The document discusses technical specifications for device authentication provided by FIDO. It describes issues with traditional password authentication and how FIDO addresses these through standards that separate user verification from authentication. FIDO uses public key cryptography and relies on authenticators that can be integrated into devices to enable strong, passwordless authentication across multiple websites and applications.

1. 1
TECHNICAL
SPECIFICATIONS
OVERVIEW
REVISED SEPTEMBER 22ND 2017
All Rights Reserved | FIDO Alliance | Copyright 2017

2. All Rights Reserved | FIDO Alliance | Copyright 20172
HOW SECURE IS AUTHENTICATION?

3. All Rights Reserved | FIDO Alliance | Copyright 20173
CLOUD AUTHENTICATION
DeviceSomething Authentication
Risk Analytics
Internet

4. All Rights Reserved | FIDO Alliance | Copyright 20174
PASSWORD ISSUES
DeviceSomething Authentication
Internet
Password could be stolen
from the server
1Password might be entered
into untrusted App / Web-
site (“phishing”)
2
Too many passwords to
remember
(>re-use / cart Abandonment)
3
Inconvenient to type
password on phone
4

5. All Rights Reserved | FIDO Alliance | Copyright 20175
CLASSIFYING THREATS
Attacks not focused on the client system, e.g. steal data from servers for
impersonation, phishing pwds, or MITM attacks
Remotely attacking
lots of user devices
steal data for
impersonation
Remotely attacking
lots of user devices
misuse them for
impersonation
Remotely attacking
lots of user devices
misuse authenticated
sessions
Physically attacking user devices
steal data for impersonation
Physically attacking user devices
misuse them for impersonation
1
2 3 4
5 6
Physical attacks
possible on lost or
stolen devices
(3% in the US in 2013)
Scalable attacks

6. All Rights Reserved | FIDO Alliance | Copyright 20176
HOW DOES FIDO WORK?

7. All Rights Reserved | FIDO Alliance | Copyright 20177
HOW DOES FIDO WORK?
DeviceUser verification FIDO Authentication
Authenticator

8. All Rights Reserved | FIDO Alliance | Copyright 20178
HOW DOES FIDO WORK?
AuthenticatorUser verification FIDO Authentication
Require user gesture before
private key can be used
Challenge
(Signed) Response
Private key
dedicated to one
app Public key

9. All Rights Reserved | FIDO Alliance | Copyright 20179
HOW DOES FIDO WORK?
AuthenticatorUser verification FIDO Authentication
… …SE

10. All Rights Reserved | FIDO Alliance | Copyright 201710
HOW DOES FIDO WORK?
AuthenticatorUser verification FIDO Authentication
Same Authenticator
as registered before?
Same User as
enrolled before?
Can recognize the user (i.e.
user verification), but doesn’t
know its identity attributes.

11. All Rights Reserved | FIDO Alliance | Copyright 201711
HOW DOES FIDO WORK?
AuthenticatorUser verification FIDO Authentication
Same Authenticator
as registered before?
Same User as
enrolled before?
Can recognize the user (i.e.
user verification), but doesn’t
know its identity attributes.
Identity binding to be
done outside FIDO: This
this “John Doe with
customer ID X”.

12. All Rights Reserved | FIDO Alliance | Copyright 201712
HOW DOES FIDO WORK?
AuthenticatorUser verification FIDO Authentication
… …SE
How is the key protected
(TPM, SE, TEE, …)?
Which user verification
method is used?

13. All Rights Reserved | FIDO Alliance | Copyright 201713
ATTESTATION + METADATA
Private
attestation key
Signed Attestation Object
Metadata
Understand Authenticator
security characteristic by
looking into Metadata from
mds.fidoalliance.org
FIDO Registration
Verify using trust anchor
included in Metadata

14. All Rights Reserved | FIDO Alliance | Copyright 201714
FIDO AUTHENTICATOR CONCEPT
FIDO Authenticator
User
Verification /
Presence
Attestation Key
Authentication Key(s)
Injected at
manufacturing,
doesn’t change
Generated at
runtime (on
Registration)
Optional
Components
Transaction
Confirmation
Display

15. All Rights Reserved | FIDO Alliance | Copyright 201715
CLIENT SIDE BIOMETRICS
Trusted Execution Environment (TEE)
FIDO Authenticator as Trusted Application (TA)
User Verification / Presence
Attestation Key
Authentication Key(s)
Store at Enrollment
Compare at Authentication
Unlock after comparison

16. All Rights Reserved | FIDO Alliance | Copyright 201716
FIDO USE CASES
Passwordless Experience (UAF Standards)
Authenticated Online
3
Biometric User Verification*
21
?
Authentication Challenge Authenticated Online
3
Second Factor Challenge Insert Dongle* / Press Button
Second Factor Experience (U2F Standards)
*There are other types of authenticators
21

17. All Rights Reserved | FIDO Alliance | Copyright 201717
FIDO REGISTRATION
accountInfo, challenge, [cOpts]
rpId, ai, hash(clientData), cryptoP, [exts]
verify user
generate:
key kpub
key kpriv
credential c
c,kpub,clientData,ac,cdh,rpId,cntr,AAGUID[,exts],
signature(tbs)
c,kpub,clientData,ac,tbs, s
store:
key kpub
c
s
Authenticator
select Authenticator according to cOpts;
determine rpId, get tlsData;
clientData := {challenge, origin, rpId, hAlg, tlsData}
cOpts: crypto params, credential black list,
extensions
cdh
ai
tbs
ac: attestation certificate chain

18. All Rights Reserved | FIDO Alliance | Copyright 201718
FIDO AUTHENTICATION
Authenticator Relying Party
rpId, [c,] hash(clientData)
select Authenticator according to policy;
check rpId, get tlsData (i.e. channel id, etc.);
lookup key handle h;
clientData := {challenge, rpId, tlsData}
clientData,cntr,[exts],signature(cdh,cntr,exts)
clientData, cntr, exts, s
lookup kpub
from DB
check:
exts +
signature
using
key kpub
s
cdh
challenge, [aOpts]
verify user
find
key kpriv
cntr++;
process exts

19. All Rights Reserved | FIDO Alliance | Copyright 201719
FIDO BUILDING BLOCKS
(External)
Authenticator
FIDO USER DEVICE
FIDO Client
(Bound)
Authenticator
ASM
RP App FIDO Authentication
RP App Server
FIDO Server
Metadata

20. All Rights Reserved | FIDO Alliance | Copyright 201720
THE ROAD AHEAD
FIDO 2 PROJECT:
WEBAUTHN AND CTAP

21. All Rights Reserved | FIDO Alliance | Copyright 201721
WEB AUTHENTICATION
Supported In:
A new JavaScript API
that enables FIDO Authentication
in web browsers

22. All Rights Reserved | FIDO Alliance | Copyright 201722
RELYING PARTY APPLICATION
Browser “Application”:
A normal website - HTML, CSS,
JavaScript
Website, Inc. [US] https://www.acme.com
acme.com X

23. All Rights Reserved | FIDO Alliance | Copyright 201723
FIDO BUILDING BLOCKS
(Roaming)
Authenticator
User Device
Browser
(Bound)
Authenticator
Platform
RP App FIDO Authentication
RP App Server
FIDO Server
Metadata
Web
Authentication
JS API
CTAP

24. All Rights Reserved | FIDO Alliance | Copyright 201724
WEBAUTHN APIs: Create
User Device
Browser
Authenticator
Platform
RP AppWeb
Authentication
JS API
publicKeyCred = {
challenge, rp: {name=“Acme”},
user: { name=“john.smith@example.com”,
displayName = “John’s personal account”,
id: “1098237235409872”,
icon: "https://pics.acme.com/00/apqPb.png"
},
parameters: [ {
type: "public-key", algorithm: "ES256" }],
}
navigator.credentials.create( {publicKeyCred})
.then(function (newCredInfo) {
// Send new credential info to server for checking
// contains AuthenticatorAttestationResponse
})
);
John

25. All Rights Reserved | FIDO Alliance | Copyright 201725
WEBAUTHN APIs: Get
User Device
Browser
Authenticator
Platform
RP AppWeb
Authentication
JS API
var options = {
challenge: ValueFromServer,
timeout: 60000, // 1 minute
allowList: [{ type: "public-key" }]
};
navigator.credentials.get({ "publicKey": options })
.then(function (assertion) {
// Send assertion to server for verification
})
John

26. All Rights Reserved | FIDO Alliance | Copyright 201726
FIDO BUILDING BLOCKS
(External)
Authenticator
User Device
Browser
(Bound)
Authenticator
Platform
RP AppWeb
Authentication
JS API
authenticaorGetInfo()
authenticatorMakeCredential()
authenticatorGetAssertion()
authenticatorClientPIN()
authenticatorCancel()
Platform
specific
interface
FIDO CTAP
interface

27. All Rights Reserved | FIDO Alliance | Copyright 201727
FIDO AUTHENTICATION:
SECURITY & CONVENIENCE

28. All Rights Reserved | FIDO Alliance | Copyright 201728
CONVENIENCE & SECURITY
Security
Convenience
Password + OTP
Password

29. All Rights Reserved | FIDO Alliance | Copyright 201729
CONVENIENCE & SECURITY
Security
Convenience
Password + OTP
Password
FIDO
In FIDO
• Same user verification method
for all servers
In FIDO: Arbitrary user verification
methods are supported
(+ they are interoperable)

30. All Rights Reserved | FIDO Alliance | Copyright 201730
CONVENIENCE & SECURITY
Security
Convenience
Password + OTP
Password
FIDO
In FIDO: Scalable security
depending on Authenticator
implementation
In FIDO:
• Only public keys on server
• Not phishable

31. All Rights Reserved | FIDO Alliance | Copyright 201731
CONCLUSION
• Different authentication use-cases lead to different
authentication requirements
• FIDO separates user verification from authentication and
hence supports all user verification methods
• FIDO supports scalable convenience & security
• User verification data is known to Authenticator only
• FIDO complements federation

32. All Rights Reserved | FIDO Alliance | Copyright 201732

33. All Rights Reserved | FIDO Alliance | Copyright 201733
Please Silence All
Electronic Devices