Industry consortium working on authentication mechanisms
From Wikipedia, the free encyclopedia
This article is about the consortium promoting authentication. For the store-and-forward bulletin-board networking service, see FidoNet.
The FIDO ("Fast IDentity Online") Alliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords".[1] FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords.
FIDO supports a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), smart cards, and near-field communication (NFC).[2] The USB security token device may be used to authenticate using a simple password (e.g. a four-digit PIN) or by pressing a button. The specifications emphasize a device-centric model. Authentication over an insecure channel happens using public-key cryptography. The user's device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button.
FIDO provides two types of user experiences depending on which protocol is used.[2] Both protocols define a common interface at the client for whatever local authentication method the user exercises.
The following open specifications may be obtained from the FIDO web site.[3]
The U2F 1.0 Proposed Standard (October 9, 2014) was the starting point for the specification known as FIDO 2.0 Proposed Standard (September 4, 2015). The latter was formally submitted to the World Wide Web Consortium (W3C) on November 12, 2015.[5] Subsequently, the first Working Draft of the W3C Web Authentication (WebAuthn) standard was published on May 31, 2016. The WebAuthn standard has been revised numerous times since then, becoming a W3C Recommendation on March 4, 2019.
Meanwhile, the U2F 1.2 Proposed Standard (July 11, 2017) became the starting point for the Client to Authenticator Protocol 2.0 Proposed Standard, which was published on September 27, 2017. FIDO CTAP 2.0 complements W3C WebAuthn, both of which are in scope for the FIDO2 Project.
Taken together, WebAuthn and CTAP specify a standard authentication protocol[7] where the protocol endpoints consist of a user-controlled cryptographic authenticator (such as a smartphone or a hardware security key) and a WebAuthn Relying Party (also called a FIDO2 server). A web user agent (i.e., a web browser) together with a WebAuthn client form an intermediary between the authenticator and the relying party. A single WebAuthn client device may support multiple WebAuthn clients. For example, a laptop may support multiple clients, one for each conforming user agent running on the laptop. A conforming user agent implements the WebAuthn JavaScript API.
As its name implies, the Client to Authenticator Protocol (CTAP) enables a conforming cryptographic authenticator to interoperate with a WebAuthn client. The CTAP specification refers to two protocol versions called CTAP1/U2F and CTAP2.[8] An authenticator that implements one of these protocols is typically referred to as a U2F authenticator or a FIDO2 authenticator, respectively. A FIDO2 authenticator that also implements the CTAP1/U2F protocol is backward compatible with U2F.
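The registration and challenge-response exchange described above, with the relying party doing the verification, as an added example in Go (it is not code from the FIDO Alliance or from any WebAuthn or CTAP implementation). The browser and WebAuthn client in the middle are collapsed into direct function calls, the key type is P-256 ECDSA, and the local user gesture is modelled as a boolean. The names `Authenticator`, `RelyingParty` and `Assertion`, the credential-ID derivation, and the byte layout hashed in `signedData` are assumptions made for illustration, not the WebAuthn wire format; what they preserve is the shape of the design: the private key never leaves the device, the server stores only a public key, every challenge is random and single-use, and the signature is bound to the relying party's own ID.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Assertion is the authenticator's answer to a challenge (simplified; not the WebAuthn wire format).
type Assertion struct {
	CredentialID string
	UserPresent  bool   // the "flags" bit that records the local user gesture
	Signature    []byte // ASN.1 DER ECDSA signature over signedData(...)
}

// Authenticator models the user-controlled device: private keys never leave it.
type Authenticator struct {
	keys map[string]*ecdsa.PrivateKey // credential ID -> private key
}

func NewAuthenticator() *Authenticator { return &Authenticator{keys: map[string]*ecdsa.PrivateKey{}} }

// Register mints a fresh P-256 key pair for one relying party and returns only the public half.
func (a *Authenticator) Register(rpID string) (string, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return "", nil, err
	}
	id := sha256.Sum256(priv.PublicKey.X.Bytes()) // constructed credential ID, derived from the key
	credID := fmt.Sprintf("%s:%x", rpID, id[:8])
	a.keys[credID] = priv
	return credID, &priv.PublicKey, nil
}

// signedData binds the signature to the RP ID, the user-presence flag and the challenge,
// so an assertion produced for one site cannot be replayed at another.
func signedData(rpID string, userPresent bool, challenge []byte) []byte {
	rpHash, clientDataHash := sha256.Sum256([]byte(rpID)), sha256.Sum256(challenge)
	flags := byte(0)
	if userPresent {
		flags = 1
	}
	digest := sha256.Sum256(append(append(append([]byte{}, rpHash[:]...), flags), clientDataHash[:]...))
	return digest[:]
}

// Sign answers a challenge; without the local user gesture the key stays locked.
func (a *Authenticator) Sign(credID, rpID string, challenge []byte, gesture bool) (*Assertion, error) {
	priv, ok := a.keys[credID]
	if !ok || !gesture {
		return nil, errors.New("unknown credential or user presence not confirmed")
	}
	sig, err := ecdsa.SignASN1(rand.Reader, priv, signedData(rpID, true, challenge))
	if err != nil {
		return nil, err
	}
	return &Assertion{CredentialID: credID, UserPresent: true, Signature: sig}, nil
}

// RelyingParty models the FIDO2 server: it stores public keys only and issues single-use challenges.
type RelyingParty struct {
	ID         string
	pubKeys    map[string]*ecdsa.PublicKey
	challenges map[string]bool // outstanding challenges, keyed by their raw bytes
}

func NewRelyingParty(id string) *RelyingParty {
	return &RelyingParty{ID: id, pubKeys: map[string]*ecdsa.PublicKey{}, challenges: map[string]bool{}}
}

func (rp *RelyingParty) StoreCredential(credID string, pub *ecdsa.PublicKey) { rp.pubKeys[credID] = pub }

func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	rp.challenges[string(c)] = true
	return c
}

// Verify accepts an assertion only if the challenge is fresh, the user was present and the signature
// verifies under the stored public key for this RP's own ID.
func (rp *RelyingParty) Verify(challenge []byte, as *Assertion) error {
	if !rp.challenges[string(challenge)] {
		return errors.New("challenge unknown or already used")
	}
	delete(rp.challenges, string(challenge)) // single use: a captured assertion cannot be replayed
	pub, ok := rp.pubKeys[as.CredentialID]
	if !ok || !as.UserPresent {
		return errors.New("unknown credential or user presence flag not set")
	}
	if !ecdsa.VerifyASN1(pub, signedData(rp.ID, as.UserPresent, challenge), as.Signature) {
		return errors.New("signature does not verify for this relying party")
	}
	return nil
}
```

A login runs as `rp.NewChallenge()`, then `auth.Sign(credID, rp.ID, challenge, true)` on the device, then `rp.Verify(challenge, assertion)` on the server. Three checks carry the security argument: signing fails when the gesture is absent, a second `Verify` with the same challenge fails because the challenge was consumed, and an assertion signed under a different RP ID fails even though the key is the same, which is what stops a credential registered with one site from being used at another.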
The invention of using a smartphone as a cryptographic authenticator on a computer network is claimed in US Patent 7,366,913 filed in 2002.
(2014-10-09) The U2F 1.0 Proposed Standard was released
(2014-12-08) The UAF 1.0 Proposed Standard was released[9][10]
(2015-06-30) The FIDO Alliance released two new protocols that support Bluetooth technology and near field communication (NFC) as transport protocols for U2F[11]
(2015-09-04) The FIDO 2.0 Proposed Standard was released
(2017-02-02) The UAF 1.1 Proposed Standard was released
(2017-07-11) The U2F 1.2 Proposed Standard was released
(2017-09-27) The Client To Authenticator Protocol 2.0 Proposed Standard was released
(2017-11-28) The UAF 1.2 Review Draft was released
(2018-02-27) The Client To Authenticator Protocol 2.0 Implementation Draft was released
(2019-03) W3C's Web Authentication (WebAuthn) recommendation, a core component of the FIDO Alliance's FIDO2 set of specifications, became an official web standard.[13]