FIDO2: Moving the World Beyond Passwords
The FIDO2 Project is a set of interlocking initiatives that together create a FIDO Authentication standard for the web and greatly expand the FIDO ecosystem. FIDO2 comprises the W3C’s Web Authentication specification (WebAuthn) and FIDO’s corresponding Client-to-Authenticator Protocol (CTAP), which collectively will enable users to leverage common devices to easily authenticate to online services — in both mobile and desktop environments.
WebAuthn defines a standard web API that can be built into browsers and related web platform infrastructure to enable online services to use FIDO Authentication. CTAP enables external devices such as mobile handsets or FIDO Security Keys to work with WebAuthn and serve as authenticators to desktop applications and web services.
Multiple major web browsers including Chrome, Firefox and Microsoft Edge have implemented the standards; Android, Windows 10 and related Microsoft technologies also will have built-in support for FIDO Authentication.
The completion of the FIDO2 standardization efforts and the commitment of leading browser vendors to its implementation open a new era of ubiquitous, hardware-backed FIDO Authentication protection for everyone using the internet.
Enterprises and online service providers looking to protect themselves and their customers from the risks associated with passwords — including phishing, man-in-the-middle and attacks using stolen credentials — can soon deploy standards-based strong authentication that works through the browser. Deploying FIDO Authentication enables online services to provide choice to users from an interoperable ecosystem of devices people use every day like mobile phones and security keys.
The new specifications complement existing passwordless FIDO UAF and second-factor FIDO U2F use cases and specifications and expand the availability of FIDO Authentication. Users that already have external FIDO-compliant devices, such as FIDO U2F Security Keys, will be able to continue to use these devices with web applications that support WebAuthn. Existing FIDO UAF devices can still be used with pre-existing services as well as new service offerings based on the FIDO UAF protocols.
FIDO Alliance has launched interoperability testing and certification for servers, clients and authenticators adhering to FIDO2 specifications. Additionally, the Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO authenticator types (FIDO UAF, FIDO U2F, WebAuthn, CTAP). As a best practice, the FIDO Alliance recommends online services and enterprises deploy a Universal Server to ensure support for all FIDO Certified authenticators.
WebAuthn + CTAP Flow
Collaborating to Drive an Industry Answer
Security on the web has long been a problem which has interfered with the many positive contributions the web makes to society. While there are many web security problems and we can’t fix them all, relying on passwords is one of the weakest links. With WebAuthn’s multi-factor solutions we are eliminating this weak link. WebAuthn will change the way that people access the web.
“Google Chrome is dedicated to building a better web, and allowing developers to interact with secure keystores in a structured way helps us continue this mission. As a founding member of the U2F and FIDO2 working groups within FIDO, we’re excited for the launch of these standards and look forward to our continued collaboration.”
“Providing a password alternative that works across devices, apps, browsers, and websites delivers on our commitment to a future without passwords. We are excited to announce that we will add support for WebAuthn API, currently in the approval process stage, and W3C, in Microsoft Edge thanks to our work with the FIDO Alliance.”
With Web Authentication, we’re giving people using Firefox the opportunity to add another layer of security to their browsing experience. Giving people greater control over how they manage their security online and making the internet safer is central to Mozilla’s mission to keep the web open and accessible to all.
Member Perspectives on FIDO2
“As an active contributor and board member of FIDO, Daon is eager for the launch of FIDO2 to offer new authentication options to our global customers and their users, through our IdentityX platform. These new standards are another key component in enabling Daon to fulfill its mission of eliminating passwords through biometrics and empowering people across any channel to transact in a trusted manner.”
— Conor White, President (Americas), Daon
“Providing security keys to enable simpler yet stronger authentication across all platforms for users worldwide is our primary focus. With this major standards milestone announced by FIDO Alliance and W3C, we are excited to support the next generation of ubiquitous, hardware-backed FIDO Authentication.”
— Tibi Zhang, Managing Director of International Business, Feitian Technologies
“One of the key challenges enterprises face today is the ability to mitigate risk while simplifying the login experience for end users at the same time. In supporting FIDO2, Gemalto looks forward to helping organizations rationalize their authentication schemes to effectively manage risk. This can be done by applying the appropriate level of authentication method to diverse use cases, while at the same time making it easy and convenient for end users to securely access multiple enterprise resources.”
— Francois Lasnier, Senior Vice President, Identity and Access Management at Gemalto
“Nok Nok Labs has seen significant momentum and adoption for FIDO based passwordless authentication for anyone using a mobile application; now with the added FIDO2 standard and the W3C WebAuthn specification, we will be able to provide passwordless, privacy-centric, phishing-resistant, secure authentication through Web browsers on your PCs, and mobile devices. I want to thank the browser community for uniting with us to bring about an interoperable, standards based authentication solution for service providers to implement that is easy-to-use and secure for consumers.”
— Ramesh Kesanupalli, Co-Founder – The FIDO Alliance and Founder – Nok Nok Labs Inc.
“As a board member of the FIDO Alliance and chair of the FIDO Enterprise Adoption Group, RSA strongly believes there is a role for FIDO in our customers’ secure access transformations. We are committed to supporting the new FIDO2 standard in RSA SecurID Access and believe it will be an important component in RSA’s unique ability to provide our customers with a range of secure and convenient authentication options to help mitigate identity risk.”
— Salah Machani, Director of Technology, RSA and FIDO Alliance Board member and Enterprise Adoption Sub-Group Chair
“Raonsecure is excited to move beyond mobile with FIDO2. Working with the Intel Online Connect platform to bring FIDO authentication to PCs, we are pleased to make it easier for enterprises and individuals to use stronger and more convenient online authentication than ever before, on whatever device they are using.”
— Soonhyung Lee, CEO, Raonsecure
“OneSpan is proud to be part of FIDO’s initiative to standardize the authentication industry. As a leading provider of authentication, risk, fraud and mobile security solutions for half of the top 100 global banks, and as a FIDO Alliance Board member and active participant in the FIDO2 working group, OneSpan has embraced the FIDO and FIDO2 standards within our solutions to ensure customers and consumers can easily and securely authenticate to online services.”
— Roger Wigenstam, Vice President of Product Management, OneSpan and FIDO Alliance Board Member
“Yubico co-created the core and revolutionary invention behind FIDO U2F — one single second-factor security key that works with any number of services, without drivers or client software needed, and without shared secrets between services. FIDO2 is a natural evolution of U2F, delivering trusted, passwordless authentication for the modern and distributed workforce.”
— Stina Ehrensvard, CEO and Founder, Yubico