incorporated in mid-2012 to develop standards that address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. To learn more about the FIDO Alliance governance and structure please refer to the About page and the Membership Details page.

What’s the best way to follow FIDO’s progress?

The FIDO Alliance website provides comprehensive information about the Alliance, its specifications, FIDO Certified products, community resources and general progress. You can also sign up to receive updates and invitations to future events, many of which are open to the public. You can also follow @FIDOalliance on Twitter and/or on LinkedIn.

As of December 9th, the Alliance is providing support for deployers of the technology by operating the new fido-dev@fidoalliance.org public discussion list that anyone can subscribe to. For organizations interested in detailed progress and influencing outcomes, the best way to get involved is to join the Alliance.

What’s the process for joining the FIDO Alliance?

Please see the required steps on the FIDO Alliance membership web page.

Why should my company consider joining the FIDO Alliance?

There are significant benefits to member organizations, whether they are looking to deploy FIDO authentication or to produce FIDO compliant software or hardware that enhances authentication for their customers. If your company would like to contribute to the development and adoption of the FIDO standards, please consider joining the Alliance.


Why are standards important?

Open industry standards assure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate various devices and services without having to make new investments or reverting to proprietary configurations.

Similar to the development of WiFi, Bluetooth, NFC, and other standards, FIDO is developing a new set of industry protocols. Any device manufacturer, software developer and/or online service provider can build support for FIDO protocols into their existing products and services to make online authentication simpler and stronger for their users. With the goal of standardization, the FIDO ecosystem can grow and scale by means of the “net effect”, where any new implementation of the standards will be able to immediately interoperate with any other implementation without the need for any pre-established arrangement between device developer and service provider.

What’s the difference between U2F and UAF? Why two separate standards?

U2F (Universal 2nd Factor) is a FIDO protocol that strengthens password authentication by adding a physical token. UAF (Universal Authentication Framework) is a FIDO protocol that provides strong authentication without passwords, by using biometrics and other modalities to authenticate users to their local device, then enabling the device to authenticate to the online services (biometrics, if used, never leave the device). The two standards have evolved in parallel and share basic FIDO principles such as user privacy protection and standard public key cryptography. In future versions, we expect the two standards to further evolve and harmonize.

How can I be sure that the product I’m buying conforms to FIDO standards?

The FIDO Alliance Certification Working Group is responsible for testing products for conformance to FIDO specifications and interoperability between those implementations. You can learn more about the FIDO® Certified program here.

Has FIDO made implementation rights available to anyone?

FIDO Alliance members have all committed to the promise contained within our Membership Agreement to not assert their patents against any other member implementation of FIDO 1.0 final specifications (referred to as “Proposed Standard” in our Membership Agreement). Anyone interested in deploying a FIDO compliant solution can do so without joining the Alliance, and they are strongly encouraged to use FIDO Certified products to enable that deployment.

Is one FIDO token/dongle/device better than another? How can I choose which to buy?

FIDO specifications are device-agnostic and support a full range of authentication technologies, including U2F tokens and biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as PIN or pattern-protected microSD cards. FIDO specifications will also enable existing solutions and communications standards, such as Trusted Platform Module (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). Because FIDO specifications are open, they are designed to be extensible and to accommodate future innovation, as well as protect existing investments.

FIDO specifications allow users a broad range of choice in devices that meet their needs or preferences, as well as those of service providers, online merchants, or enterprises where users must authenticate.

Do the FIDO specifications enable anyone to begin using the specs to develop and offer FIDO certified products?

FIDO's specifications are public and available for anyone to read and analyze. But only FIDO Alliance Members benefit from “the promise” to not assert patent rights against other members’ implementations (see the FIDO Alliance Membership Agreement for details). Anyone may join the FIDO Alliance; the entry level is priced low enough that we encourage even very small companies to join. Members at all levels not only benefit from the mutual non-assert protection, but also participate in FIDO Alliance activities and developments alongside other members; Associates have more limited participation benefits. All are invited to join the FIDO Alliance and participate.

Do I need to wait until the FIDO 2 project is finished?

No. Enterprises and consumers are solving real security issues today with FIDO strong authentication as outdated password systems are modernized. Tens of millions of FIDO-based devices are now in use to protect accounts with strong, cryptographic-based authentication at major relying parties such as Google, PayPal, NTT DOCOMO, INC., Bank of America, Dropbox, and GitHub. In addition, there are 72 FIDO Certified products available in the market. The FIDO Alliance's strategy has always hinged on the idea that every device you purchase will come with FIDO standards support built in, and the FIDO 2.0 work is very well aligned with that strategy.

What is the goal of FIDO 2?

The FIDO 2 project is working to achieve ubiquitous platform-enablement for FIDO standards, resulting in an ecosystem with “out of the box” support for simpler, stronger FIDO authentication on all devices.

What is the use case that the FIDO 2 project addresses?

The FIDO 2 project addresses both FIDO’s password-less and second-factor experiences and adds device-to-device capabilities along with ubiquitous platform support including standards-based strong authentication across all Web browsers and related Web platform infrastructure.

What was sent to the W3C?

A set of three technical specifications to define a standard Web-based API. There is the API for accessing FIDO credentials and two specs that are necessary to interpret and use responses from the API. Upon completion by the W3C, the FIDO Alliance will support the adoption of this published Web API through the established FIDO Certification Program.

What are the other pieces still at FIDO?

All the FIDO 1.X work and the Client to Authenticator Protocol of the FIDO 2 project remain in the FIDO Alliance technical working groups.

Security and Privacy

How does FIDO Authentication via U2F make a user safer?

FIDO U2F strengthens the authentication process by adding a second factor in addition to using a username/password (something you know). The user is prompted to insert and touch their personal U2F device (something you have). A hacker would need to steal both your credentials and your U2F device in order to compromise an account or application log-in.

How does Authentication via UAF with a biometric authenticator make a user safer? Could anyone steal my biometric information from a device or online service?

Unlike current password systems, which have proven vulnerable to mass-scale attacks and fraud, FIDO UAF authentication credentials are never shared or stored in centralized databases. FIDO credentials are known and maintained only by the user’s own device. There are no secrets stored with the online service provider, only the public keys paired to the user’s device where the private keys are stored, so there is nothing to harm the user if that service provider is breached (unlike the password situation). Biometrics used in FIDO authentication never leave the device.

While it’s not impossible for a determined criminal to steal a FIDO device and hack it to obtain the user’s credentials, consider the challenges to do so, even in a laboratory-controlled environment. A would-be attacker must perform two completely different types of attacks in order to complete a single, not scalable, one-off device spoof. Consider the example of spoofing a fingerprint sensor equipped FIDO device. First, the attacker must obtain a perfectly formed, complete latent print that is also enrolled on the target user’s device. Then, the attacker must gain access to the user’s device, in order to control only that one device. The single spoof, even if accomplished, doesn’t approach the potential harm done by today’s typical mass-scale attack, which can result in harvesting millions and hundreds of millions of users’ credentials. The password ecosystem has afforded attackers with great return on investment with relatively limited risk; the FIDO ecosystem is far more difficult, expensive, and risky for attackers to profit from.

Can’t someone break into my account if they steal my device?

No. In order to break into an account, the criminal would need not only the user’s device that was registered as a FIDO Authenticator to the account, but also the ability to defeat the user identification challenge used by the Authenticator to protect the private keys (the username & password for the U2F token or ability to pass the biometric challenge in a UAF biometric scenario). This makes it extremely difficult to break into a FIDO enabled account. Besides, all current (and we recommend all future) deployments provide users with the ability to report a lost or stolen device and have its FIDO Authenticator removed from their account.

Does FIDO get any of my personal information?

No. The FIDO Alliance only specifies standards for strong authentication and tests implementations for compliance to those standards; the Alliance does not provide services or equip devices or sites. Device manufacturers, online service providers, enterprises and developers use the FIDO specifications to build products, provide services, and enable sites and browsers with FIDO authentication. Under FIDO specifications, the user’s credentials must remain on the user’s device, and they are never shared with a provider or service.

How can I be sure that FIDO technologies are safe?

FIDO authentication is designed to protect users against many of today’s cyber-attacks and vulnerabilities. The FIDO model is based on the premise that user credentials never leave the user’s device. In addition to providing privacy for the user, this model also eliminates scalable cyber-attacks targeting user credentials. With FIDO, there is no centralized database of user credentials that can be breached.

If I use the same device with multiple websites, can one site know that I use it with another site?

No, this type of information exchange is prevented with FIDO Authentication. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites. FIDO does not introduce any new tracking mechanism that could be used to correlate user activity online.

How do you protect against rootkit and malware attacks on the embedded fingerprint sensor?

A variety of hardware and software security technologies, such as a Trusted Execution Environment and Secure Elements, can be implemented on mobile devices to protect against malware and rootkit attacks.

How does FIDO work?

Will FIDO devices work when I don’t have Internet connectivity?

The purpose of the FIDO model is to provide a secure and simple authentication experience for online services. The authentication involves a user with a device connecting to a service over a network.

Can I use the same FIDO device with multiple websites? Can I use multiple FIDO devices with the same website?

Yes, you can use multiple websites from one FIDO device. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites.

If a user acquires a new device or wants to use multiple FIDO devices, the user needs only register each of the devices at the sites where he wants to use them. Once a device is registered at a site, it will be recognized whenever the user needs to authenticate at that site. When a user visits a site with a new device that hasn’t been registered, and thus isn’t automatically recognized, the user will be prompted to register the new FIDO device to enable FIDO authentication with the new device at that site.
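The per-pairing key model described in this answer and in the privacy answer above (“If I use the same device with multiple websites, can one site know that I use it with another site?”), as an added example written for this FAQ and not taken from any FIDO specification or project code: a toy authenticator mints a fresh P-256 key pair for every (device, site) registration, the relying party stores only public keys, and neither side can correlate registrations across sites. The `rpID` string, the random key handle and the `rpID|challenge` message layout are this example's own assumptions, not the U2F or UAF wire format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"errors"
)

// Authenticator models one FIDO device. Private keys live only here and are
// never handed to a relying party (RP).
type Authenticator struct {
	keys map[string]map[string]*ecdsa.PrivateKey // rpID -> key handle -> private key
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[string]map[string]*ecdsa.PrivateKey{}}
}

// Register creates a fresh key pair for this (device, RP) pairing and returns
// the public key plus an opaque key handle; nothing links it to other RPs.
func (a *Authenticator) Register(rpID string) (*ecdsa.PublicKey, string, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, "", err
	}
	var hb [16]byte
	if _, err := rand.Read(hb[:]); err != nil {
		return nil, "", err
	}
	handle := hex.EncodeToString(hb[:]) // constructed handle format, random per registration
	if a.keys[rpID] == nil {
		a.keys[rpID] = map[string]*ecdsa.PrivateKey{}
	}
	a.keys[rpID][handle] = priv
	return &priv.PublicKey, handle, nil
}

// Sign answers a challenge for rpID with the key registered under handle.
// rpID is bound into the signed message, so an assertion for one site is
// useless at another, and a handle issued to another site is simply unknown.
func (a *Authenticator) Sign(rpID, handle string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[rpID][handle]
	if !ok {
		return nil, errors.New("no key registered for this site and handle")
	}
	d := sha256.Sum256(append([]byte(rpID+"|"), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, d[:])
}

// RelyingParty stores only public keys, so a breach of it yields no secrets.
type RelyingParty struct {
	ID   string
	pubs map[string]*ecdsa.PublicKey // key handle -> public key
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubs: map[string]*ecdsa.PublicKey{}}
}

func (rp *RelyingParty) Enroll(handle string, pub *ecdsa.PublicKey) { rp.pubs[handle] = pub }

// Verify checks an assertion against the public key enrolled under handle.
func (rp *RelyingParty) Verify(handle string, challenge, sig []byte) bool {
	pub, ok := rp.pubs[handle]
	if !ok {
		return false
	}
	d := sha256.Sum256(append([]byte(rp.ID+"|"), challenge...))
	return ecdsa.VerifyASN1(pub, d[:], sig)
}

// SameKey reports whether two RPs could correlate a device via its public keys.
func SameKey(a, b *ecdsa.PublicKey) bool { return a.Equal(b) }
```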

Would FIDO work for an enterprise/intranet environment?

Yes, FIDO authentication can be deployed in an enterprise environment. It provides enterprises with significant benefits such as reduced cost of strong authentication deployment and support. Learn more about how Google found benefit from deploying FIDO Authentication here.

How can one use a FIDO U2F authenticator in the Chrome browser?

Please see instructions here.

What do you have to do to enable FIDO authentication on your device?

Generally, you would have to follow instructions given by your online service provider. Please see examples of FIDO U2F instructions and FIDO UAF instructions.

Metadata Service

What is the FIDO Alliance MetaData Service?

The FIDO Alliance MetaData Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators. The MDS service presently supports FIDO UAF. The FIDO Alliance intends to develop an analogous service for products compliant with the FIDO U2F protocol.

Why should manufacturers use the service?

The service database provides a trusted location (URL) where manufacturers can publish metadata about their authenticators, making it easy for relying parties to have the latest information about a device.

Why should relying parties deploying FIDO servers use the service?

The universe of FIDO UAF authenticators is dynamic. Vendors are frequently releasing new authenticators or updating existing ones. In addition, vulnerabilities may be discovered in existing authenticators, requiring that their use be limited or phased out. FIDO UAF servers can validate the integrity of authenticators and devices by periodically downloading a digitally signed metadata Table of Contents (TOC) file containing URLs used to verify individual metadata statements.

Must a product be FIDO Certified in order to be included in the database?

No. However, the manufacturer must be a company who has registered with the FIDO Alliance and obtained a valid FIDO Alliance vendor ID. There is a field in the metadata that indicates whether or not the product is FIDO Certified because some relying parties may prefer products that are FIDO Certified.

Who can access the FIDO Alliance MetaData Service?

In order to publish metadata statements, a company must register with the FIDO Alliance and obtain a vendor ID. There are no restrictions on accessing the metadata.

Is there a fee for the FIDO Alliance MetaData Service?


Where should I go to get started?


How do I get started?

Start by making sure your implementation passes the conformance tests (registration required). After you’ve validated your implementation, register for an Interoperability event and you’re on your way to certifying your product.

Will there be a FIDO Certified logo?

Yes. There is a recognizable FIDO Certified logo for vendors to include with their web sites, product materials, packaging, etc.

Is there a Trademark License Agreement (TMLA) requirement for logo use?

Use of the FIDO Certified logo will require signing a TMLA. There is a streamlined process for Relying Parties that wish to use the certification logo on their websites, which includes a “clickless” license agreement.

How will the certification program evolve in the future?

The FIDO Alliance will be introducing security lab testing within the next few months. Other forms of validation testing may be introduced in the future, depending on the business requirements of online service providers.

How long is a product certified, and is recertification required when protocols change?

A product is certified indefinitely as long as the code base of its FIDO implementation doesn’t change in any substantial way. Certification can only be terminated in rare instances, such as determining that an implementation improperly passed test tools or interoperability events. Certification only applies to a specific specification and implementation class (e.g. “UAF Authenticator”). If a new major version of the specifications is released (as determined by the FIDO Certification Working Group) and an implementation would like to claim conformance with that specification, new certification will be required.

Are there separate submission fees for FIDO UAF testing and FIDO U2F testing?

Yes. Implementations must request certification (and pay the certification fees) for each implementation class they are seeking to certify. For example, if an implementation certifies for both a FIDO UAF Server and a U2F Server, that implementation must follow the certification process for both (and pay the certification fees for both). The implementation would ultimately receive two certifications. The primary difference between UAF testing and U2F testing is the different test tools and the different interoperability events.

For those interested in the UAF program, an additional Vendor ID fee of $3000 is required for UAF Authenticators only.

What is a Vendor ID and who needs one?

The UAF authenticator specification defines an AAID field that is half Vendor ID and half Device ID used to uniquely identify each authenticator. The Vendor ID is a unique identifier assigned by FIDO to each company implementing a UAF authenticator. The other half of the AAID field, the Device ID, is assigned to the authenticator by the implementing company.  Only UAF Authenticators require a Vendor ID.
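The Vendor ID and Device ID halves of the AAID described here, together with the Metadata Service answers above (the signed TOC, the FIDO Certified flag, and phasing out authenticators with discovered vulnerabilities), as an added example that is not FIDO Alliance code: a relying-party check that verifies the TOC signature, ties each downloaded statement to its TOC hash, and applies a policy keyed by AAID. Assumptions: the `VVVV#DDDD` AAID layout is taken from the UAF specification rather than from this page, and the TOC JSON fields, status values and hex SHA-256 statement hash are a constructed simplification of the real MDS format.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/hex"
	"encoding/json"
	"errors"
	"regexp"
)

// AAID "VVVV#DDDD" (layout per the UAF spec, not this FAQ): FIDO-assigned Vendor ID, '#', vendor-assigned Device ID.
var aaidRe = regexp.MustCompile(`^([0-9A-Fa-f]{4})#([0-9A-Fa-f]{4})$`)

// ParseAAID splits an AAID into its Vendor ID and Device ID halves.
func ParseAAID(s string) (vendor, device string, err error) {
	m := aaidRe.FindStringSubmatch(s)
	if m == nil {
		return "", "", errors.New("malformed AAID: " + s)
	}
	return m[1], m[2], nil
}

// TOCEntry is a constructed, simplified TOC entry; real MDS entries differ.
type TOCEntry struct {
	AAID      string `json:"aaid"`
	URL       string `json:"url"`       // where the full metadata statement is served
	Hash      string `json:"hash"`      // hex SHA-256 of that statement
	Certified bool   `json:"certified"` // the FIDO Certified flag the FAQ mentions
	Status    string `json:"status"`    // constructed: "OK", "COMPROMISED", "REVOKED"
}

// BuildSignedTOC stands in for the MDS publisher: sign SHA-256(payload) with a fresh key.
func BuildSignedTOC(entries []TOCEntry) (payload, sig []byte, pub *ecdsa.PublicKey, err error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, nil, err
	}
	payload, _ = json.Marshal(entries) // cannot fail for this plain struct slice
	d := sha256.Sum256(payload)
	sig, err = ecdsa.SignASN1(rand.Reader, priv, d[:])
	return payload, sig, &priv.PublicKey, err
}

// VerifyTOC checks the publisher's signature before any entry is trusted.
func VerifyTOC(payload, sig []byte, pub *ecdsa.PublicKey) ([]TOCEntry, error) {
	d := sha256.Sum256(payload)
	if !ecdsa.VerifyASN1(pub, d[:], sig) {
		return nil, errors.New("TOC signature invalid")
	}
	var entries []TOCEntry
	if err := json.Unmarshal(payload, &entries); err != nil {
		return nil, err
	}
	return entries, nil
}

// StatementMatches ties a downloaded statement to its signed TOC hash, so a
// tampered or stale statement served at the URL is rejected.
func StatementMatches(e TOCEntry, statement []byte) bool {
	d := sha256.Sum256(statement)
	return hex.EncodeToString(d[:]) == e.Hash
}

// Allowed is the relying party's policy: unknown AAIDs are an error, compromised
// or revoked authenticators are refused, and requireCertified also refuses uncertified ones.
func Allowed(toc []TOCEntry, aaid string, requireCertified bool) (bool, error) {
	if _, _, err := ParseAAID(aaid); err != nil {
		return false, err
	}
	for _, e := range toc {
		if e.AAID == aaid {
			return e.Status == "OK" && (e.Certified || !requireCertified), nil
		}
	}
	return false, errors.New("AAID not in metadata: " + aaid)
}
```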

Can I become FIDO Certified if I am not a FIDO Alliance Member?

Yes.  Non-members are welcome to certify their implementations. 

What are the costs associated with certification?

FIDO members can certify an implementation of UAF server, client or authenticator; or U2F server or authenticator for $5,000 per certification. Derivatives (implementations that are the same code embedded into a different product) can be registered for $500 each. Non-member rates are $6,500 for certifications and $750 for derivatives. These fees cover the trademark licensing, interoperability event, test tool usage and support, and documentation processing.

How is the testing done?

Certification starts with self-assessment of specification conformance using FIDO Alliance provided test tools, followed by interoperability testing with at least 3 test partners at FIDO Alliance proctored test events. At this time, there is no lab aspect to the certification program.

Can you describe the testing process?

There are four major testing steps:

  1. Conformance self-validation, which uses test tools to ensure that an implementation is conformant to the specification.
  2. Interoperability testing, where implementers gather to test their implementations together.
  3. Certification registration, where the implementation is submitted to FIDO for certification.
  4. Optional trademark agreement, enabling the FIDO certification mark to be used with a product or service.

What does it mean to “pass”?

The implementation must satisfy two main criteria: that it is conformant to the FIDO specification (to the best of our ability to determine that), and that it is known to interoperate with other implementations. This should provide both businesses and consumers with confidence that a FIDO Certified implementation delivers the FIDO values of stronger, simpler authentication.

What does it mean to “not pass”?

Most likely that an implementation has some bugs to work through before being considered an exemplar of FIDO.

How often do testing events occur?

Interoperability events occur at least every 90 days, but may occur more frequently based on implementer demand.

How does the FIDO Alliance certify derivative products?

Derivative certification was created to streamline the certification process for implementers that have a large volume of certifications that are essentially all based off of the same implementation. In this case, implementers may certify one implementation and the rest may be registered as “derivatives” of that base certification. Derivatives don’t require running test tools or attending interoperability events to achieve certification, but the implementation cannot change in any substantial way from the original certification earned via our test tools and interoperability testing.

Must I certify a product in order to market it?

No. But a product must be certified to claim to be FIDO Certified and use the FIDO Certified logo.

What is the audit process for products in the market?

The FIDO Alliance staff will audit on a monthly basis the usage of FIDO Certified logos and published claims of certification. Auditing of actual implementations will be driven by market feedback. Should any concerns arise, feedback can be submitted through the Certified Logo Violation form.

What is the Certificate number format of the FIDO Alliance issued Certificates?

The FIDO Alliance issued Certificates have the following numerical format:

SSS - Specification name (UAF or U2F)
X - Specification number
Y - Specification minor number
Z - Specification revision number
A - Specification errata number
YYYY - Year issued
MM - Month issued
DD - Day issued
#### - Sequence number of the certificate among those issued that day


Our company just built a new product but we haven’t gotten it certified yet. Can we say that it is FIDO Certified while we are working on achieving our certification?

No. Only products that have passed through FIDO Certification program and have been granted a certification number can claim to be FIDO Certified.