Understanding FIDO Standards: Your Go-To Guide
FIDO is an acronym that comes from the Latin fido, meaning ‘to trust’, which was popularised by Abraham Lincoln—who borrowed it to name his dog. It’s a fitting name for man’s best friend, and just as appropriate in the security world, where trust is key.
A more technical reference, FIDO (Fast IDentity Online), emerged in 2012 and is backed by a range of big tech and finance players like PayPal, Lenovo, Google, Visa, and Microsoft, known collectively as the FIDO Alliance. Based on public key cryptography, FIDO is a set of protocols designed to support authentication of just about any type. This includes fingerprint, biometrics, One-Time Passwords (OTP), Trusted Platform Modules (TPM), USB security tokens, near-field communication (NFC), and Bluetooth for mobile devices—with API support to handle the heavy lifting for developers.
Since arriving on the scene, the FIDO Alliance has published three specifications: Universal 2nd Factor (U2F), Universal Authentication Framework (UAF), and FIDO2, the last of these comprising the Web Authentication (WebAuthn) and Client to Authenticator Protocol 2 (CTAP2).
With all these acronyms flying around, it can be a challenge to keep up with all these differing specifications. We’ve put together this guide to define each FIDO specification and give you the details of their authentication capabilities and differences.
FIDO 1.0: U2F and UAF
In 2014, FIDO published the Universal Authentication Framework (UAF), which was intended to implement passwordless authentication through biometrics. They then added Universal 2nd Factor (U2F), developed by Google and Yubico as a more secure standard for traditional OTP-based two-factor authentication (2FA). U2F included its own client-side protocol, Client to Authenticator Protocol (CTAP), which could be used to authenticate a token via USB, near-field communication (NFC), or Bluetooth.
By doing this, FIDO 1.0 implemented public-key encryption in a way that overcame the inherent vulnerabilities of OTPs sent across insecure networks. Instead of a simple pin, a private/public key pair was created during registration for a service, with the private key secured on the user's token or device, and never transmitted. This meant there was nothing to intercept and steal. All the service provider retained was the public key associated with the user.
Nevertheless, FIDO 1.0 was still two protocols built to do different things and created in the interests of two different players—an industry alliance backed by PayPal (UAF), and Google (U2F). But one big name was missing (Apple), and set about implementing their own biometric authentications, namely Touch ID and later Face ID. The risk was that FIDO would become fragmented, with the user experience dictated by platforms and devices.
On the plus side, UAF had embedded support for biometric authentication inside mobile devices, while U2F was supported natively inside the world's most popular web browser, Chrome. This meant that FIDO authentication wasn't something users had to enable or download—it was an embedded capability, of which many already had access.
FIDO2 and Web Authentication
FIDO2 is a further development of Google and Yubico’s U2F protocol with an expanded version of CTAP, now called CTAP2. While U2F was designed to act as a second factor for passwords, FIDO2’s purpose is to allow authentication to become passwordless. It does this via a new web API called Web Authentication (WebAuthn). This API allows web applications to use public-key encryption and authenticators directly. So where FIDO1.0 still required usernames and passwords, FIDO2 has created the architecture needed to do away with traditional credentials.
WebAuthn with CTAP2 has two important capabilities. First, it's backwards-compatible and complementary to U2F and UAF, so anyone using those technologies can continue to do so even as efforts shift to WebAuthn and CTAP2. Second, WebAuthn has been adopted by the World Wide Web Consortium (W3C), meaning it’s an open web standard, rather than one backed by just a handful of companies.
Browser support for WebAuthn is now also being added to Chrome, Firefox, and Edge. It’s still early days, but wider support looks promising—the W3C adoption makes it likely that Apple’s Safari, for instance, will follow suit.
How will WebAuthn improve on FIDO 1.0 from the user’s point of view? By making authentication universal, easy-to-use, and allowing everyone to move beyond passwords (an authentication that has become a global security weakness). However, challenges remain, such as overcoming a lack of awareness about the need for authentication, and the perception that UAF and U2F were only intended for businesses and power users.
This can be overcome by brands and service providers offering WebAuthn as a default option. The challenge over the next two years will be to get more ordinary web users to switch from passwords to WebAuth—it’s just a matter of trust.
At Okta, we strongly support open authentification standards such as FIDO. Our Adaptive MFA allows organisations to implement passwordless authentication, and we’ve partnered with Yubico to provide U2F keys for enterprises.