FIDO Alliance

The FIDO ("Fast IDentity Online") Alliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords". FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords. FIDO supports a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), smart cards, and near field communication (NFC). The USB security token device may be used to authenticate using a simple password (e.g. four-digit PIN) or by pressing a button.

The specifications emphasize a device-centric model. Authentication over the wire happens using public-key cryptography. The user's device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button. FIDO provides two types of user experiences depending on which protocol is used. Both protocols define a common interface at the client for whatever local authentication method the user exercises.
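The registration and challenge-signing flow described above, as an added example that is not part of the original article or of any FIDO specification. It is a simplified model: `Authenticator`, `Server`, `userGesture` and the user name are hypothetical, and the single-use challenge handling is an assumption about how a server would reject replayed signatures.

```javascript
const crypto = require('node:crypto');

// Device side (hypothetical class): the private key stays inside this object.
class Authenticator {
  constructor() {
    Object.assign(this, crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' }));
  }
  // userGesture stands in for the local unlock (biometric, PIN or button press).
  sign(challenge, userGesture) {
    if (!userGesture) throw new Error('key locked: no local user gesture');
    return crypto.sign('sha256', challenge, this.privateKey);
  }
}

// Server side (hypothetical class): stores public keys and outstanding challenges only.
class Server {
  constructor() {
    this.keys = new Map();     // user -> registered public key (PEM)
    this.pending = new Map();  // user -> challenge issued, single use
  }
  register(user, publicKey) {
    this.keys.set(user, publicKey.export({ type: 'spki', format: 'pem' }));
  }
  newChallenge(user) {
    const challenge = crypto.randomBytes(32);
    this.pending.set(user, challenge);
    return challenge;
  }
  verify(user, signature) {
    const pem = this.keys.get(user);
    const challenge = this.pending.get(user);
    this.pending.delete(user);             // a challenge is consumed on first use
    if (!pem || !challenge) return false;  // unknown user or no fresh challenge
    return crypto.verify('sha256', challenge, crypto.createPublicKey(pem), signature);
  }
}

// Constructed walk-through: one registration, one login, three rejected attempts.
function demo() {
  const device = new Authenticator(), other = new Authenticator(), server = new Server();
  server.register('alice', device.publicKey);
  const sig = device.sign(server.newChallenge('alice'), true);
  const login = server.verify('alice', sig);
  const replay = server.verify('alice', sig);   // challenge already consumed
  server.newChallenge('alice');
  const stale = server.verify('alice', sig);    // signature covers the old challenge
  const wrongKey = server.verify('alice', other.sign(server.newChallenge('alice'), true));
  return { login, replay, stale, wrongKey };
}
```

The server never holds a secret that could be replayed elsewhere: it stores a public key and a random challenge, and a captured signature is useless once that challenge has been consumed.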


Specifications

The following open specifications may be obtained from the FIDO web site.

* Universal Authentication Framework (UAF)
** UAF 1.0 Proposed Standard (December 8, 2014)
** UAF 1.1 Proposed Standard (February 2, 2017)
** UAF 1.2 Review Draft (November 28, 2017)
* Universal 2nd Factor (U2F)
** U2F 1.0 Proposed Standard (October 9, 2014)
** U2F 1.2 Proposed Standard (July 11, 2017)
* FIDO 2.0 (FIDO2, contributed to the W3C on November 12, 2015)
** FIDO 2.0 Proposed Standard (September 4, 2015)
* Client to Authenticator Protocol (CTAP)
** CTAP 2.0 Proposed Standard (September 27, 2017)
** CTAP 2.0 Implementation Draft (February 27, 2018)

The U2F 1.0 Proposed Standard (October 9, 2014) was the starting point for the specification known as FIDO 2.0 Proposed Standard (September 4, 2015). The latter was formally submitted to the World Wide Web Consortium (W3C) on November 12, 2015. Subsequently, the first Working Draft of the W3C Web Authentication (WebAuthn) standard was published on May 31, 2016. The WebAuthn standard has been revised numerous times since then, becoming a W3C Recommendation on March 4, 2019. Meanwhile the U2F 1.2 Proposed Standard (July 11, 2017) became the starting point for the Client to Authenticator Protocol 2.0 Proposed Standard, which was published on September 27, 2017. FIDO CTAP 2.0 complements W3C WebAuthn, both of which are in scope for the FIDO2 Project.


Milestones

* (2014-10-09) The U2F 1.0 Proposed Standard was released
* (2014-12-08) The UAF 1.0 Proposed Standard was released
* (2015-06-30) The FIDO Alliance released two new protocols that support Bluetooth technology and near field communication (NFC) as transport protocols for U2F
* (2015-09-04) The FIDO 2.0 Proposed Standard was released
** FIDO 2.0 Key Attestation Format
** FIDO 2.0 Signature Format
** FIDO 2.0 Web API for Accessing FIDO 2.0 Credentials
* (2015-11-12) The FIDO Alliance submitted the FIDO 2.0 Proposed Standard to the World Wide Web Consortium (W3C)
* (2016-02-17) The W3C created the Web Authentication Working Group
* (2017-02-02) The UAF 1.1 Proposed Standard was released
* (2017-07-11) The U2F 1.2 Proposed Standard was released
* (2017-09-27) The Client To Authenticator Protocol 2.0 Proposed Standard was released
* (2017-11-28) The UAF 1.2 Review Draft was released
* (2018-02-27) The Client To Authenticator Protocol 2.0 Implementation Draft was released
* (2019–03) W3C’s Web Authentication (WebAuthn) recommendation – a core component of the FIDO Alliance’s FIDO2 set of specifications – became an official web standard, signaling a major step forward in making the web more secure and usable for users around the world.


See also

* Self-sovereign identity
* Initiative for Open Authentication (OATH)
* WebAuthn web authentication

