FIDO2 is an open standard that enables users to log into applications without using passwords on both desktop and mobile environments. Instead of passwords, FIDO authentication uses registered devices or FIDO2 security keys to validate user identities.
The FIDO2 specification was developed by the FIDO (Fast IDentity Online) Alliance, which is an open industry consortium formed in 2013. The Alliance’s mission is to develop and promote passwordless authentication standards and protocols.
FIDO2 (sometimes spelled “FIDO 2”) consists of two components:
The Web Authentication API (WebAuthn), which enables applications to authenticate users with possession-based and biometric authentication.
The Client to Authenticator Protocol (CTAP), which enables the client to communicate with a roaming authenticator such as a hardware security key or a smartphone.
What is a FIDO authenticator?
A FIDO authenticator is a piece of hardware possessed by the user that is capable of performing FIDO authentication. Users interact with FIDO authenticators to verify possession and/or confirm their identity. FIDO authenticators are also responsible for generating keypairs during user registration, protecting private key details, and signing digital certificates for attestation.
There are two types of FIDO authenticators: roaming authenticators and platform authenticators.
Roaming authenticator
A roaming authenticator is a device separate from the client device that can perform FIDO authentication. Roaming authenticators connect with client devices over USB, Near-field communication (NFC), or Bluetooth. These authenticators enable users to carry their credentials and use them to authenticate on multiple devices. For this reason, roaming authenticators are also referred to as cross-platform authenticators.
Examples: Tapping a USB security key, authenticating using a smartphone when logging in from a laptop
Platform authenticator
A platform authenticator is built into the user device that acts as the FIDO client. Common implementations of platform authenticators include some form of user biometric authentication backed by hardware chips (e.g. Trusted Platform Module, Trusted Execution Environment) that protect cryptographic keys. When a user authenticates using the same device they are logging in from, platform authenticators are at work.
Examples: Apple Touch ID, Apple Face ID, Windows Hello
How FIDO2 authentication works
The stated aim of FIDO authentication is to shift from “legacy, knowledge-based credentialing” to “modern, possession-based credentialing”. The standard relies on public-key cryptography to achieve this aim. By using a private-public keypair where the private key never leaves the user’s device, FIDO authentication removes the need for shared secrets between a client and a server.
Here’s how FIDO registration works:
Step 1: During account registration, the user is prompted to choose a FIDO authentication mechanism supported by the application.
Step 2: The user approves the FIDO authenticator by performing an action. The action depends on the authenticator. Common actions include touching a fingerprint reader, touching a security key, entering a PIN, or other approved authentication methods.
Step 3: A public-private keypair is created that is unique to the user’s device, the user’s account, and the application.
Step 4: The public key is sent to the application and associated with the user’s account. The private key never leaves the user’s device.Here’s how login using FIDO works:
Step 1: During login, the application challenges the user to log in with the FIDO authenticator used during registration.
Step 2: The user unlocks the authenticator using the same action that they performed during the registration process.
Step 3: The device looks up the private key based on the ID provided by the application. It signs the challenge and sends it back to the application.
Step 4: The application verifies the signed challenge with the stored public key. The user is logged in.
Looking for a way to test your WebAuthn flows? Check out Virtual WebAuthn, a set of Go tools that help developers test WebAuthn flows without needing a browser or an actual authenticator.
FIDO2 vs U2F vs UAF
FIDO2 is the latest standard to be developed by the FIDO Alliance and builds on top of two earlier specifications. Let’s cover the basics of FIDO UAF and FIDO U2F.
Universal Authentication Framework (UAF)
FIDO Universal Authentication Framework (UAF) is an open standard that supports passwordless authentication. FIDO UAF enables online applications to leverage native security features on end user computing devices (like mobile devices and laptops) to perform strong authentication and reduce the reliance on passwords.
FIDO2 is broadly seen as the successor to FIDO UAF.
Universal Second Factor (U2F)
FIDO Universal Second Factor (U2F) is an open standard that supports two-factor authentication. FIDO U2F enables applications to supplement the security of their existing password infrastructure by adding a strong second factor of authentication. U2F defines how to establish communications between FIDO2-enabled browsers / operating systems and a FIDO U2F device (like a YubiKey) to implement multi-factor authentication.
After the release of FIDO2, U2F was renamed and is now known as CTAP1.
Benefits of FIDO authentication
FIDO authentication provides a secure, private, convenient, and scalable way for users to access applications without using passwords.
Security
Since FIDO authentication doesn’t use shared secrets like passwords, no sensitive user information is stored on application servers. This reduces the attack surface and makes applications less attractive targets for attackers.
Removing passwords also prevents bad behaviors like reusing passwords across online accounts and using boilerplate passwords. This in turn stops identity attacks like credential stuffing, phishing, and account takeover.
Convenience
With FIDO authentication, users don’t have to create and remember passwords, use password managers, or go through cumbersome password reset flows. Instead, users authenticate using built-in device capabilities like fingerprint readers or cameras, or by leveraging easy to use FIDO security keys.
FIDO authentication is also convenient for application builders. Developers no longer have to spend time on managing password infrastructure and can instead use those work cycles on building core application capabilities. IT teams save time on password-based help desk requests. Product teams prevent user friction and churn caused due to forgotten passwords.
Privacy
Historically, the mention of fingerprint or iris authentication is sometimes met with concerns about user privacy. However, privacy is one of the cornerstones of FIDO authentication. Biometric data used in FIDO authentication never leaves the user’s device. Moreover, since FIDO key pairs are unique for each application, they cannot be used to track users across sites.
Interoperability and scale
FIDO2 is an open and license-free standard that is meant to be used as widely as possible while also maintaining high security. Any FIDO certified service needs to undergo rigorous testing to ensure that clients, servers, and authenticators are all compatible.
Websites can enable FIDO2 with a JavaScript API call that is widely supported across major browsers and platforms, as well as billions of user devices.
More FIDO2 resources
Interested in learning more about FIDO2 and passwordless authentication?
Check out an overview of the FIDO2 specification and technical details.
Read this whitepaper from the FIDO Alliance on enterprise use cases.
Adding FIDO authentication to your app can be a complex and time-consuming endeavor. Descope helps developers easily add FIDO-certified biometric authentication to their apps with no-code workflows, SDKs, and APIs.
Sign up for Descope and add biometrics to your app with a few lines of code.
