FIDO

What is FIDO? 

Fast Identity Online (FIDO) is an all-encompassing term typically used to refer to the FIDO Alliance or FIDO authentication standards. The FIDO Alliance is a non-profit organization that develops and promotes authentication standards to “help reduce the world’s over-reliance on passwords.” 

FIDO authentication is a set of open security standards based on public key cryptography, outlining user authentication mechanisms that, if implemented, would eliminate the need for passwords. The overarching principle of FIDO authentication is to store Personally Identifiable Information (PII) locally on a user’s device, thus removing the inherent risk of storing data on external servers, such as the cloud. 

Types of FIDO Authentication

There are four fundamental types of FIDO authentication:

  • FIDO Universal Second Factor (FIDO U2F) – An open standard, known since the release of FIDO2 as CTAP1, promoting the security and usability of multi-factor authentication and leveraging encryption and private keys against a physical device, such as USB or NFC technology, to protect and unlock supported accounts.
  • Client to Authenticator Protocols (CTAP) – A specification describing how applications and operating systems communicate with authentication devices through USB, NFC, or BLE technologies. It refers to two CTAP protocol versions:
    • CTAP1 is the current name for FIDO U2F.
    • CTAP2 defines how FIDO2-enabled browsers, operating systems, and external authenticators communicate with one another to allow passwordless, MFA experience.
  • FIDO Universal Authentication Framework (FIDO UAF) – A standard that defines how users connect to an application or service by leveraging one or more security factors on their device (for example, a mobile phone fingerprint scanner) to use the private key to respond to the challenge issued by the FIDO UAF server.
  • FIDO2 is an extension of FIDO U2F that offers expanded authentication options, including solid single-factor (passwordless), two-factor, and multi-factor authentication.

Components of FIDO authentication

There are two separate components of FIDO authentication you should be aware of:

Passkeys

Passkeys, or multi-device FIDO credentials, aim to replace the traditional password. When a user signs up for a new application or service, it provides them with a passkey stored on the user’s device. When they want to log in to the application or service, the user completes their device and primary authentication method – a fingerprint scanner, for example – to use the passkey and log into their account. Passkeys are a roaming authenticator, meaning users can leverage them across multiple devices, while the device itself is a platform authenticator

Security keys 

FIDO security keys are small devices – such as a USB or smart card – that allow for secure access to applications or websites. When a user signs up with a new application or website, they present the security key to generate a new key pair. The security key shares the public key with the application, but the private key remains hidden. When the user logs in for the first time, the application will offer a challenge that, if matched by the calculated value of their security key, allows them to log in. Security keys are a form of roaming authenticator, but the device they interact with are platform authenticators.

The future of FIDO

FIDO is the future of authentication. The persistent threat of phishing scams and usability issues inherent in traditional password practices makes FIDO authentication an attractive option for organizations looking to protect themselves from identity-based cyber-attacks. While the general consumer needs to be educated further on FIDO authentication, it’s clear that it’s already a viable replacement for the traditional password. 

For more essential cybersecurity definitions, check out our other blogs below:  

21 Essential Cybersecurity Terms You Should Know

40+ Cybersecurity Acronyms & Definitions

Scroll to top