What is FIDO Authentication?

FIDO (Fast IDentity Online) authentication is an authentication standard that uses public key cryptography to create a login experience that’s more secure, phishing-resistant and convenient than passwords.

In the past, many online services relied solely on passwords for authentication. However, passwords have inherent weaknesses: users choose weak or guessable passwords that fall to dictionary attacks, and even strong passwords can be stolen through phishing.

To address these problems, a group of tech companies created the FIDO Alliance in 2012. Over the years, the Alliance has developed and evolved a set of passwordless authentication protocols that aim to make traditional authentication methods obsolete.

Instead of passwords, FIDO authentication relies on passkeys, which are cryptographic credentials securely stored on a user's device. These passkeys provide a seamless way to authenticate users on websites and services.

On passkey-enabled websites, users don't need to manually "enter" anything to sign in. Instead, they can simply present a biometric (like a fingerprint or face recognition) or use a hardware key to log in with their passkey. Behind the scenes, a rigorous cryptographic exchange takes place to verify the user's identity, but the user doesn't need to worry about the technical nitty-gritty.

This approach offers several advantages over passwords. Since passkeys are stored on the user's device, and not on a web server, they are less susceptible to data breaches. Additionally, passkeys are interoperable, which means that a single passkey can be used across all of the user's devices.

For example, a user can use the same passkey to authenticate on a website, from their phone, laptop or tablet.

FIDO vs FIDO 2 protocol

FIDO (Fast IDentity Online) is an overarching term that includes many protocol specifications, including FIDO 1.0, FIDO2, FIDO UAF and FIDO U2F. To understand the difference between FIDO and FIDO2, it’s important to grasp the evolution of FIDO authentication.

The original FIDO protocol, also known as FIDO 1.0, was the first iteration of the FIDO authentication standard. Released in 2014, it focused on replacing traditional passwords with biometrics and hardware tokens. It featured both FIDO UAF (Universal Authentication Framework) and FIDO U2F (Universal Second Factor).

The FIDO UAF specifications aimed to revolutionize the way organizations, service providers and governments managed authentication. However, they lacked standardization, making it difficult to apply them across web applications, browsers and servers.

In 2016, the World Wide Web Consortium (W3C) and the FIDO Alliance started collaborating to standardize FIDO authentication. This led to the launch of FIDO2 in 2018, which offered a more comprehensive and standardized approach to passwordless authentication. Major browsers, including Firefox and Chrome, implemented the standard, which helped drive its adoption.

FIDO2 has two main components: WebAuthn and CTAP (Client to Authenticator Protocol). Collectively, WebAuthn and CTAP deliver a cryptographically secure, convenient and interoperable login experience.

In short, the main differences between FIDO 1.0 and FIDO2 are standardization, scope, interoperability and adoption. FIDO2 is a more comprehensive and standardized protocol that is supported by all leading browsers and operating systems, including Android, iOS, macOS and Windows.

How does FIDO authentication work?

FIDO authentication typically involves two stages: user registration and authentication. Let’s break down the steps involved in each stage.

Registration

  1. The user visits a passkey-enabled website and selects “passkey authentication”.
  2. The website prompts the user to provide a biometric (facial or fingerprint scan) or insert a physical security key to create the passkey.
  3. The operating system on the user’s device creates a pair of public and private keys. The private key is stored as a passkey on the user’s device.
  4. The public key is sent to the server.

Authentication

  1. The user visits a website and selects “passkey authentication”.
  2. The website asks the user to select the device which contains the relevant passkey.
  3. Once the user chooses the passkey, they are prompted to either perform a fingerprint/facial scan or insert a security key, depending on what they chose during registration.
  4. The website verifies the response signed by the passkey using the public key generated during registration.
  5. The user is granted access to the website.
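As an added illustration of the two stages above (this is not code from the original article), the Go program below models the exchange: the device keeps the private key, the server keeps only the public key and, as in WebAuthn, issues a fresh challenge for each login, and the signature covers the relying-party ID so that an assertion produced for a look-alike domain fails verification. The relying-party ID `login.example`, the in-memory store and the SHA-256(rpID || challenge) construction are simplifications assumed here; real WebAuthn signs the authenticator data plus a hash of client data carrying the challenge and origin.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
)

// Authenticator is the user's device: the passkey (private key) lives here and never leaves.
type Authenticator struct{ priv *ecdsa.PrivateKey }

// RelyingParty is the website, for one user: it stores only the public key
// and the challenge issued for the current login attempt (constructed, in-memory).
type RelyingParty struct {
	ID        string
	pub       *ecdsa.PublicKey
	challenge []byte
}

// Register is registration steps 3-4: key pair created on the device, public key sent to the server.
func (a *Authenticator) Register(rp *RelyingParty) error {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return err
	}
	a.priv, rp.pub = priv, &priv.PublicKey
	return nil
}

// Challenge: the server issues a fresh 32-byte random nonce per login attempt (replay protection).
func (rp *RelyingParty) Challenge() []byte {
	rp.challenge = make([]byte, 32)
	rand.Read(rp.challenge)
	return rp.challenge
}

// Sign is authentication step 3: the device signs SHA-256(rpID || challenge), where rpID is
// the site the browser is actually talking to, so a signature for a look-alike domain is useless.
func (a *Authenticator) Sign(rpID string, challenge []byte) ([]byte, error) {
	h := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.SignASN1(rand.Reader, a.priv, h[:])
}

// Verify is authentication step 4: the server checks the signature against the stored
// public key, its own ID and the challenge it issued.
func (rp *RelyingParty) Verify(sig []byte) bool {
	h := sha256.Sum256(append([]byte(rp.ID), rp.challenge...))
	return ecdsa.VerifyASN1(rp.pub, h[:], sig)
}
```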

Is FIDO authentication the same as MFA and Passwordless auth?

No, FIDO authentication is not the same as multi-factor authentication (MFA) or passwordless authentication, but it does encompass aspects of both technologies. Let's explore how.

FIDO authentication vs MFA

MFA (Multifactor authentication) is an authentication scheme that requires more than one factor to validate a user. For example, a password and a retina scan, or a password and a code from an authenticator application.

FIDO authentication implements MFA in a single, user-friendly step. As far as the user is concerned, they only have to scan their fingerprint or insert a hardware key to log in. However, the actual authentication workflow involves two factors: the passkey signature validation and the biometric verification.

FIDO authentication vs passwordless

Passwordless authentication is an authentication paradigm that does not require users to enter a password during login. Instead, users authenticate using a more secure and convenient alternative, such as a security key, a biometric or a token.

FIDO authentication is a type of passwordless authentication because it completely eradicates the need to use passwords for verification.

What is a FIDO security key?

A FIDO security key is a small, physical device used during FIDO authentication. FIDO security keys use public key cryptography to authenticate users.

When a user wants to log in to a website, they insert the security key into their computer. The security key then generates a random number and signs it with the user’s private key. The website verifies the signature using the user’s registered public key.

Security keys keep the user's sensitive credentials (passkey) safely locked away on the physical device. This means that even if a website's server is compromised, the user's passkey remains safe.

FIDO security keys also improve the overall user experience. Users don’t have to remember a list of lengthy and complex passwords. They simply have to insert the security key to log in to all their favorite applications.

FIDO U2F security key

A FIDO U2F security key is a physical device that is used as a second factor for user authentication. U2F security keys are based on the original FIDO U2F specifications, which focused on adding a secure secondary factor to password/PIN-based authentication.

U2F security keys are different from the modern FIDO security keys that we discussed in the last section. To understand their differences, it’s important to compare U2F and FIDO2.

U2F vs. FIDO2

FIDO2 (also referred to as FIDO) is an advanced version of U2F that focuses on providing a robust, passwordless login experience. Both U2F and FIDO2 offer the same level of cryptographic security. However, FIDO2 introduces WebAuthn and CTAP, two protocols that enable cross-device and cross-platform passwordless authentication.

The main distinction between FIDO2 and U2F keys lies in their original purposes. U2F was initially designed as a secondary factor for password-based logins, while FIDO2 was created to support (single and multi-factor) passwordless authentication.

Conclusion

FIDO authentication is a promising standard that offers several advantages over traditional passwords, including being more secure, phishing-resistant and convenient. It is supported by all popular browsers and operating systems, and an increasing number of web services have started to implement it. As FIDO authentication continues to evolve and gain traction, it is likely to become the new standard for online authentication.

Modern Multi-Factor Authentication for Secure apps and data

OneLogin Protect was purpose-built for use with OneLogin’s Trusted Experience Platform™ and provides a seamless, integrated user experience for MFA.