
The Passkey Pledge is a voluntary pledge for online service providers and authentication product and service vendors. Individuals are not in scope for the pledge, though they are encouraged to voice their support for passkeys through their preferred channels.
Participation in this pledge means that service providers and vendors commit to make a good-faith effort to work towards the stated goals throughout the year. Companies that make measurable progress towards the pledged goal should publicly document their achievements within one year of signing the pledge. Companies that do not make measurable progress are still encouraged to share their efforts, challenges, and approaches within the same timeframe so that others can learn. This pledge is voluntary and not legally binding.
The FIDO Alliance recognizes and appreciates service providers and vendors who have already implemented passkey support for sign-ins or in their products. Companies that already support passkeys should publicly state their implementation methods and the resulting impacts, if possible.
Take the Passkey Pledge
Companies taking the pledge commit to make a good-faith effort to work towards these stated goals throughout the year:
For service providers that have an active implementation of passkeys for sign-in
Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of passkeys by users when signing into the company’s services.
For service providers that are in the process of implementing passkeys for sign-in
Within one year of signing the pledge, demonstrate measurable actions taken to enable passkeys for signing into the company’s services.
For vendors with FIDO-based products and/or services
Within one year of signing the pledge, demonstrate actions taken to measurably increase the use of passkeys through adoption of the company’s products and/or services.
For vendors developing FIDO-based products and/or services
Within one year of signing the pledge, demonstrate measurable actions to FIDO certify its products and launch a product or service with passkey sign-in support.
For industry associations and standards organizations
Within one year of signing the pledge, demonstrate actions to increase the visibility and benefits of passkey sign-ins.
Taking Action: Resources to Help Organizations to Fulfill the Pledge
The FIDO Alliance has resources and best practices for Passkey Pledge organizations to take action, including:
- Sharing their commitment to the Passkey Pledge via external communications channels
- Leveraging the guidance on passkeycentral.org to plan, implement and expand their passkey rollouts
- Implementing the FIDO Design Guidelines, data-driven UX best practices for passkey rollouts
- Getting their products FIDO Certified, to demonstrate that their products are compliant, interoperable and secure
- Releasing case studies on their own or their customers’ behalf, to share implementation journeys and business outcomes. Organizations can reach out to info@fidoalliance.org to submit case studies directly to the FIDO Alliance.
- Taking part in the FIDO Alliance member activities and working groups to further drive passkey optimization and adoption
- Planning and/or taking steps to remove passwords as a sign-in option.
Take the Pledge Today
Submit this form to sign the pledge. Signers of the pledge agree to have their company name (and not logo) included on marketing materials relating to the pledge. While we collect the names and emails of signatories, they will not be made public.
Why should my company consider joining the FIDO Alliance?
There are significant benefits to taking part in FIDO Alliance as a member, whether your company is a vendor looking to bring FIDO-based solutions to market, or if your organization is a service provider seeking to understand the most effective ways to deploy FIDO Authentication to your customers and/or employees. You can learn more here.
What’s the process for joining the FIDO Alliance?
Please see the required steps on the FIDO Alliance membership web page.
How does FIDO compare with PKI?
FIDO takes a “lightweight” approach to asymmetric public-key cryptography, which offers service providers a way to extend the security benefits of public-key cryptography to a wider array of applications, domains, and devices – especially where traditional PKI has proven difficult or impossible. FIDO is not a replacement for PKI but rather complements it, enabling a greater number of users and applications to be protected using asymmetric cryptography. This is especially important in situations where the alternative has been a username and password.
What devices and platforms have FIDO support?
The FIDO Alliance developed its FIDO2 specifications with the W3C to enable FIDO Authentication capabilities to be built into a wider array of devices, platforms, and web browsers. FIDO is currently supported in Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari (macOS), iOS web browsers, as well as Windows 10 and Android platforms.
What are some examples of FIDO being deployed in-market today?
Many leading organizations around the world have deployed FIDO Authentication to their employees and users, reducing their security risks and improving user experience. Check out our homepage under “who’s using FIDO” for a sample.
Why did FIDO publish multiple specifications? What are the differences?
The FIDO Alliance has published three sets of specifications for simpler, stronger authentication – FIDO U2F, FIDO UAF and FIDO2 – in order to provide for the widest range of use cases and deployment scenarios:
When were the FIDO specifications published?
From its inception, the FIDO Alliance stated intentions to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. Two years after its inception, the Alliance delivered the final 1.0 specifications in December 2014 to enable that vision. This was an important milestone on the industry’s road to ubiquitous simpler, stronger authentication, and many deployments brought FIDO Authentication to users around the globe. To further add support for FIDO Authentication across devices and platforms, FIDO Alliance published its second set of specifications, FIDO2, in March 2019. See “Why did the FIDO Alliance see the need for FIDO2?” for more information.
What are the FIDO specifications?
The FIDO Alliance has published three sets of specifications for simpler, stronger authentication: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and the Client to Authenticator Protocols (CTAP). CTAP is complementary to the W3C’s Web Authentication (WebAuthn) specification; together, they are known as FIDO2.
What’s the best way to follow FIDO’s progress?
The FIDO Alliance website provides comprehensive information about the Alliance, its specifications, FIDO Certified products, a knowledge base of resources and best practices and general progress. You can also sign up to receive updates and invitations to future events, many of which are open to the public. You can also follow @FIDOalliance on Twitter and/or on LinkedIn.
Is the FIDO Alliance a non-profit organization? What is the scope?
The FIDO (Fast IDentity Online) Alliance is a 501(c)6 non-profit organization incorporated in mid-2012 to develop standards that address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. To learn more about the FIDO Alliance governance and structure, please refer to the About FIDO page and the Membership Details page.
Do the FIDO specifications enable anyone to begin using the specs to develop and offer FIDO certified products?
FIDO’s specifications are public and available for anyone to read and analyze. But only FIDO Alliance Members benefit from “the promise” to not assert patent rights against other members’ implementations (see the FIDO Alliance Membership Agreement for details). Anyone may join the FIDO Alliance; we encourage even very small companies with a very low cost to join at the entry level. Members at all levels not only benefit from the mutual non-assert protection but also participate with FIDO Alliance members, activities, and developments; Associates have more limited participation benefits (https://fidoalliance.org/members/membership-benefits/). All are invited to join the FIDO Alliance and participate.
Is one FIDO token/dongle/device better than another? How can I choose which to buy?
FIDO specifications are device-agnostic and support a full range of authentication technologies, including FIDO Security Keys and biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as PIN or pattern-protected microSD cards. FIDO specifications will also enable existing solutions and communications standards, such as Trusted Platform Module (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). Because FIDO specifications are open, they are designed to be extensible and to accommodate future innovation, as well as protect existing investments.
Has FIDO made implementation rights available to anyone?
FIDO Alliance members have all committed to the promise contained within our Membership Agreement to not assert their patents against any other member implementation of FIDO 1.0 final specifications (referred to as “Proposed Standard” in our Membership Agreement). Anyone interested in deploying a FIDO compliant solution can do so without joining the Alliance, and they are strongly encouraged to use FIDO Certified products to enable that deployment.
How can I be sure that the product I’m buying conforms to FIDO standards?
The FIDO Alliance Certification Working Group is responsible for testing products for conformance to FIDO specifications and interoperability between those implementations. You can learn more about the FIDO® Certified program here.
Why are standards important?
Open industry standards assure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate various devices and services without having to make new investments or reverting to proprietary configurations.
Can’t someone break into an account if they steal a device?
No. In order to break into an account, the criminal would need not only the user’s device that was registered as a FIDO Authenticator to the account but also the ability to defeat the user identification challenge used by the Authenticator to protect the private keys – such as a username and PIN or a biometric. This makes it extremely difficult to break into a FIDO-enabled account.
How does the FIDO approach to biometric authentication make a user safer? Could anyone steal my biometric information from a device or online service?
When used in FIDO Authentication, user biometric data never leaves the device and is never stored on a central server where it could be stolen in a breach. FIDO’s on-device model for authentication eliminates the risk of a remote attack. If a would-be attacker had access to the user’s actual device, a successful spoof would be quite difficult. First, the attacker must obtain a perfectly formed, complete latent print that is also enrolled on the target user’s device. Then, the attacker must gain access to the user’s device in order to control only that one device. The single spoof, even if accomplished, doesn’t approach the potential harm done by today’s typical mass-scale attack, which can result in harvesting millions and hundreds of millions of users’ credentials.
How does FIDO Authentication make users safer on the web?
Unlike current password-based authentication models that have proven vulnerable to mass-scale attacks and fraud, FIDO authentication credentials are never shared or stored in centralized databases. FIDO credentials are known and maintained only by the user’s own device. All that is ever stored by the service provider are the public keys paired to the user’s device where the private keys are stored. For additional security and privacy, biometrics used in FIDO Authentication never leave the device. This security model eliminates the risks of phishing, all forms of password theft and replay attacks. A would-be attacker would need the user’s physical device to even attempt a hack (see “Can’t someone break into an account if they steal a device?” for more information). The password ecosystem has afforded attackers a great return on investment with relatively limited risk; the FIDO ecosystem is far more difficult, expensive and risky for attackers to profit from.
How do you protect against root kits and malware attacks on the embedded fingerprint sensor?
The FIDO Alliance recently launched the Authenticator Certification Program. This program introduces Authenticator Security Requirements to the FIDO Certification Program specifically for authenticators. Each authenticator that is certified under the FIDO Certification program is validated to meet specific security assurance levels depending on the level of security the vendor is seeking. The higher the level, the greater the security assurance. More information about this program can be found here: https://fidoalliance.org/certification/authenticator-certification-levels/.
If I use the same device with multiple websites, can one site know that I use it with another site?
No, this type of information exchange is prevented with FIDO Authentication. Each device/website pairing requires separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites. FIDO does not introduce any new tracking mechanism that could be used to correlate user activity online.
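The per-site key pair and the signed, single-use challenge described in the answers above, as a simplified Node.js model added here (not FIDO Alliance code and not the WebAuthn/CTAP wire format). The class names and the hosts `shop.example`, `bank.example` and `shop.example.login.test` are constructed for illustration.

```javascript
// Added illustration: simplified model of FIDO registration and sign-in.
// Not the WebAuthn/CTAP wire format; all names and hosts are constructed.
const nodeCrypto = require('crypto');

const sha256 = (data) => nodeCrypto.createHash('sha256').update(data).digest();

// Bytes covered by the signature: hash of the site identifier, then hash of
// the client data (challenge + origin), loosely following WebAuthn's layout.
const signedBytes = (rpId, clientDataJSON) =>
  Buffer.concat([sha256(rpId), sha256(clientDataJSON)]);

// The user's device: one key pair per site, private keys never leave it.
class Authenticator {
  constructor() { this.privateKeys = new Map(); } // rpId -> private key
  register(rpId) {
    const { publicKey, privateKey } =
      nodeCrypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.privateKeys.set(rpId, privateKey);
    return publicKey.export({ type: 'spki', format: 'der' }); // only this is shared
  }
  sign(rpId, clientDataJSON) {
    const key = this.privateKeys.get(rpId);
    if (!key) return null; // no credential scoped to this site
    return nodeCrypto.sign('sha256', signedBytes(rpId, clientDataJSON), key);
  }
}

// The browser fills in the origin it actually loaded; the page cannot choose it.
function browserGetAssertion(authenticator, pageOrigin, challenge) {
  const rpId = new URL(pageOrigin).hostname;
  const clientDataJSON = JSON.stringify({ challenge, origin: pageOrigin });
  return { clientDataJSON, signature: authenticator.sign(rpId, clientDataJSON) };
}

// The service: stores public keys only and issues single-use challenges.
class RelyingParty {
  constructor(rpId) {
    this.rpId = rpId;
    this.origin = `https://${rpId}`;
    this.publicKeys = new Map(); // user -> DER-encoded public key
    this.pending = new Map();    // user -> outstanding challenge
  }
  enroll(user, publicKeyDer) { this.publicKeys.set(user, publicKeyDer); }
  newChallenge(user) {
    const challenge = nodeCrypto.randomBytes(32).toString('hex');
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, { clientDataJSON, signature }) {
    const expected = this.pending.get(user);
    this.pending.delete(user); // a challenge is consumed by the first attempt
    const stored = this.publicKeys.get(user);
    if (!expected || !stored) return 'rejected: no pending challenge';
    if (!signature) return 'rejected: no assertion';
    const clientData = JSON.parse(clientDataJSON);
    if (clientData.challenge !== expected) return 'rejected: challenge mismatch';
    if (clientData.origin !== this.origin) return 'rejected: origin mismatch';
    const publicKey = nodeCrypto.createPublicKey(
      { key: stored, format: 'der', type: 'spki' });
    const ok = nodeCrypto.verify(
      'sha256', signedBytes(this.rpId, clientDataJSON), publicKey, signature);
    return ok ? 'accepted' : 'rejected: bad signature';
  }
}

function runDemo() {
  const device = new Authenticator();
  const shop = new RelyingParty('shop.example');
  const bank = new RelyingParty('bank.example');
  const shopKey = device.register(shop.rpId);
  const bankKey = device.register(bank.rpId);
  shop.enroll('alice', shopKey);
  bank.enroll('alice', bankKey);

  // 1. Normal sign-in on the genuine origin.
  const first = browserGetAssertion(device, shop.origin, shop.newChallenge('alice'));
  const login = shop.verify('alice', first);

  // 2. The same assertion presented again after the service issued a new challenge.
  shop.newChallenge('alice');
  const replay = shop.verify('alice', first);

  // 3. A genuine challenge shown to the user on a look-alike origin: the device
  //    holds no key scoped to that host, so nothing is signed.
  const relayed = shop.newChallenge('alice');
  const lookalike = browserGetAssertion(
    device, 'https://shop.example.login.test', relayed);
  const phish = shop.verify('alice', lookalike);

  // 4. The two services hold unrelated public keys for the same device.
  return { login, replay, phish, keysDiffer: !shopKey.equals(bankKey) };
}

console.log(runDemo());
```

Because each service holds a different public key and no shared identifier, comparing the two stored records gives no way to tell they belong to the same device.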
Does FIDO get any of my personal information?
No. FIDO Alliance only specifies standards for strong authentication and tests implementations for compliance to those standards; the Alliance does not provide services or equip devices or sites. Device manufacturers, online service providers, enterprises, and developers use the FIDO specifications to build products, provide services, and enable sites and browsers with FIDO authentication. Under FIDO specifications, the user’s credentials must remain on the user’s device, and they are never shared with a provider or service.
How can companies get involved in the FIDO Alliance’s new work areas?
The IDWG and IoT TWG are now open to industry participants. Participation in FIDO Alliance working groups is open to all board and sponsor level members of the FIDO Alliance. For more information on joining the Alliance, visit https://fidoalliance.org/members/membership-benefits.
What will the IoT Technical Working Group do?
The IoT TWG will provide a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the Alliance – passwordless authentication. The IoT TWG will develop use cases, target architectures and specifications covering: IoT device attestation/authentication profiles to enable interoperability between service providers and IoT devices; automated onboarding, and binding of applications and/or users to IoT devices; and IoT device authentication and provisioning via smart routers and IoT hubs.
What will the Identity Verification and Binding Working Group do?
The FIDO Alliance has identified newer remote, possession-based techniques including biometric “selfie” matching and government-issued identity document authentication as having the potential to greatly improve the quality of identity assurance for new account onboarding and account recovery. The IDWG will define criteria for this type of remote identity verification, as well as others, and develop a certification program and educational materials to support the adoption of that criteria.
How will the Alliance fulfill these new standards and certification initiatives?
The Alliance has formed two new working groups: the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG) to establish guidelines and certification criteria in these areas. The FIDO Alliance will continue to focus on development and adoption of its user authentication standards and related programs and use them as a foundation for this expanded work, with contributions from current members and new industry participants.
How do these new areas relate to user authentication?
Identity verification and IoT security are both adjacent to the FIDO Alliance core focus on user authentication. For accounts protected by FIDO Authentication, identity verification for the account recovery process when a FIDO device is lost or stolen becomes critical to maintaining the integrity of the user’s account. With IoT devices, typical industry practice is to ship them with default password credentials and manual onboarding, which leaves them open to attack. The security gaps in both of these areas can most effectively be addressed through industry collaboration and standardization rather than siloed, proprietary approaches.
What is the FIDO Alliance trying to achieve with these new initiatives?
Ultimately, the Alliance is striving to increase the efficacy and market adoption of FIDO Authentication by addressing adjacent technology areas that leave security vulnerabilities on the web. There is a gap between the high assurance provided by FIDO Authentication standards and the lower assurance methods used in identity verification for account recovery and IoT authentication. The Alliance aims to strengthen identity verification assurance to support better account recovery and automate secure device onboarding to remove password use from IoT.
What are the FIDO Alliance new work areas?
The Alliance announced new work areas to develop standards and certification programs in identity verification and the Internet of Things (IoT).
What is next for the FIDO Alliance and FIDO standards?
FIDO Alliance’s work is just beginning. The specifications and certification programs are continuing to evolve, and our deployment work is taking on even greater importance. Additionally, the Alliance has just launched new work areas in IoT and identity verification, which leverage the Alliance’s broad coalition of leading organizations from around the world to help standardize technologies adjacent to user authentication. For more information on these work areas, read https://fidoalliance.org/fido-alliance-announces-id-and-iot-initiatives/.
How does the FIDO Alliance ensure interoperability with FIDO2?
FIDO Alliance provides interoperability testing and certification for servers, clients, and authenticators adhering to FIDO2 specifications. Additionally, the Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO Authenticator types (UAF, U2F, CTAP). As a best practice, the FIDO Alliance recommends online services and enterprises deploy a Universal Server to ensure support for all FIDO Certified Authenticators.
Does FIDO2 mean that FIDO U2F is dead?
Not at all. FIDO U2F capabilities have merged into FIDO2’s CTAP2 protocol, and FIDO U2F security keys will continue to work with services that support U2F authentication as well as those that support FIDO2 authentication.
Does FIDO2 replace the FIDO U2F and FIDO UAF specifications?
The specifications under FIDO2 support existing passwordless FIDO UAF and FIDO U2F use cases and specifications and expand the availability of FIDO Authentication. Users that already have external FIDO-compliant devices, such as FIDO U2F security keys, will be able to continue to use these devices with web applications that support WebAuthn. Existing FIDO UAF devices can still be used with pre-existing services as well as new service offerings based on the FIDO UAF protocols.
What is the status of FIDO2 browser and platform implementation?
Current adoption status is available here.
What is the status of FIDO2 specifications development?
FIDO2 standards are published and available for implementation today. WebAuthn reached W3C’s final Recommendation status in March 2019 and is an official web standard. CTAP is a final FIDO Alliance specification.
Why did FIDO Alliance submit specifications to the W3C?
FIDO Alliance partnered with W3C to standardize FIDO Authentication for the entire web platform so the FIDO ecosystem could grow by an entire community of web browsers and web application servers supporting the standard. W3C is where the web community produces their standards, so it was more practical to work in that forum.
What is the relationship between FIDO2 and W3C’s WebAuthn?
A good rule of thumb is to remember this simple equation:
FIDO2 = W3C WebAuthn + CTAP
This is the full story of FIDO2’s development:
After the release of the FIDO UAF and FIDO U2F specifications, FIDO Alliance focused on making FIDO Authentication more accessible to users worldwide. The Alliance developed three technical specifications that defined one web-based API, enabling FIDO Authentication to be built directly into browsers and platforms. These specifications were submitted to the W3C, the international standards organization for the World Wide Web, in November of 2015. FIDO Alliance member companies worked within the W3C’s Web Authentication Working Group to finalize the API, which became known as WebAuthn. WebAuthn was officially recognized as a W3C web standard in March 2019.
In the same time period, the FIDO Alliance created and finalized a complementary specification to WebAuthn: the Client to Authenticator Protocol (CTAP). CTAP makes WebAuthn even more accessible to users by allowing them to use the devices they already own, such as their mobile phone, security key or Windows 10 PC to authenticate to WebAuthn-enabled browsers and platforms.
Together, WebAuthn and CTAP are called FIDO2. The FIDO Alliance manages and maintains the certification program to ensure interoperability of all the FIDO2 implementations in the market – clients, servers and authentication devices.
Why did the FIDO Alliance see the need for FIDO2?
The FIDO Alliance goal has always been ubiquitous strong authentication across the web. That means building support for FIDO Authentication into every device that people use every day. The Alliance made notable progress with its initial FIDO U2F and FIDO UAF specifications, especially on mobile platforms. FIDO2 expands the reach of FIDO Authentication by making it a built-in feature across browsers and web platforms, which is a significant step toward the Alliance’s overall goal.
Is it “FIDO2” or “FIDO 2.0”?
FIDO2 is the official name for the complete set of FIDO’s latest standards.
What specifications are included in FIDO2?
FIDO2 includes two specifications:
What is FIDO2?
FIDO2 is the overarching term for FIDO Alliance’s newest set of strong authentication standards. FIDO2 includes two specifications: W3C’s Web Authentication (WebAuthn) and FIDO Alliance’s Client to Authenticator Protocol (CTAP).
Can I use the same FIDO device with multiple websites? Can I use multiple FIDO devices with the same website?
Yes, you can use multiple websites from one FIDO device. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites.
If a user acquires a new device or wants to use multiple FIDO devices, the user needs only to register each of the devices at the sites where they want to use them. Once a device is registered at a site, it will be recognized whenever the user needs to authenticate at that site. When a user visits a site with a new device that hasn’t been registered, and thus isn’t automatically recognized, the user will be prompted to register the new FIDO device to enable FIDO authentication with the new device at that site.
Will FIDO devices work when I don’t have Internet connectivity?
The purpose of the FIDO model is to provide a secure and simple authentication experience for online services. The authentication involves a user with a device connecting to a service over a network.
What is the Certificate number format of the FIDO Alliance issued Certificates?
The FIDO Alliance Certificate number format is: AA-NNNNN-SSSSS, where AA is the Program Identifier, NNNNN is the Certification number, and SSSSS is the Product Identifier. The Program Identifier corresponds to the certification program under which the Certificate was issued.
What is the audit process for products in the market?
The FIDO Alliance staff will audit on a monthly basis the usage of FIDO Certified logos and published claims of certification. Auditing of actual implementations will be driven by market feedback. Should any concerns arise, feedback can be submitted through the Certified Logo Violation form.
Must I certify a product in order to market it?
No. But a product must be certified to claim to be FIDO Certified and use the FIDO Certified logo.
How does the FIDO Alliance certify derivative products?
Derivative certification was created to streamline the certification process for implementers that have a large volume of certifications that are essentially all based on the same implementation. In this case, implementers may certify one implementation and the rest may be registered as “derivatives” of that base certification. Derivatives don’t require attending interoperability events to achieve certification, but they do require that the derivative implementation run and pass conformance testing. The implementation cannot change in any substantial way from the original certification earned via our test tools and interoperability testing. If there are changes to the implementation, then it will need to go through the FIDO Impact Analysis to determine if the implementation requires a Delta Certification or Recertification.
How often do testing events occur?
Interoperability events occur at least every 90 days, but may occur more frequently based on implementer demand.
What are the costs associated with certification?
Fees are per implementation certified and must be paid before a Certificate will be issued.
For an overview of the FIDO Certification Fees per program, please go to the Certification Fees page.
Can I become FIDO Certified if I am not a FIDO Alliance Member?
Yes. Non-members are welcome to certify their implementations.
What is a Vendor ID and who needs one?
The UAF authenticator specification defines an AAID field that is half Vendor ID and half Device ID used to uniquely identify each authenticator. The Vendor ID is a unique identifier assigned by FIDO to each company implementing a UAF authenticator. The other half of the AAID field, the Device ID, is assigned to the authenticator by the implementing company. Only UAF Authenticators require a Vendor ID.
How long is a product certified, and is recertification required when protocols change?
A product is certified indefinitely as long as the code base of its FIDO implementation doesn’t change in any substantial way. Certification can only be terminated in rare instances, such as determining that an implementation improperly passed test tools or interoperability events. Certification only applies to a specific specification and implementation class (i.e. “UAF Authenticator”). If new major versions of specifications are released (as determined by the FIDO Certification Working Group) and an implementation would like to claim conformance with that specification, new certification will be required.
Is there a Trademark License Agreement (TMLA) requirement for logo use?
Use of the FIDO Certified logo will require signing a TMLA. There is a streamlined process for Relying Parties that wish to use the certification logo on their websites, which includes a “clickless” license agreement.
Will there be a FIDO Certified logo?
Yes. There is a recognizable FIDO Certified logo for vendors to include with their websites, product materials, packaging, etc.
How do I get started?
Start by making sure your implementation passes the conformance tests (registration required). After you’ve validated your implementation, register for an Interoperability event and you’re on your way to certifying your product.
What is the FIDO Alliance Metadata Service?
The FIDO Alliance Metadata Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators.
What kinds of companies should get involved?
Vendor companies looking to bring FIDO-based solutions to market and/or organization service providers seeking to understand the most effective ways to deploy FIDO Authentication will benefit the most from participating in FIDO Alliance working groups.
How do companies benefit from joining the working groups?
By taking part in FIDO Alliance’s technical working groups, members have the ability to shape and have early visibility into FIDO’s technical output – which can help accelerate product and service development. Participating in the working groups will also enable your team to get peer-based feedback to aid with your own implementations, while also creating an opportunity to have your company’s vision reflected in deployment guidelines and recommendations.
Can you describe the functional testing process?
There are four major testing steps:
How is the testing done?
Certification starts with self-assessment of specification conformance through the use of FIDO Alliance provided test tools, followed by interoperability testing with at least three test partners at FIDO Alliance-proctored test events. At this time, there is no lab aspect to the certification program, but the Certification Working Group is currently reviewing requirements to develop and implement a Functional Lab Accreditation program. See the Getting Started web page to learn more.
Are there separate submission fees for testing against each of the FIDO Alliance specifications?
Yes. Implementations must request certification (and pay the certification fees) for each implementation class they are seeking to certify. For example, if an implementation certifies for both a FIDO UAF Server and a FIDO2 Server, that implementation must follow the certification process for both (and pay the certification fees for both). The implementation would ultimately receive two certifications. The primary difference between testing for different specifications is that they have different test tools and different interoperability events.
Our company just built a new product but we haven’t gotten it certified yet. Can we say that it is FIDO Certified while we are working on achieving our certification?
No. Only products that have passed through the FIDO Certification program and have been granted a certification number can claim to be FIDO Certified.
What is the Certificate number format of the FIDO Alliance issued Certificates?
The FIDO Alliance issued Certificates have the following numerical format:
SSSXYZAYYYYMMDD####
SSS – Specification number (UAF or U2F)
X – Specification number
Y – Specification minor number
Z – Specification revision number
A – Specification errata number
YYYY – Year issued
MM – Month issued
DD – Day issued
#### – The number of the certificate issued today
What is the audit process for products in the market?
The FIDO Alliance staff will audit on a monthly basis the usage of FIDO Certified logos and published claims of certification. Auditing of actual implementations will be driven by market feedback. Should any concerns arise, feedback can be submitted through the Certified Logo Violation form.
Must I certify a product in order to market it?
No. But a product must be certified to claim to be FIDO Certified and use the FIDO Certified logo.
How does the FIDO Alliance certify derivative products?
Derivative certification was created to streamline the certification process for implementers that have a large volume of certifications that are essentially all based on the same implementation. In this case, implementers may certify one implementation and the rest may be registered as “derivatives” of that base certification. Derivatives don’t require attending interoperability events to achieve certification, but they do require that the derivative implementation run and pass conformance testing. The implementation cannot change in any substantial way from the original certification earned via our test tools and interoperability testing. If there are changes to the implementation, then it will need to go through the FIDO Impact Analysis to determine if the implementation requires a Delta Certification or Recertification.
How often do testing events occur?
Interoperability events occur at least every 90 days, but may occur more frequently based on implementer demand.
What are the costs associated with certification?
Fees are per implementation certified and must be paid before a Certificate will be issued.
Can I become FIDO Certified if I am not a FIDO Alliance Member?
Yes. Non-members are welcome to certify their implementations.
What is a Vendor ID and who needs one?
The UAF authenticator specification defines an AAID field that is half Vendor ID and half Device ID used to uniquely identify each authenticator. The Vendor ID is a unique identifier assigned by FIDO to each company implementing a UAF authenticator. The other half of the AAID field, the Device ID, is assigned to the authenticator by the implementing company. Only UAF Authenticators require a Vendor ID.
How long is a product certified, and is recertification required when protocols change?
A product is certified indefinitely as long as the code base of its FIDO implementation doesn’t change in any substantial way. Certification can only be terminated in rare instances, such as determining that an implementation improperly passed test tools or interoperability events. Certification only applies to a specific specification and implementation class (i.e. “UAF Authenticator”). If new major versions of specifications are released (as determined by the FIDO Certification Working Group) and an implementation would like to claim conformance with that specification, new certification will be required.
Is there a Trademark License Agreement (TMLA) requirement for logo use?
Use of the FIDO Certified logo will require signing a TMLA. There is a streamlined process for Relying Parties that wish to use the certification logo on their websites, which includes a “clickless” license agreement.
Will there be a FIDO Certified logo?
Yes. There is a recognizable FIDO Certified logo for vendors to include with their websites, product materials, packaging, etc.
How do I get started?
Start by making sure your implementation passes the conformance tests (registration required). After you’ve validated your implementation, register for an Interoperability event and you’re on your way to certifying your product.
What is the FIDO Alliance Metadata Service?
The FIDO Alliance Metadata Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators.
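Passkey Pledge
The Passkey Pledge is a voluntary pledge for online service providers and for providers and vendors of authentication products and services. Individuals are not in scope for the pledge, but are encouraged to voice their support for passkeys through their preferred channels.
By participating in this pledge, service providers and vendors commit to working in good faith toward the stated goals for one year. Companies that achieve visible, concrete progress toward the pledged goals must publish their results within one year of signing the pledge. Companies that do not achieve concrete progress are also encouraged to share the efforts they made, their challenges, and their approaches within the same period, so that other companies have the opportunity to learn. This pledge is strictly voluntary and is not legally binding.
The FIDO Alliance recognizes, and wishes to express its appreciation to, service providers and vendors that have already introduced passkeys for sign-in or in their own products. Companies that already support passkeys are kindly asked to publish, where possible, their implementation methods and the resulting impact.
Take the Passkey Pledge
Companies taking this pledge commit to working in good faith toward the goals set out below for one year.
For: service providers that have already implemented passkeys for sign-in
Within one year of signing this pledge, demonstrate the actions taken to concretely increase the rate of passkey use when users sign in to the company's services.
For: service providers that are working to implement passkeys for sign-in
Within one year of signing this pledge, demonstrate the measurable actions taken to introduce passkeys for signing in to the company's services.
For: providers that offer FIDO-based products or services
Within one year of signing this pledge, demonstrate the actions taken to concretely expand passkey use through the adoption of passkeys in the company's products or services.
For: vendors that develop FIDO-based products or services
Within one year of signing this pledge, demonstrate the measurable actions taken to make the company's products support FIDO authentication (passkey authentication) and to launch a product or service that supports passkey sign-in.
For: industry associations and standards bodies
Within one year of signing this pledge, demonstrate the actions taken to raise awareness of passkey sign-in and its benefits.
Sign the Passkey Pledge now
Signatories to this pledge agree to have their company name (not including the logo) listed in marketing materials related to this initiative.
We collect the signatory's name and email address, but these will not be made public.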
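Passkey Pledge
The Passkey Pledge is a voluntary pledge for online service providers and for vendors of authentication-related solutions and services. Individuals are not in scope for the pledge, but are encouraged to voice their support for passkeys through their preferred channels.
Participating in this pledge means that service providers and vendors commit to working in good faith toward the stated goals for one year. Companies that make measurable progress toward the pledged goals must publicly document their achievements within one year of the pledge date. Companies that do not make measurable progress are also encouraged to share their efforts, the challenges they faced, and their approaches within the same period so that other companies can learn. This pledge is based on voluntary participation and is not legally binding.
The FIDO Alliance highly values the efforts of service providers and solution vendors that already support passkey sign-in or have introduced passkeys into their own products. Companies that already support passkeys are asked to publicly state, where possible, their implementation methods and the resulting effects.
Take the Passkey Pledge
Companies taking the pledge commit to making a good-faith effort toward the following stated goals for one year.
For service providers that have already implemented passkey-based sign-in
Within one year of the pledge date, share the actions taken to measurably increase users' passkey usage when signing in to the company's services.
For service providers that are preparing to implement passkey-based sign-in
Within one year of the pledge date, share the measurable actions taken to enable passkey sign-in for the company's services.
For solution vendors that have FIDO-based products and/or services
Within one year of the pledge date, demonstrate the actions taken to expand passkey use through the company's solutions and/or services.
For solution vendors that are developing FIDO-based products and/or services
Within one year of the pledge date, share the measurable actions taken to obtain FIDO certification for products and to launch a product or service that supports passkey sign-in.
For industry associations and standards bodies
Within one year of the pledge date, share the actions taken to raise awareness of passkey sign-in and its benefits.
Take the Passkey Pledge now
Companies that sign the pledge agree to have their company name (not including the logo) included in marketing materials related to the pledge. The signatory's name and email address are collected but are not made public.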
Why should my company consider joining the FIDO Alliance?
There are significant benefits to taking part in FIDO Alliance as a member, whether your company is a vendor looking to bring FIDO-based solutions to market, or if your organization is a service provider seeking to understand the most effective ways to deploy FIDO Authentication to your customers and/or employees. You can learn more here.
What’s the process for joining the FIDO Alliance?
Please see the required steps on the FIDO Alliance membership web page.
How does FIDO compare with PKI?
FIDO takes a “lightweight” approach to asymmetric public-key cryptography, which offers service providers a way to extend the security benefits of public-key cryptography to a wider array of applications, domains, and devices – especially where traditional PKI has proven difficult or impossible. FIDO is not a replacement for PKI but rather complements it, enabling a greater number of users and applications to be protected using asymmetric encryption. This is especially important in situations where the alternative has been a username and password.
What devices and platforms have FIDO support?
The FIDO Alliance developed its FIDO2 specifications with the W3C to enable FIDO Authentication capabilities to be built into a wider array of devices, platforms, and web browsers. FIDO is currently supported in Google Chrome, Mozilla Firefox, Microsoft Edge, and Apple Safari (macOS), iOS web browsers, as well as Windows 10 and Android platforms.
What are some examples of FIDO being deployed in-market today?
Many leading organizations around the world have deployed FIDO Authentication to their employees and users, reducing their security risks and improving user experience. Check out our homepage under “who’s using FIDO” for a sample.
Why did FIDO publish multiple specifications? What are the differences?
The FIDO Alliance has published three sets of specifications for simpler, stronger authentication – FIDO U2F, FIDO UAF and FIDO2 – in order to provide for the widest range of use cases and deployment scenarios:
When were the FIDO specifications published?
From its inception, the FIDO Alliance stated intentions to change the nature of authentication by developing specifications that define an open, scalable, interoperable set of mechanisms that supplant reliance on passwords to securely authenticate users of online services. Two years after its inception, the Alliance delivered the final 1.0 specifications in December 2014 to enable that vision. This was an important milestone on the industry’s road to ubiquitous simpler, stronger authentication, and many deployments brought FIDO Authentication to users around the globe. To further add support for FIDO Authentication across devices and platforms, FIDO Alliance published its second set of specifications, FIDO2, in March 2019. See “Why did the FIDO Alliance see the need for FIDO2?” for more information.
What are the FIDO specifications?
The FIDO Alliance has published three sets of specifications for simpler, stronger authentication: FIDO Universal Second Factor (FIDO U2F), FIDO Universal Authentication Framework (FIDO UAF) and the Client to Authenticator Protocols (CTAP). CTAP is complementary to the W3C’s Web Authentication (WebAuthn) specification; together, they are known as FIDO2.
What’s the best way to follow FIDO’s progress?
The FIDO Alliance website provides comprehensive information about the Alliance, its specifications, FIDO Certified products, a knowledge base of resources and best practices and general progress. You can also sign up to receive updates and invitations to future events, many of which are open to the public. You can also follow @FIDOalliance on Twitter and/or on LinkedIn.
Is the FIDO Alliance a non-profit organization? What is the scope?
The FIDO (Fast IDentity Online) Alliance is a 501(c)6 non-profit organization incorporated in mid-2012 to develop standards that address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. To learn more about the FIDO Alliance governance and structure, please refer to the About FIDO page and the Membership Details page.
Do the FIDO specifications enable anyone to begin using the specs to develop and offer FIDO certified products?
FIDO’s specifications are public and available for anyone to read and analyze. But only FIDO Alliance Members benefit from “the promise” to not assert patent rights against other members’ implementations (see the FIDO Alliance Membership Agreement for details). Anyone may join the FIDO Alliance; we encourage even very small companies to join at the entry level, which carries a very low cost. Members at all levels not only benefit from the mutual non-assert protection but also participate with FIDO Alliance members, activities, and developments; Associates have more limited participation benefits (https://fidoalliance.org/members/membership-benefits/). All are invited to join the FIDO Alliance and participate.
Is one FIDO token/dongle/device better than another? How can I choose which to buy?
FIDO specifications are device-agnostic and support a full range of authentication technologies, including FIDO Security Keys and biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as PIN or pattern-protected microSD cards. FIDO specifications will also enable existing solutions and communications standards, such as Trusted Platform Module (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). Because FIDO specifications are open, they are designed to be extensible and to accommodate future innovation, as well as protect existing investments.
Has FIDO made implementation rights available to anyone?
FIDO Alliance members have all committed to the promise contained within our Membership Agreement to not assert their patents against any other member implementation of FIDO 1.0 final specifications (referred to as “Proposed Standard” in our Membership Agreement). Anyone interested in deploying a FIDO compliant solution can do so without joining the Alliance, and they are strongly encouraged to use FIDO Certified products to enable that deployment.
How can I be sure that the product I’m buying conforms to FIDO standards?
The FIDO Alliance Certification Working Group is responsible for testing products for conformance to FIDO specifications and interoperability between those implementations. You can learn more about the FIDO® Certified program here.
Why are standards important?
Open industry standards assure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate various devices and services without having to make new investments or reverting to proprietary configurations.
Can’t someone break into an account if they steal a device?
No. In order to break into an account, the criminal would need not only the user’s device that was registered as a FIDO Authenticator to the account but also the ability to defeat the user identification challenge used by the Authenticator to protect the private keys – such as a username and PIN or a biometric. This makes it extremely difficult to break into a FIDO-enabled account.
How does the FIDO approach to biometric authentication make a user safer? Could anyone steal my biometric information from a device or online service?
When used in FIDO Authentication, user biometric data never leaves the device and is never stored on a central server where it could be stolen in a breach. FIDO’s on-device model for authentication eliminates the risk of a remote attack. If a would-be attacker had access to the user’s actual device, a successful spoof would be quite difficult. First, the attacker must obtain a perfectly formed, complete latent print that is also enrolled on the target user’s device. Then, the attacker must gain access to the user’s device in order to control only that one device. The single spoof, even if accomplished, doesn’t approach the potential harm done by today’s typical mass-scale attack, which can result in harvesting millions and hundreds of millions of users’ credentials.
How does FIDO Authentication make users safer on the web?
Unlike current password-based authentication models that have proven vulnerable to mass-scale attacks and fraud, FIDO authentication credentials are never shared or stored in centralized databases. FIDO credentials are known and maintained only by the user’s own device. All that is ever stored by the service provider are the public keys paired to the user’s device where the private keys are stored. For additional security and privacy, biometrics used in FIDO Authentication never leave the device. This security model eliminates the risks of phishing, all forms of password theft and replay attacks. A would-be attacker would need the user’s physical device to even attempt a hack (see “Can’t someone break into an account if they steal a device?” for more information). The password ecosystem has afforded attackers a great return on investment with relatively limited risk; the FIDO ecosystem is far more difficult, expensive and risky for attackers to profit from.
How do you protect against root kits and malware attacks on the embedded fingerprint sensor?
The FIDO Alliance recently launched the Authenticator Certification Program. This program introduces Authenticator Security Requirements to the FIDO Certification Program specifically for authenticators. Each authenticator that is certified under the FIDO Certification program is validated to meet specific security assurance levels depending on the level of security the vendor is seeking. The higher the level, the greater the security assurance. More information about this program can be found here: https://fidoalliance.org/certification/authenticator-certification-levels/.
If I use the same device with multiple websites, can one site know that I use it with another site?
No, this type of information exchange is prevented with FIDO Authentication. Each device/website pairing requires separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites. FIDO does not introduce any new tracking mechanism that could be used to correlate user activity online.
Does FIDO get any of my personal information?
No. FIDO Alliance only specifies standards for strong authentication and tests implementations for compliance to those standards; the Alliance does not provide services or equip devices or sites. Device manufacturers, online service providers, enterprises, and developers use the FIDO specifications to build products, provide services, and enable sites and browsers with FIDO authentication. Under FIDO specifications, the user’s credentials must remain on the user’s device, and they are never shared with a provider or service.
How can companies get involved in the FIDO Alliance’s new work areas?
The IDWG and IoT TWG are now open to industry participants. Participation in FIDO Alliance working groups is open to all board and sponsor level members of the FIDO Alliance. For more information on joining the Alliance, visit https://fidoalliance.org/members/membership-benefits.
What will the IoT Technical Working Group do?
The IoT TWG will provide a comprehensive authentication framework for IoT devices in keeping with the fundamental mission of the Alliance – passwordless authentication. The IoT TWG will develop use cases, target architectures and specifications covering: IoT device attestation/authentication profiles to enable interoperability between service providers and IoT devices; automated onboarding, and binding of applications and/or users to IoT devices; and IoT device authentication and provisioning via smart routers and IoT hubs.
What will the Identity Verification and Binding Working Group do?
The FIDO Alliance has identified newer remote, possession-based techniques including biometric “selfie” matching and government-issued identity document authentication as having the potential to greatly improve the quality of identity assurance for new account onboarding and account recovery. The IDWG will define criteria for this type of remote identity verification, as well as others, and develop a certification program and educational materials to support the adoption of that criteria.
How will the Alliance fulfill these new standards and certification initiatives?
The Alliance has formed two new working groups: the Identity Verification and Binding Working Group (IDWG) and the IoT Technical Working Group (IoT TWG) to establish guidelines and certification criteria in these areas. The FIDO Alliance will continue to focus on development and adoption of its user authentication standards and related programs and use them as a foundation for this expanded work, with contributions from current members and new industry participants.
How do these new areas relate to user authentication?
Identity verification and IoT security are both adjacent to the FIDO Alliance core focus on user authentication. For accounts protected by FIDO Authentication, identity verification for the account recovery process when a FIDO device is lost or stolen becomes critical to maintaining the integrity of the user’s account. With IoT devices, typical industry practice is to ship them with default password credentials and manual onboarding, which leaves them open to attack. The security gaps in both of these areas can most effectively be addressed through industry collaboration and standardization rather than siloed, proprietary approaches.
What is the FIDO Alliance trying to achieve with these new initiatives?
Ultimately, the Alliance is striving to increase the efficacy and market adoption of FIDO Authentication by addressing adjacent technology areas that leave security vulnerabilities on the web. There is a gap between the high assurance provided by FIDO Authentication standards and the lower assurance methods used in identity verification for account recovery and IoT authentication. The Alliance aims to strengthen identity verification assurance to support better account recovery and automate secure device onboarding to remove password use from IoT.
What are the FIDO Alliance’s new work areas?
The Alliance announced new work areas to develop standards and certification programs in identity verification and the Internet of Things (IoT).
What is next for the FIDO Alliance and FIDO standards?
FIDO Alliance’s work is just beginning. The specifications and certification programs are continuing to evolve, and our deployment work is taking on even greater importance. Additionally, the Alliance has just launched new work areas in IoT and identity verification, which leverage the Alliance’s broad coalition of leading organizations from around the world to help standardize technologies adjacent to user authentication. For more information on these work areas, read https://fidoalliance.org/fido-alliance-announces-id-and-iot-initiatives/.
How does the FIDO Alliance ensure interoperability with FIDO2?
FIDO Alliance provides interoperability testing and certification for servers, clients, and authenticators adhering to FIDO2 specifications. Additionally, the Alliance has introduced a new Universal Server certification for servers that interoperate with all FIDO Authenticator types (UAF, U2F, CTAP). As a best practice, the FIDO Alliance recommends online services and enterprises deploy a Universal Server to ensure support for all FIDO Certified Authenticators.
Does FIDO2 mean that FIDO U2F is dead?
Not at all. FIDO U2F capabilities have merged into FIDO2’s CTAP2 protocol, and FIDO U2F security keys will continue to work with services that support U2F authentication as well as those that support FIDO2 authentication.
Does FIDO2 replace the FIDO U2F and FIDO UAF specifications?
The specifications under FIDO2 support existing passwordless FIDO UAF and FIDO U2F use cases and specifications and expand the availability of FIDO Authentication. Users that already have external FIDO-compliant devices, such as FIDO U2F security keys, will be able to continue to use these devices with web applications that support WebAuthn. Existing FIDO UAF devices can still be used with pre-existing services as well as new service offerings based on the FIDO UAF protocols.
What is the status of FIDO2 browser and platform implementation?
Current adoption status is available here.
What is the status of FIDO2 specifications development?
FIDO2 standards are published and available for implementation today. WebAuthn reached W3C’s final Recommendation status in March 2019 and is an official web standard. CTAP is a final FIDO Alliance specification.
Why did FIDO Alliance submit specifications to the W3C?
FIDO Alliance partnered with W3C to standardize FIDO Authentication for the entire web platform so that the FIDO ecosystem could grow through an entire community of web browsers and web application servers supporting the standard. W3C is where the web community produces its standards, so it was more practical to work in that forum.
What is the relationship between FIDO2 and W3C’s WebAuthn?
A good rule of thumb is to remember this simple equation:
FIDO2 = W3C WebAuthn + CTAP
This is the full story of FIDO2’s development:
After the release of the FIDO UAF and FIDO U2F specifications, FIDO Alliance focused on making FIDO Authentication more accessible to users worldwide. The Alliance developed three technical specifications that defined one web-based API, enabling FIDO Authentication to be built directly into browsers and platforms. These specifications were submitted to the W3C, the international standards organization for the World Wide Web, in November of 2015. FIDO Alliance member companies worked within the W3C’s Web Authentication Working Group to finalize the API, which became known as WebAuthn. WebAuthn was officially recognized as a W3C web standard in March 2019.
In the same time period, the FIDO Alliance created and finalized a complementary specification to WebAuthn: the Client to Authenticator Protocol (CTAP). CTAP makes WebAuthn even more accessible to users by allowing them to use the devices they already own, such as their mobile phone, security key or Windows 10 PC to authenticate to WebAuthn-enabled browsers and platforms.
Together, WebAuthn and CTAP are called FIDO2. The FIDO Alliance manages and maintains the certification program to ensure interoperability of all the FIDO2 implementations in the market – clients, servers and authentication devices.
Why did the FIDO Alliance see the need for FIDO2?
The FIDO Alliance goal has always been ubiquitous strong authentication across the web. That means building support for FIDO Authentication into every device that people use every day. The Alliance made notable progress with its initial FIDO U2F and FIDO UAF specifications, especially on mobile platforms. FIDO2 expands the reach of FIDO Authentication by making it a built-in feature across browsers and web platforms, which is a significant step toward the Alliance’s overall goal.
Is it “FIDO2” or “FIDO 2.0”?
FIDO2 is the official name for the complete set of FIDO’s latest standards.
What specifications are included in FIDO2?
FIDO2 includes two specifications: W3C’s Web Authentication (WebAuthn) and FIDO Alliance’s Client to Authenticator Protocol (CTAP).
What is FIDO2?
FIDO2 is the overarching term for FIDO Alliance’s newest set of strong authentication standards. FIDO2 includes two specifications: W3C’s Web Authentication (WebAuthn) and FIDO Alliance’s Client to Authenticator Protocol (CTAP).
Can I use the same FIDO device with multiple websites? Can I use multiple FIDO devices with the same website?
Yes, you can use multiple websites from one FIDO device. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites.
If a user acquires a new device or wants to use multiple FIDO devices, the user need only register each of the devices at the sites where they want to use them. Once a device is registered at a site, it will be recognized whenever the user needs to authenticate at that site. When a user visits a site with a new device that hasn’t been registered, and thus isn’t automatically recognized, the user will be prompted to register the new FIDO device to enable FIDO authentication with the new device at that site.
Will FIDO devices work when I don’t have Internet connectivity?
The purpose of the FIDO model is to provide a secure and simple authentication experience for online services. The authentication involves a user with a device connecting to a service over a network.
What is the Certificate number format of the FIDO Alliance issued Certificates?
The FIDO Alliance Certificate number format is: AA-NNNNN-SSSSS, where AA is the Program Identifier, NNNNN is the Certification number, and SSSSS is the Product Identifier. The Program Identifier corresponds to the certification program under which the Certificate was issued.
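Both certificate number layouts this FAQ describes (SSSXYZAYYYYMMDD#### in the earlier answer and AA-NNNNN-SSSSS here) can be checked mechanically when triaging a vendor's certification claim. The Python below is an added example, not FIDO Alliance code: the function and class names are hypothetical, the character sets for AA and SSSSS are assumptions because the page does not state them, and the sample numbers are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date
from typing import Optional

# Older layout from this FAQ: SSSXYZAYYYYMMDD####
# [0-9] is used instead of \d so that non-ASCII digits are not accepted.
LEGACY = re.compile(
    r"(?P<spec>UAF|U2F)"
    r"(?P<major>[0-9])(?P<minor>[0-9])(?P<revision>[0-9])(?P<errata>[0-9])"
    r"(?P<year>[0-9]{4})(?P<month>[0-9]{2})(?P<day>[0-9]{2})"
    r"(?P<seq>[0-9]{4})"
)

# Newer layout from this FAQ: AA-NNNNN-SSSSS
# ASSUMPTION: AA and SSSSS are upper-case alphanumerics and NNNNN is digits;
# the page gives only the field widths and names.
CURRENT = re.compile(
    r"(?P<program>[A-Z0-9]{2})-(?P<cert>[0-9]{5})-(?P<product>[A-Z0-9]{5})"
)


class CertificateNumberError(ValueError):
    """The claimed number fits neither layout described in the FAQ."""


@dataclass(frozen=True)
class CertificateNumber:
    layout: str                           # "legacy" or "current"
    spec: Optional[str] = None            # legacy: UAF or U2F
    spec_version: Optional[str] = None    # legacy: "X.Y.Z"
    errata: Optional[int] = None          # legacy: A
    issued: Optional[date] = None         # legacy: YYYYMMDD
    sequence: Optional[int] = None        # legacy: ####
    program: Optional[str] = None         # current: AA
    certification_number: Optional[str] = None  # current: NNNNN
    product_id: Optional[str] = None      # current: SSSSS


def parse_certificate_number(text: str, today: Optional[date] = None) -> CertificateNumber:
    """Parse a claimed certificate number, rejecting malformed or impossible values."""
    raw = text.strip()
    m = LEGACY.fullmatch(raw)  # fullmatch: no trailing junk or embedded newline
    if m:
        try:
            issued = date(int(m["year"]), int(m["month"]), int(m["day"]))
        except ValueError as exc:
            raise CertificateNumberError(f"impossible issue date in {raw!r}") from exc
        if issued > (today or date.today()):
            raise CertificateNumberError(f"issue date {issued} is in the future")
        return CertificateNumber(
            layout="legacy",
            spec=m["spec"],
            spec_version=f"{m['major']}.{m['minor']}.{m['revision']}",
            errata=int(m["errata"]),
            issued=issued,
            sequence=int(m["seq"]),
        )
    m = CURRENT.fullmatch(raw)
    if m:
        return CertificateNumber(
            layout="current",
            program=m["program"],
            certification_number=m["cert"],
            product_id=m["product"],
        )
    raise CertificateNumberError(f"{raw!r} matches neither layout")


# Constructed sample claims (not real certificate numbers).
SAMPLE_CLAIMS = [
    "U2F1000201505190001",  # well-formed older layout
    "UAF1010201702300002",  # 30 February: impossible date
    "U2F1000209901010001",  # issue date far in the future
    "AB-01234-00042",       # well-formed newer layout
    "FIDO2-certified",      # free text, not a certificate number
    "U2F100020150519001",   # one digit short
]


def triage(claims, today: date):
    """Return (claim, verdict) pairs; verdict is the layout name or 'reject'."""
    results = []
    for claim in claims:
        try:
            results.append((claim, parse_certificate_number(claim, today).layout))
        except CertificateNumberError:
            results.append((claim, "reject"))
    return results
```

A number that parses cleanly is only plausible; whether the product is certified still has to be confirmed with the FIDO Alliance.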
What are the costs associated with certification?
Fees are per implementation certified and must be paid before a Certificate will be issued.
For an overview of the FIDO Certification Fees per program, please go to the Certification Fees page.
Are there separate submission fees for testing against each of the FIDO Alliance specifications?
Yes. Implementations must request certification (and pay the certification fees) for each implementation class they are seeking to certify. For example, if an implementation certifies for both a FIDO UAF Server and a FIDO2 Server, that implementation must follow the certification process for both (and pay the certification fees for both). The implementation would ultimately receive two certifications. The primary difference between testing for different specifications is that they use different test tools and different interoperability events.
Our company just built a new product but we haven’t gotten it certified yet. Can we say that it is FIDO Certified while we are working on achieving our certification?
No. Only products that have passed through the FIDO Certification program and have been granted a certification number can claim to be FIDO Certified.
What is the Certificate number format of the FIDO Alliance issued Certificates?
The FIDO Alliance issued Certificates have the following numerical format:
SSSXYZAYYYYMMDD####
SSS – Specification number (UAF or U2F)
X – Specification number
Y – Specification minor number
Z – Specification revision number
A – Specification errata number
YYYY – Year issued
MM – Month issued
DD – Day issued
#### – The sequence number of the certificate among those issued that day
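An added example (not FIDO Alliance code): a Python parser for the certificate number layout listed above, which splits a claimed number into its fields and rejects malformed values and impossible dates. Assumptions: each of X, Y, Z and A is a single digit, the only SSS values are the two this page names, and the names parse_cert_number, triage and CertNumber are hypothetical; the sample numbers are constructed.

```python
import re
from dataclasses import dataclass
from datetime import date

# Layout from this page: SSS X Y Z A YYYY MM DD #### (19 characters in total).
CERT_RE = re.compile(
    r"(?P<spec>[A-Z0-9]{3})(?P<x>[0-9])(?P<y>[0-9])(?P<z>[0-9])(?P<a>[0-9])"
    r"(?P<year>[0-9]{4})(?P<month>[0-9]{2})(?P<day>[0-9]{2})(?P<seq>[0-9]{4})"
)

@dataclass(frozen=True)
class CertNumber:
    spec: str        # SSS
    version: tuple   # (X, Y, Z, A): number, minor, revision, errata
    issued: date     # YYYYMMDD
    sequence: int    # ####

def parse_cert_number(text, known_specs=("UAF", "U2F"), today=None):
    """Split a claimed certificate number into fields; ValueError if malformed."""
    m = CERT_RE.fullmatch(text.strip())
    if m is None:
        raise ValueError("not in SSSXYZAYYYYMMDD#### form (19 characters)")
    if m["spec"] not in known_specs:   # the page lists only UAF and U2F
        raise ValueError(f"unlisted specification prefix {m['spec']!r}")
    try:
        issued = date(int(m["year"]), int(m["month"]), int(m["day"]))
    except ValueError:
        raise ValueError("issue date is not a real calendar date") from None
    if issued > (today or date.today()):
        raise ValueError("issue date lies in the future")
    version = tuple(int(m[k]) for k in ("x", "y", "z", "a"))
    return CertNumber(m["spec"], version, issued, int(m["seq"]))

def triage(claims, today=None):
    """Map each claimed number to a CertNumber or to the rejection reason."""
    results = {}
    for claim in claims:
        try:
            results[claim] = parse_cert_number(claim, today=today)
        except ValueError as exc:
            results[claim] = str(exc)
    return results

# Constructed sample values, not real certificate numbers.
SAMPLES = ["UAF1010201605120003", "UAF1010201602300003", "XYZ1000201605120001",
           "U2F100020160512001"]

if __name__ == "__main__":
    for claim, outcome in triage(SAMPLES).items():
        print(claim, "->", outcome)
```

A number that parses is only well formed; it says nothing about whether the FIDO Alliance actually issued it.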
What is the audit process for products in the market?
The FIDO Alliance staff will audit the usage of FIDO Certified logos and published claims of certification on a monthly basis. Auditing of actual implementations will be driven by market feedback. Should any concerns arise, feedback can be submitted through the Certified Logo Violation form.
Must I certify a product in order to market it?
No. But a product must be certified to claim to be FIDO Certified and use the FIDO Certified logo.
See Who Has Signed the Pledge
- 1Password
- A4 Technology Pty Ltd
- ABANCA
- ALLEN TATE
- Allthenticate
- City of Phoenix
- Dashlane
- FEITIAN Technologies US
- Finartz
- HYPR
- IDEMIA Public Security
- Juspay
- KSI Keyboards
- Next Identity
- Nok Nok
- Nura
- OneSpan
- Pos Digicert Sdn Bhd
- Rakuten Group Inc.
- Reliable Identities, Inc.
- Secfense
- Starfish & Co.
- Technic
- ToothPic
- Transmit Security
- U.S. Army Corps of Engineers
- VicRoads
- Whirly