
Definition: FIDO


(1) For email, see FidoNet.

(2) (Fast IDentity Online) A technology from the FIDO Alliance that authenticates a user logging into a website or online service. Introduced in 2013, FIDO is called a "passwordless" system. Instead of a username and password, FIDO users sign in with a "passkey," and the same passkey can be used all the time. This is exactly the opposite of the "never use the same password" advice.

This Is Me and I can Prove It
The passkey may be a simple numeric PIN or a biometric such as a fingerprint, or both may be used. However, passkeys only begin the process. The passkey identifies the user, but the digital signature authenticates the user (see below). See password.




FIDO Uses Private/Public Key Pairs
Following the diagram above, when users open an account online, their device generates a public/private key pair, and the public key is sent to the website. Private keys are never transmitted to, or stored on, the website server. At login, after the passkey authentication identifies the user, the website sends the client a random string of data to serve as a challenge.

The client "signs" (encrypts) the challenge with the user's private key and sends this "digital signature" back to the website for verification. The server decrypts the challenge with the public key and compares it to the challenge that was sent. If they match, the user is verified.

Digital signatures are used to authenticate data because they are signed with the private key, and any entity with the freely available public key can decrypt the signature. If decrypted successfully, it is then an incontestable fact that the content comes from the owner of the key pair (see digital signature). See public key cryptography and FIDO protocols.
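The registration and login exchange described above, as an added example that is not part of the original entry or any FIDO Alliance code: the authenticator holds the private key and only ever exports the public key and signatures, while the server stores public keys, issues a fresh random challenge per login, and verifies the signature against the exact challenge it sent. The key type (ECDSA P-256), the one-time challenge table and the user names are assumptions chosen for illustration. The example also shows two failure modes the text implies but does not spell out: a signature from a different key pair is rejected, and a captured signature cannot be replayed once its challenge has been consumed.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Authenticator models the device's security chip (assumed design, not a real
// FIDO implementation). The private key never leaves it; only the public key
// (at registration) and signatures (at login) are handed out.
type Authenticator struct {
	priv *ecdsa.PrivateKey
}

func NewAuthenticator() (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	return &Authenticator{priv: priv}, nil
}

// PublicKey is the only key material sent to the website.
func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign answers a login challenge by signing its SHA-256 digest.
func (a *Authenticator) Sign(challenge []byte) ([]byte, error) {
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, a.priv, digest[:])
}

// Server models the website: it stores public keys only and remembers each
// outstanding challenge so it can be verified exactly once.
type Server struct {
	users      map[string]*ecdsa.PublicKey
	challenges map[string][]byte // user -> challenge awaiting a signature
}

func NewServer() *Server {
	return &Server{users: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
}

// Register stores the user's public key; no private key ever arrives here.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.users[user] = pub }

// Challenge issues 32 fresh random bytes for one login attempt.
func (s *Server) Challenge(user string) ([]byte, error) {
	if _, ok := s.users[user]; !ok {
		return nil, errors.New("unknown user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify checks the signature against the stored public key and the challenge
// the server itself issued. The challenge is consumed whether or not the check
// passes, so a captured signature is useless for a later login.
func (s *Server) Verify(user string, sig []byte) bool {
	pub, known := s.users[user]
	c, issued := s.challenges[user]
	delete(s.challenges, user)
	if !known || !issued {
		return false
	}
	digest := sha256.Sum256(c)
	return ecdsa.VerifyASN1(pub, digest[:], sig)
}

// LoginFlow runs one complete login: challenge, sign, verify.
func LoginFlow(s *Server, user string, a *Authenticator) (bool, error) {
	c, err := s.Challenge(user)
	if err != nil {
		return false, err
	}
	sig, err := a.Sign(c)
	if err != nil {
		return false, err
	}
	return s.Verify(user, sig), nil
}

func main() {
	auth, _ := NewAuthenticator() // "alice" is a constructed sample user
	srv := NewServer()
	srv.Register("alice", auth.PublicKey())
	ok, _ := LoginFlow(srv, "alice", auth)
	fmt.Println("genuine device:", ok) // true
	other, _ := NewAuthenticator()
	ok, _ = LoginFlow(srv, "alice", other)
	fmt.Println("different key pair:", ok) // false
}
```

Note that the server never "decrypts" anything: with ECDSA, verification is a check that the signature matches the public key and the challenge digest, which is the same test the entry describes in encryption terms.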







Internal and External Authenticators
FIDO authenticators generate the keys and handle the login process thereafter. The keys are stored in the device's security chip. If an external authenticator is used, such as the USB and smart card examples above, users can log in on any computer. (Images courtesy of Yubico and CRYPTNOX SA.)




There Is Major Support
Influential companies are adding FIDO support to their logins, but a totally passwordless future will take time to implement. Having private keys means backing them up, especially if external authenticators are used. Most importantly, nearly all major websites must support FIDO to make it truly worthwhile. For protocol details, see FIDO protocols. See password manager.