The FIDO ("Fast IDentity Online") Alliance is an open industry association launched in February 2013 whose stated mission is to develop and promote

authentication Authentication (from ''authentikos'', "real, genuine", from αὐθέντης ''authentes'', "author") is the act of proving an Logical assertion, assertion, such as the Digital identity, identity of a computer system user. In contrast with iden ...

standards that "help reduce the world’s over-reliance on

password A password, sometimes called a passcode, is secret data, typically a string of characters, usually used to confirm a user's identity. Traditionally, passwords were expected to be memorized, but the large number of password-protected services t ...

s". FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords. FIDO supports a full range of authentication technologies, including

biometrics Biometrics are body measurements and calculations related to human characteristics and features. Biometric authentication (or realistic authentication) is used in computer science as a form of identification and access control. It is also used t ...

such as

fingerprint A fingerprint is an impression left by the friction ridges of a human finger. The recovery of partial fingerprints from a crime scene is an important method of forensic science. Moisture and grease on a finger result in fingerprints on surfa ...

and iris scanners,

voice The human voice consists of sound made by a human being using the vocal tract, including talking, singing, laughing, crying, screaming, shouting, humming or yelling. The human voice frequency is specifically a part of human sound produ ...

and

facial recognition Facial recognition or face recognition may refer to: *Face detection, often a step done before facial recognition *Face perception, the process by which the human brain understands and interprets the face *Pareidolia, which involves, in part, seein ...

, as well as existing solutions and communications standards, such as

Trusted Platform Module A Trusted Platform Module (TPM) is a secure cryptoprocessor that implements the ISO/IEC 11889 standard. Common uses are verifying that the boot process starts from a trusted combination of hardware and software and storing disk encryption keys. ...

s (TPM),

USB Universal Serial Bus (USB) is an industry standard, developed by USB Implementers Forum (USB-IF), for digital data transmission and power delivery between many types of electronics. It specifies the architecture, in particular the physical ...

security token A security token is a peripheral device used to gain access to an electronically restricted resource. The token is used in addition to, or in place of, a password. Examples of security tokens include wireless key cards used to open locked door ...

s, embedded Secure Elements (eSE),

smart card A smart card (SC), chip card, or integrated circuit card (ICC or IC card), is a card used to control access to a resource. It is typically a plastic credit card-sized card with an Embedded system, embedded integrated circuit (IC) chip. Many smart ...

s, and

near-field communication Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of or less. NFC offers a low-speed connection through a simple setup that can be used for the boots ...

(NFC). The USB security token device may be used to authenticate using a simple password (e.g. four-digit PIN) or by pressing a button. The specifications emphasize a device-centric model. Authentication over an insecure channel happens using

public-key cryptography Public-key cryptography, or asymmetric cryptography, is the field of cryptographic systems that use pairs of related keys. Each key pair consists of a public key and a corresponding private key. Key pairs are generated with cryptographic alg ...

. The user's device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button. FIDO provides two types of user experiences depending on which protocol is used. Both protocols define a common interface at the client for whatever local authentication method the user exercises.

Specifications

The following open specifications may be obtained from the FIDO web site. * Universal Authentication Framework (UAF) ** UAF 1.0 Proposed Standard (December 8, 2014) ** UAF 1.1 Proposed Standard (February 2, 2017) ** UAF 1.2 Review Draft (November 28, 2017) *

Universal 2nd Factor Universal 2nd Factor (U2F) is an open standard that strengthens and simplifies two-factor authentication (2FA) using specialized Universal Serial Bus (USB), near-field communication (NFC), or Bluetooth Low Energy (BLE) devices based on similar sec ...

(U2F) ** U2F 1.0 Proposed Standard (October 9, 2014) ** U2F 1.2 Proposed Standard (July 11, 2017) * FIDO 2.0 (FIDO2, contributed to the W3C on November 12, 2015) ** FIDO 2.0 Proposed Standard (September 4, 2015) * Client to Authenticator Protocol (CTAP) ** CTAP 2.0 Proposed Standard (September 27, 2017) ** CTAP 2.0 Implementation Draft (February 27, 2018) Evolution_of_FIDO2-WebAuthn

The U2F 1.0 Proposed Standard (October 9, 2014) was the starting point for the specification known as FIDO 2.0 Proposed Standard (September 4, 2015). The latter was formally submitted to the

World Wide Web Consortium The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 by Tim Berners-Lee, the consortium is made up of member organizations that maintain full-time staff working together in ...

(W3C) on November 12, 2015. Subsequently, the first Working Draft of the W3C Web Authentication (

WebAuthn Web Authentication (WebAuthn) is a web standard published by the World Wide Web Consortium (W3C). Its primary purpose is to build a system of authentication for web-based applications that solves or mitigates the issues of traditional passwo ...

) standard was published on May 31, 2016. The WebAuthn standard has been revised numerous times since then, becoming a W3C Recommendation on March 4, 2019. Meanwhile the U2F 1.2 Proposed Standard (July 11, 2017) became the starting point for the Client to Authenticator Protocol 2.0 Proposed Standard, which was published on September 27, 2017. FIDO CTAP 2.0 complements W3C WebAuthn, both of which are in scope for the ''FIDO2 Project''.

FIDO2

The FIDO2 Project is a joint effort between the FIDO Alliance and the

(W3C) whose goal is to create strong authentication for the web. At its core, FIDO2 consists of the W3C Web Authentication (

) standard and the FIDO Client to Authenticator Protocol 2 (CTAP2). FIDO2 is based upon previous work done by the FIDO Alliance, in particular the

(U2F) authentication standard. Taken together, WebAuthn and CTAP specify a standard

authentication protocol An authentication protocol is a type of computer communications protocol or cryptographic protocol specifically designed for transfer of authentication data between two entities. It allows the receiving entity to authenticate the connecting entity ...

where the protocol endpoints consist of a user-controlled

cryptographic Cryptography, or cryptology (from "hidden, secret"; and ''graphein'', "to write", or '' -logia'', "study", respectively), is the practice and study of techniques for secure communication in the presence of adversarial behavior. More gen ...

authenticator An authenticator is a means used to confirm a user's identity, that is, to perform digital authentication. A person authenticates to a computer system or application by demonstrating that he or she has possession and control of an authenticator. I ...

(such as a smartphone or a hardware security key) and a WebAuthn Relying Party (also called a FIDO2 server). A web

user agent On the Web, a user agent is a software agent responsible for retrieving and facilitating end-user interaction with Web content. This includes all web browsers, such as Google Chrome and Safari A safari (; originally ) is an overland jour ...

(i.e., a web browser) together with a WebAuthn client form an intermediary between the authenticator and the relying party. A single WebAuthn client Device may support multiple WebAuthn clients. For example, a laptop may support multiple clients, one for each conforming user agent running on the laptop. A conforming user agent implements the WebAuthn JavaScript API. As its name implies, the Client to Authenticator Protocol (CTAP) enables a conforming cryptographic authenticator to interoperate with a WebAuthn client. The CTAP specification refers to two protocol versions called CTAP1/U2F and CTAP2. An authenticator that implements one of these protocols is typically referred to as a U2F authenticator or a FIDO2 authenticator, respectively. A FIDO2 authenticator that also implements the CTAP1/U2F protocol is backward compatible with U2F. The invention of using a smartphone as a cryptographic authenticator on a computer network is claimed in US Patent 7,366,913 filed in 2002.

Milestones

* (2014-10-09) The U2F 1.0 Proposed Standard was released * (2014-12-08) The UAF 1.0 Proposed Standard was released * (2015-06-30) The FIDO Alliance released two new protocols that support

Bluetooth Bluetooth is a short-range wireless technology standard that is used for exchanging data between fixed and mobile devices over short distances and building personal area networks (PANs). In the most widely used mode, transmission power is li ...

technology and

near field communication Near-field communication (NFC) is a set of communication protocols that enables communication between two electronic devices over a distance of or less. NFC offers a low-speed connection through a simple setup that can be used for the boots ...

(NFC) as transport protocols for U2F * (2015-09-04) The FIDO 2.0 Proposed Standard was released ** FIDO 2.0 Key Attestation Format ** FIDO 2.0 Signature Format ** FIDO 2.0 Web API for Accessing FIDO 2.0 Credentials * (2015-11-12) The FIDO Alliance submitted the FIDO 2.0 Proposed Standard to the

(W3C) * (2016-02-17) The W3C created the

Web Authentication Working Group The Web Authentication Working Group, created by the World Wide Web Consortium The World Wide Web Consortium (W3C) is the main international standards organization for the World Wide Web. Founded in 1994 by Tim Berners-Lee, the consortium is ...

* (2017-02-02) The UAF 1.1 Proposed Standard was released * (2017-07-11) The U2F 1.2 Proposed Standard was released * (2017-09-27) The Client To Authenticator Protocol 2.0 Proposed Standard was released * (2017-11-28) The UAF 1.2 Review Draft was released * (2018-02-27) The Client To Authenticator Protocol 2.0 Implementation Draft was released * (2019–03) W3C’s Web Authentication (WebAuthn) recommendation – a core component of the FIDO Alliance’s FIDO2 set of specifications – became an official web standard.

FIDO Members

Board level members

Sponsor level members

Government level members

Associate Level Members

References

External links

* {{Official website Biometrics Identification Consortia in the United States 2013 establishments in California Mountain View, California 501(c)(6) nonprofit organizations