FIDO2 Protocol

The FIDO2 standard integrates FIDO authentication into web browsers, and into platforms more generally, and is built on two components:

  • WebAuthn (Web Authentication), a W3C standard that specifies the browser API (navigator.credentials.create() and navigator.credentials.get()) through which a web application asks for a credential to be created or used. It is supported by current versions of Firefox, Edge, Chrome and Safari and brings strong authentication to web-based applications.

  • CTAP (Client to Authenticator Protocol), the second part of FIDO2, which specifies how a client platform such as a PC talks to an external (roaming) authenticator such as a USB security key, a smart card or a phone, over USB, NFC or Bluetooth.

In a nutshell, with the FIDO2 standards, developers are now able to:

  • Replace username and password flows with public-key credentials. Each credential is generated on the authenticator and is scoped to a single relying party (the website or app, identified by its RP ID), so a key registered with one site cannot be used with, or correlated across, another site.

  • Introduce usernameless authentication. With discoverable credentials (also called resident keys) the authenticator stores the user handle alongside the key, so the user does not have to type a username; picking the credential on the FIDO device is enough.

  • Authenticate users with several authenticator types: platform authenticators built into the device (TPM-backed keys, biometric sensors such as fingerprint or face recognition) and roaming authenticators such as external USB security keys.

The FIDO2 standard is written primarily for the web, but it is not limited to it: it can also be used from mobile and native applications through the platform's credential APIs.

WebAuthentication (WebAuthn)

WebAuthn defines the browser-side API: as a website developer you call its standardized interface to create and use credentials when authenticating users to a web-based application.

Behind WebAuthn sits the protocol between the client (the browser or operating system) and the authenticator: CTAP2 for FIDO2 roaming authenticators such as USB security keys (CTAP1/U2F for older keys), and the platform's own interface for built-in authenticators such as TPM-backed Windows Hello or Touch ID.

WebAuthn is implemented by all major web browsers.
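As an added example (not code from the original article or from any WebAuthn library), here is the client-side glue a web application needs around the two WebAuthn calls: the relying party sends its options as JSON with base64url strings, the API expects ArrayBuffers, and the credential the browser returns has to be re-encoded before it is posted back. The /webauthn/... endpoints are assumed; the option and response field names are those of the WebAuthn specification.

```javascript
// Added example: browser-side glue around navigator.credentials.create()/get().
// Server options arrive as JSON with base64url strings; the WebAuthn API wants
// ArrayBuffers, and the response must be re-encoded before it is POSTed back.
// The /webauthn/* endpoints below are assumed, not part of the article.
function base64urlToBytes(s) {
  const padded = s.replace(/-/g, '+').replace(/_/g, '/').padEnd(Math.ceil(s.length / 4) * 4, '=');
  return Uint8Array.from(atob(padded), (c) => c.charCodeAt(0));
}

function bytesToBase64url(buf) {
  return btoa(String.fromCharCode(...new Uint8Array(buf)))
    .replace(/\+/g, '-').replace(/\//g, '_').replace(/=+$/, '');
}

// navigator.credentials.create() input, built from what the RP server sent.
// challenge, user.id and excludeCredentials[].id are the binary fields.
function toCreationOptions(serverOptions) {
  return {
    ...serverOptions,
    challenge: base64urlToBytes(serverOptions.challenge),
    user: { ...serverOptions.user, id: base64urlToBytes(serverOptions.user.id) },
    excludeCredentials: (serverOptions.excludeCredentials || []).map((c) => ({
      ...c, id: base64urlToBytes(c.id),
    })),
  };
}

// navigator.credentials.get() input; allowCredentials may be empty for usernameless login.
function toRequestOptions(serverOptions) {
  return {
    ...serverOptions,
    challenge: base64urlToBytes(serverOptions.challenge),
    allowCredentials: (serverOptions.allowCredentials || []).map((c) => ({
      ...c, id: base64urlToBytes(c.id),
    })),
  };
}

// PublicKeyCredential -> JSON the server can parse. Registration responses carry
// attestationObject; authentication responses carry authenticatorData, signature
// and (for discoverable credentials) userHandle.
function serializeCredential(cred) {
  const r = cred.response;
  const out = {
    id: cred.id, rawId: bytesToBase64url(cred.rawId), type: cred.type,
    response: { clientDataJSON: bytesToBase64url(r.clientDataJSON) },
  };
  if (r.attestationObject) out.response.attestationObject = bytesToBase64url(r.attestationObject);
  if (r.authenticatorData) out.response.authenticatorData = bytesToBase64url(r.authenticatorData);
  if (r.signature) out.response.signature = bytesToBase64url(r.signature);
  if (r.userHandle) out.response.userHandle = bytesToBase64url(r.userHandle);
  return out;
}

// Registration ceremony as driven from a page (assumed endpoints).
async function registerInBrowser() {
  const serverOptions = await (await fetch('/webauthn/register/options', { method: 'POST' })).json();
  const cred = await navigator.credentials.create({ publicKey: toCreationOptions(serverOptions) });
  return fetch('/webauthn/register/verify', {
    method: 'POST', headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(serializeCredential(cred)),
  });
}

// Login ceremony, same shape with get() and toRequestOptions().
async function loginInBrowser() {
  const serverOptions = await (await fetch('/webauthn/login/options', { method: 'POST' })).json();
  const cred = await navigator.credentials.get({ publicKey: toRequestOptions(serverOptions) });
  return fetch('/webauthn/login/verify', {
    method: 'POST', headers: { 'Content-Type': 'application/json' },
    body: JSON.stringify(serializeCredential(cred)),
  });
}
```

Only registerInBrowser() and loginInBrowser() need a browser; the encoding helpers can be exercised outside one, which is how to unit-test the base64url round trip, where challenge comparisons on the server side often go wrong.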

How does FIDO2 Work?

There are two main steps in the FIDO2 process: registration and login.

To learn more about the definition of terms used in this section please refer to:

Registration

Registration takes place while the user is already signed in to your application (for example with a password, or right after creating an account). You prompt the user to confirm whether they want to register a FIDO device (USB key, phone, built-in authenticator). If they accept, the application sends a random challenge together with its RP ID, the user's information and the accepted key algorithms to the browser, which calls the WebAuthn API; the authenticator asks for a user gesture and generates a new key pair. The private key never leaves the authenticator, while the public key, a credential ID and some metadata (the attestation object, including the initial signature counter) go back to the application. The application stores the public key, credential ID and counter as part of the user profile.

FIDO2 Registration Flow

Login

On the login flow, the application presents a login form and offers authentication with the FIDO device. The application generates a fresh random challenge and sends it to the browser together with the credential IDs registered for that user (or no list at all in a usernameless flow). The browser calls the WebAuthn API and the authenticator prompts the user for a gesture that confirms user presence (touching the key, scanning a fingerprint, entering a PIN). The authenticator then signs the challenge, together with the RP ID hash and a signature counter, with the private key, and the signed assertion is passed back to the application. The application verifies that the challenge and origin match what it issued, that the RP ID hash is its own, that user presence was asserted, that the signature verifies under the stored public key, and that the signature counter has increased; only if all checks pass is the user authenticated.

FIDO2 Login/Authentication Flow