FIDO authentication uses standard public key cryptography techniques to provide phishing-resistant authentication. During registration with an online service, the user’s client device creates a new cryptographic key pair that is bound to the web service domain. The device retains the private key and registers the public key with the online service. These cryptographic key pairs, called passkeys, are unique to every online service. Unlike passwords, passkeys are resistant to phishing, are always strong, and are designed so that there are no shared secrets.
How Authentication Works with FIDO
With FIDO, the user’s device must prove possession of the private key by signing a challenge for sign-in to be completed. This can only occur once the user verifies the sign-in locally on their device, via quick and easy entry of a biometric, local PIN or touch of a FIDO security key. Sign-in is completed via a challenge-response from the user device and the online service; the service does not see or ever store the private key.
FIDO is designed from the ground up to protect user privacy and prevent phishing. Every passkey is unique and bound to the online service domain. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user’s device.
Enrollment and Sign-in with FIDO
Enrolling a Passkey with an Online Service
- User is prompted to create a passkey
- User verifies the passkey creation via local authentication method such as biometrics, local PIN or touching their FIDO security key
- User’s device creates a new public/private key pair (passkey) unique for the local device, online service and user’s account.
- Public key is sent to the online service and associated with the user’s account. Any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
Using a Passkey for Subsequent Sign-in
- User is prompted to sign in with a passkey
- User verifies the sign in with passkey via local authentication method such as biometrics, local PIN or touching their FIDO security key
- Device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
- Client device sends the signed challenge back to the service, which verifies it with the stored public key and signs-in the user