Standard FAQ Test

Why are standards important?

Open industry standards ensure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate various devices and services without having to make new investments or revert to proprietary configurations.

Similar to the development of WiFi, Bluetooth, NFC, and other standards, FIDO is developing a new set of industry protocols. Any device manufacturer, software developer and/or online service provider can build support for FIDO protocols into their existing products and services to make online authentication simpler and stronger for their users. With the goal of standardization, the FIDO ecosystem can grow and scale by means of the “net effect”, where any new implementation of the standards will be able to immediately interoperate with any other implementation without the need for any pre-established arrangement between device developer and service provider.

What’s the difference between U2F and UAF? Why two separate standards?

U2F (Universal 2nd Factor) is a FIDO protocol that strengthens password authentication by adding a physical token. UAF (Universal Authentication Framework) is a FIDO protocol that provides strong authentication without passwords, by using biometrics and other modalities to authenticate users to their local device, then enabling the device to authenticate to the online services (biometrics, if used, never leave the device). The two standards have evolved in parallel and share basic FIDO principles such as user privacy protection and standard public key cryptography. In future versions, we expect the two standards to further evolve and harmonize.

How can I be sure that the product I’m buying conforms to FIDO standards?

The FIDO Alliance Certification Working Group is responsible for testing products for conformance to FIDO specifications and interoperability between those implementations. We already have an interoperability program known as FIDO Ready™, and in early 2015 that program will add formal conformance testing for FIDO products implementing the final 1.0 specifications.

Has FIDO made implementation rights available to anyone?

FIDO Alliance members have all committed to the promise contained within our Membership Agreement to not assert their patents against any other member implementation of FIDO 1.0 final specifications (referred to as “Proposed Standard” in our Membership Agreement). Anyone interested in deploying a FIDO compliant solution can do so without joining the Alliance if they use FIDO Ready™ products to enable that deployment.

Is one FIDO token/dongle/device better than another? How can I choose which to buy?

FIDO specifications are device-agnostic and support a full range of authentication technologies, including U2F tokens and biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as PIN or pattern-protected microSD cards. FIDO specifications will also enable existing solutions and communications standards, such as Trusted Platform Module (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). Because FIDO specifications are open, they are designed to be extensible and to accommodate future innovation, as well as protect existing investments.

FIDO specifications allow users a broad range of choice in devices that meet their needs or preferences, as well as those of service providers, online merchants, or enterprises where users must authenticate.

Will the FIDO 1.0 specs enable anyone to begin using the specs to develop and offer FIDO certified products?

FIDO 1.0 specs are public and available for anyone to read and analyze. But only FIDO Alliance Members benefit from “the promise” to not assert patent rights against other members’ implementations (see the FIDO Alliance Membership Agreement for details). Anyone may join the FIDO Alliance; we encourage even very small companies to join at the entry level, which has a very low cost. Members at all levels not only benefit from the mutual non-assert protection, but also participate in FIDO Alliance activities and developments with other members; Associates have more limited participation benefits. All are invited to join the FIDO Alliance and participate.

What does FIDO Ready mean? And FIDO Certified?

FIDO Ready™ is an interoperability testing and trademark program that was put in place in February 2014. A number of products have been tested and qualified as being FIDO Ready. FIDO Alliance is currently working on a FIDO Certified program that will include interoperability and conformance testing in early 2015, and will be adding optional security certification for authenticators thereafter.

What has changed since the draft release of the specifications in February?

For FIDO U2F, the changes can be summarized as: 1) Switch of the transport from WinUSB to USB HID; 2) Updates to the Web API syntax; 3) Addition of AppID checking to allow app/URL key sharing.

For FIDO UAF, a high-level summary is: 1) Detail-level evolution and refinement; 2) Addition of Metadata Service specification; 3) Addition of AppID checking to allow app/URL key sharing.

Do I need to wait until FIDO 2.0 is finished?

No. Enterprises and consumers are solving real security issues today with FIDO strong authentication as outdated password systems are modernized. Tens of millions of FIDO-based devices are now in use to protect accounts with strong, cryptographic-based authentication at major relying parties such as Google, PayPal, NTT DOCOMO, INC., Bank of America, Dropbox, and GitHub. In addition, there are 72 FIDO Certified products available in the market. The FIDO Alliance's strategy has always hinged on the idea that every device you purchase will come with FIDO standards support built in, and the FIDO 2.0 work is very well aligned to that strategy.

What is the goal of FIDO 2.0?

FIDO 2.0 is being designed to achieve ubiquitous platform-enablement for FIDO standards, resulting in an ecosystem with “out of the box” support for simpler, stronger FIDO authentication on all devices.

What is the use case that FIDO 2.0 addresses?

FIDO 2.0 addresses both FIDO’s password-less and second-factor experiences, and adds device-to-device capabilities along with ubiquitous platform support, including standards-based strong authentication across all Web browsers and related Web platform infrastructure.

What was sent to the W3C?

A set of three technical specifications to define a standard Web-based API. There is the API for accessing FIDO credentials and two specs that are necessary to interpret and use responses from the API. Upon completion by the W3C, the FIDO Alliance will support the adoption of this published Web API through the established FIDO Certification Program.

What are the other pieces still at FIDO?

All the FIDO 1.X work and the External Authenticator Protocol of the FIDO 2.0 specification remain in the FIDO Alliance technical working groups.