What is FIDO?
FIDO Authentication, developed by the FIDO Alliance,
is a global authentication standard based on public key cryptography.
- With FIDO Authentication, users sign in with phishing-resistant credentials, called passkeys.
- Passkeys can be synced across devices or bound to a platform or security key, and they let password-only logins be replaced with secure and fast login experiences across websites and apps.
About FIDO Alliance
The FIDO Alliance is an open industry association with a focused mission: authentication standards to reduce the world’s over-reliance on passwords. The FIDO Alliance promotes the development, use of, and compliance with standards for authentication and device authorization.
The FIDO Alliance works to fulfill its mission by:
- Developing technical specifications that define an open, scalable, interoperable set of mechanisms that reduce the reliance on passwords to authenticate users
- Operating industry certification programs to help ensure successful worldwide adoption of the specifications
- Submitting mature technical specification(s) to recognized standards development organization(s) for formal standardization
How FIDO Works
Registration
- User is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
- User unlocks the FIDO authenticator using a fingerprint reader, a button on a second-factor device, a securely entered PIN, or another method.
- User’s device creates a new public/private key pair unique for the local device, online service and user’s account.
- Public key is sent to the online service and associated with the user’s account. The private key and any information about the local authentication method (such as biometric measurements or templates) never leave the local device.
Login
- Online service challenges the user to log in with a previously registered device that matches the service’s acceptance policy.
- User unlocks the FIDO authenticator using the same method as at Registration time.
- Device uses the user’s account identifier provided by the service to select the correct key and sign the service’s challenge.
- Client device sends the signed challenge back to the service, which verifies it with the stored public key and logs in the user.
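The Registration and Login steps above, as an added Go model (not FIDO Alliance or WebAuthn code): the authenticator keeps one P-256 private key per service and account, the service stores only the public key, and login is a signature over a fresh challenge bound to the site identifier. The `rpID` strings, the `rpID || challenge` hashing and the lookalike domain `examp1e.com` are constructed for illustration; real deployments use the WebAuthn client-data format and attestation, which this model omits.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"fmt"
)

// Authenticator side: one private key per (service, account); private keys never leave it.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator { return &Authenticator{map[string]*ecdsa.PrivateKey{}} }

// Register creates a fresh P-256 key pair bound to rpID and user; only the public key is returned.
func (a *Authenticator) Register(rpID, user string) *ecdsa.PublicKey {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err) // system RNG failure
	}
	a.keys[rpID+"|"+user] = priv
	return &priv.PublicKey
}

// Sign selects the key for the site the client actually sees and signs the challenge bound to it;
// a lookalike domain has no matching key, which is what makes the credential phishing resistant.
func (a *Authenticator) Sign(seenRPID, user string, challenge []byte) ([]byte, error) {
	priv, ok := a.keys[seenRPID+"|"+user]
	if !ok {
		return nil, fmt.Errorf("no credential registered for %q", seenRPID)
	}
	digest := sha256.Sum256(append([]byte(seenRPID), challenge...))
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// Verify is the service side: check the signature with the public key stored at registration,
// over the service's own rpID and the fresh challenge it issued, so replayed signatures fail.
func Verify(pub *ecdsa.PublicKey, rpID string, challenge, sig []byte) bool {
	digest := sha256.Sum256(append([]byte(rpID), challenge...))
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

func main() {
	auth := NewAuthenticator()
	stored := auth.Register("example.com", "alice") // the service stores this public key
	challenge := make([]byte, 32)
	rand.Read(challenge) // the service issues a fresh challenge for every login
	sig, _ := auth.Sign("example.com", "alice", challenge)
	fmt.Println("login ok:", Verify(stored, "example.com", challenge, sig)) // true
	_, err := auth.Sign("examp1e.com", "alice", challenge) // constructed lookalike domain
	fmt.Println("lookalike site:", err)
}
```

The second `Sign` call shows why the credential cannot be phished: the authenticator holds no key for the lookalike domain, so there is nothing to sign, and a signature captured for one challenge does not verify for another.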