Governments around the world are recognizing and deploying FIDO. Clicking on the countries / regions below provides information on how government agencies have deployed FIDO certified solutions for use by employees and/or citizens in government programs (these entries are noted as “deployments”). This page also includes government agencies that have recognized and included references to FIDO standards in policy documents and/or regulations pertaining to online authentication (these entries are noted as “recognitions”). Please check back frequently as this page will be updated as new deployments and recognitions roll out.

A downloadable version that includes more details of FIDO deployments and recognitions, is available by clicking here.

United Kingdom
Users:
Employees
Type:
Recognitions

FIDO Technology: FIDO2
Agency:

National Health Service

Program:

NHS Identity Authentication Service

Description:

NHS Identity currently authenticates against around 1 million care worker identities in its repository; registered and checked to a high level of confidence several new methods of verifying the subject, such as one time passwords, push notifications, knowledge based secrets, biometric touch id, Windows Hello, cryptographic certificates, FIDO2 supported devices and OIDC Smartcards


Users:
Citizens
Type:
Recognitions
Agency:

Cabinet Office, Government Digital Service

Program:

GPG 44 – Using authenticators to protect an online service

Description:

The U.K.’s Government Digital Service published updated guidance, Using authenticators to protect an online service (GPG 44). Following NIST, the term ‘credential’ has been replaced with “authenticator”. Transaction monitoring is noted and “High Quality Authenticators” is defined if it has been independently tested to prove it meets industry standards, such as the Common Criteria guidelines, FIDO or FIPS 140-2.


Users:
Citizens
Type:
Deployments

FIDO Technology: U2F
Agency:

Cabinet Office, Government Digital Service

Program:

GOV.UK (https://www.gov.uk/) Verify

Description:

GOV.UK (https://www.gov.uk/) Verify uses a host of identity providers, including Digidentity which supports U2F, to validate a citizen’s personal data, store that data, and verify the user is who they say they are when they attempt to access government digital services.


Users:
Citizens
Type:
Deployments

FIDO Technology: UAF
Agency:

National Health Service

Program:

NHS mobile app

Description:

NHS App aims to allow the public to fulfil their healthcare needs at the touch of a button. However, a security-conscious, multi-factor authentication login process proved a major ‘speed bump’ for users. The NHS App team worked closely with NHS login, the identity verification system that enables patients to access their digital records and services, to look review potential solutions of providing password-less login for users. They wanted to go with biometric and selected FIDO UAF. They have about 1.5 million users.


Users:
Citizens
Type:
Recognitions
Agency:

Department of Digital, Culture, Media and Sport (DCMS)

Program:

UK digital identity and attributes trust framework alpha

Description:

DCMS is responsible for digital identity policy and strategy for the UK economy. In February 2021, DCMS published the UK digital identity and attributes trust framework alpha for organizations that want to provide or consume digital identity and attribute products and services.


United Kingdom
United States
Users:
Citizens
Type:
Deployments

FIDO Technology: U2F, FIDO2
Agency:

General Services Administration

Program:

Login.gov

Description:

US system for single sign-on across different agency applications. Use of FIDO is one option.


Users:
Employees
Type:
Recognitions

FIDO Technology: U2F, FIDO2
Agency:

National Cybersecurity Center of Excellence

Program:

Mobile Single Sign-On for Public Safety/First Responders

Description:

NIST Cybersecurity Practice Guide demonstrates how commercially available technologies, standards, and best practices implementing SSO, identity federation, and MFA can meet the needs of public safety first responder communities when accessing services from mobile devices.


Users:
Employees Citizens
Type:
Recognitions
Agency:

NIST

Program:

Digital Identity Guidelines: Implementation Resources for SP 800-63-3

Description:

July 2020 publication highlights use of FIDO in meeting AAL2 requirements for single factor cryptographic


Users:
Employees
Type:
Recognitions

FIDO Technology: UAF, U2F
Agency:

Office of Management & Budget

Program:

Implementation of OMB memo M-19-17 – FICAM Policy

Description:

Update policy includes: Innovate capabilities and update Federal Public Key Infrastructure (PKI)27 to provide government with a trust framework and infrastructure to administer digital certificates and other authentication solutions, such as those based on public key cryptography. This includes updating the PKI shared service provider approach to enable strong government oversight of service providers, including procurement and cost controls through GSA acquisition solutions as applicable


Users:
Employees
Type:
Recognitions
Agency:

Drug Enforcement Administration

Program:

Electronic Prescribing of Controlled Substances

Description:

April 2020 Request for Information included questions about FIDO U2F.


Users:
Employees Citizens
Type:
Recognitions
Agency:

NIST

Program:

President’s Executive Order (EO) on Improving the Nation’s Cybersecurity

Description:

NIST’s new guide on “Security Measures for EO-Critical Software Use” focuses on companies that are supplying software to the government.


Users:
Employees Citizens
Type:
Recognitions
Agency:

CISA (Cybersecurity & Infrastructure Security Agency)

Program:

Multi-Factor Authentication Guidance

Description:

Updated MFA guidance flagged FIDO as the “gold standard” of MFA and provided a great description of FIDO, as well as a direct link to the FIDO Alliance website for more information.


Users:
Employees Citizens
Type:
Recognitions

FIDO Technology: FIDO2
Agency:

Office of Management & Budget

Program:

Federal Zero Trust Strategy

Description:

Requires phishing-resistant AuthN in enterprise apps, and that it must be an option in public facing apps. Calls out FIDO2 and WebAuthn as the preferred approach.


United States

Questions on this webpage? Email info@fidoalliance.org