Yuriy Ackermann, Sr. Certification Engineer, FIDO Alliance
The FIDO Alliance is pleased to announce the release of the FIDO U2F version 1.2 specification. This update has been published as a “Proposed Standard” and comes after several months of work by FIDO members. The changes include:
- Improvements to JavaScript and MessagePort APIs
- U2F metadata statement support
- Attestation Certificate X.509 Transport extension added
- Silent-authentication mode added
- Various fixes and editorial updates
Silent authenticator support is the highlight feature of this update. It is particularly useful to FIDO-based federated solutions that need silent mode for “bearer token”-like authentication modes. The major advantage of FIDO-based solutions is that key material cannot be compromised. Since FIDO protocols are based on digital signatures, and the private key is generally stored in secure enclaves, federated identity schemes can use the authenticator as an unrecoverable bearer token without worrying about cross-site scripting (XSS) and malware on the client side.
With added support for Metadata Statements, vendors can now register FIDO U2F authenticators with a metadata service. This is particularly useful for service providers who want to restrict the types of authenticators they accept. For example, a service provider may only allow FIDO Certified authenticators, or it may be required by regulation to only accept government-approved authenticators supporting particular protocols or certifications, such as FIPS, CSPN, AFSCM and others.
Another interesting feature is the FIDO U2F X.509 Transport Extension. This gives service providers a better picture of the types of authenticators the user has, which helps improve the user experience.
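As an added illustration (not code from this post or from the FIDO Alliance), the sketch below shows how a service provider could decode the transports extension once an X.509 library has extracted its value from the attestation certificate. The OID and bit names come from the FIDO U2F Authenticator Transports Extension specification rather than from this post, and the sample bytes are constructed.

```python
# Added example: decode the FIDO U2F transports extension from an attestation
# certificate. Assumes the extension value (a DER BIT STRING) was already
# extracted from the certificate by an X.509 library.

FIDO_U2F_TRANSPORTS_OID = "1.3.6.1.4.1.45724.2.1.1"  # id-fido-u2f-ce-transports

# Named bits of the fidoU2FTransports BIT STRING (bit 0 is the most significant).
TRANSPORT_BITS = {
    0: "bluetooth-classic",
    1: "bluetooth-low-energy",
    2: "usb",
    3: "nfc",
    4: "usb-internal",
}


def decode_u2f_transports(ext_value: bytes) -> list:
    """Return the transport names encoded in the DER BIT STRING ext_value."""
    if len(ext_value) < 2 or ext_value[0] != 0x03:
        raise ValueError("expected a DER BIT STRING (tag 0x03)")
    length = ext_value[1]
    if length & 0x80:
        raise ValueError("long-form length is not expected for this extension")
    if length < 1 or len(ext_value) != 2 + length:
        raise ValueError("encoded length does not match the value")
    unused, payload = ext_value[2], ext_value[3:]
    if unused > 7 or (not payload and unused):
        raise ValueError("invalid unused-bit count")
    if payload and payload[-1] & ((1 << unused) - 1):
        raise ValueError("unused bits must be zero in DER")
    transports = []
    for index in range(len(payload) * 8 - unused):
        if payload[index // 8] & (0x80 >> (index % 8)):
            # Bits this table does not know stay visible so policy can decide.
            transports.append(TRANSPORT_BITS.get(index, f"unknown-bit-{index}"))
    return transports


if __name__ == "__main__":
    # Constructed sample values, not taken from real certificates.
    for sample in ("03020520", "03020430", "03020640"):
        print(sample, decode_u2f_transports(bytes.fromhex(sample)))
```

A relying party would typically store the decoded list with the registered key and use it to tell the user which connection method to try at sign-in.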
Other changes include an improved JavaScript API (JSAPI), U2FHID ISO enhancements, and forward compatibility with FIDO2.
For a detailed overview, refer to our extended overview blog: “FIDO TechNote: A Detailed Look at FIDO U2F v1.2”