3 February 2020

FIDO Authentication

Note: All information is taken from the https://fidoalliance.org/ website.

The FIDO Alliance developed FIDO Authentication standards based on public key cryptography for authentication that is more secure than passwords and SMS OTPs, simpler for consumers to use, and easier for service providers to deploy and manage. FIDO Authentication enables password-only logins to be replaced with secure and fast login experiences across websites and apps.

FIDO Authentication is the Answer to the World's Password Problem
  • Passwords are the root cause of over 80% of data breaches
  • Users have more than 90 online accounts
  • Up to 51% of passwords are reused
  • 1/3 of online purchases abandoned due to forgotten passwords
  • $70: average help desk labor cost for a single password reset

How People Use FIDO
  • FINGERPRINT
  • VOICE
  • SECURITY KEY
  • FACIAL RECOGNITION

How FIDO Works
The FIDO protocols use standard public key cryptography techniques to provide stronger authentication. During registration with an online service, the user's client device creates a new key pair. It retains the private key and registers the public key with the online service. Authentication is done by the client device proving possession of the private key to the service by signing a challenge. The client's private keys can be used only after they are unlocked locally on the device by the user. The local unlock is accomplished by a user-friendly and secure action such as swiping a finger, entering a PIN, speaking into a microphone, inserting a second-factor device or pressing a button.

The FIDO protocols are designed from the ground up to protect user privacy. The protocols do not provide information that can be used by different online services to collaborate and track a user across the services. Biometric information, if used, never leaves the user's device.

FIDO Registration
  • User is prompted to choose an available FIDO authenticator that matches the online service's acceptance policy.
  • User unlocks the FIDO authenticator using a fingerprint reader, a button on a second-factor device, a securely-entered PIN or other method.
  • User's device creates a new public/private key pair unique for the local device, online service and user's account.
  • Public key is sent to the online service and associated with the user's account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.

FIDO Login
  • Online service challenges the user to login with a previously registered device that matches the service's acceptance policy.
  • User unlocks the FIDO authenticator using the same method as at Registration time.
  • Device uses the user's account identifier provided by the service to select the correct key and sign the service's challenge.
  • Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.
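The registration and login steps above, modelled end to end as an added example (this is illustrative code written for this post, not the FIDO Alliance's or any FIDO library's code). The `Authenticator` and `Service` types, the service names and the account name are constructed for the example. It uses ECDSA P-256 from Go's standard library and deliberately simplifies real FIDO2/WebAuthn, where the signature also covers authenticator data and a hash of client data that binds the origin; what it does show is the properties the text describes: a key pair per service and account, the private key never leaving the authenticator, signing only after a local unlock, and a single-use challenge verified with the stored public key.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// credentialID scopes a key pair to one (service, account) pair, so two
// services never see the same public key and cannot correlate the user.
type credentialID struct{ Service, Account string }

// Authenticator is a toy model of a FIDO authenticator (constructed for this example).
// Private keys live only in this struct and are never returned to a caller.
type Authenticator struct {
	keys     map[credentialID]*ecdsa.PrivateKey
	unlocked bool // result of the local user action (fingerprint, PIN, button)
}

func NewAuthenticator() *Authenticator {
	return &Authenticator{keys: map[credentialID]*ecdsa.PrivateKey{}}
}

// Unlock models the local user verification step; Lock reverts it.
func (a *Authenticator) Unlock() { a.unlocked = true }
func (a *Authenticator) Lock()   { a.unlocked = false }

// Register creates a fresh key pair for this service+account and hands back
// only the public half. Refuses to work while the authenticator is locked.
func (a *Authenticator) Register(service, account string) (*ecdsa.PublicKey, error) {
	if !a.unlocked {
		return nil, errors.New("authenticator locked: user verification required")
	}
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[credentialID{service, account}] = priv
	return &priv.PublicKey, nil
}

// Sign selects the key for the service/account the service named and proves
// possession of it by signing the SHA-256 digest of the challenge.
func (a *Authenticator) Sign(service, account string, challenge []byte) ([]byte, error) {
	if !a.unlocked {
		return nil, errors.New("authenticator locked: user verification required")
	}
	priv, ok := a.keys[credentialID{service, account}]
	if !ok {
		return nil, errors.New("no credential registered for this service/account")
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Service is a toy relying party: it stores public keys per account and
// remembers the one outstanding challenge it issued to each account.
type Service struct {
	Name   string
	pubs   map[string]*ecdsa.PublicKey
	issued map[string][]byte
}

func NewService(name string) *Service {
	return &Service{Name: name, pubs: map[string]*ecdsa.PublicKey{}, issued: map[string][]byte{}}
}

// StorePublicKey completes registration on the service side.
func (s *Service) StorePublicKey(account string, pub *ecdsa.PublicKey) { s.pubs[account] = pub }

// Challenge issues 32 random bytes for a registered account.
func (s *Service) Challenge(account string) ([]byte, error) {
	if _, ok := s.pubs[account]; !ok {
		return nil, errors.New("unknown account")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.issued[account] = c
	return c, nil
}

// Verify checks the signature against the stored public key and the challenge
// it issued. The challenge is consumed on first use, so a replayed signature fails.
func (s *Service) Verify(account string, sig []byte) bool {
	c, ok := s.issued[account]
	if !ok {
		return false
	}
	delete(s.issued, account)
	digest := sha256.Sum256(c)
	return ecdsa.VerifyASN1(s.pubs[account], digest[:], sig)
}

func main() {
	auth := NewAuthenticator()
	bank, shop := NewService("bank.example"), NewService("shop.example")

	// Registration: unlock, mint one key pair per service, store only the public keys.
	auth.Unlock()
	pubBank, _ := auth.Register(bank.Name, "alice")
	bank.StorePublicKey("alice", pubBank)
	pubShop, _ := auth.Register(shop.Name, "alice")
	shop.StorePublicKey("alice", pubShop)
	auth.Lock()
	fmt.Println("distinct key per service:", !pubBank.Equal(pubShop))

	// Login: service challenges, user unlocks, device signs, service verifies.
	c, _ := bank.Challenge("alice")
	auth.Unlock()
	sig, _ := auth.Sign(bank.Name, "alice", c)
	fmt.Println("login accepted:", bank.Verify("alice", sig))
	fmt.Println("replay accepted:", bank.Verify("alice", sig))
}
```

Running it prints `true`, `true`, `false`: the two services hold unrelated public keys, a fresh signature over the issued challenge logs the user in, and presenting the same signature again is rejected because the challenge was single-use.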

Specifications Overview
The FIDO Alliance has published three sets of specifications for simpler, stronger authentication:
  • FIDO Universal Second Factor (FIDO U2F)
  • FIDO Universal Authentication Framework (FIDO UAF)
  • The Client to Authenticator Protocols (CTAP)
