FIDO (Fast IDentity Online) is open standard for online authentication. It is designed for solving the password problems which is stems from a lot of security problems as we are suffering today.
Rather than relying on symmetric credentials (like password or pin, typically which is knowledge based factor), FIDO is based on public key cryptography algorithm which is based on asymmetric credentials.
Simply, the device generates the key pair and stores the private key within the secure area and send corresponding public key (as the name implies it is okay to be public) to the server.
Then, if the authentication is needed, the server sends challenges to the device and the device generates the digital signature with the private key and send it to the server.
Finally, the server can validate the signature with the registered public key.
FIDO2 is an improved standard for use on the web and other platforms as well as mobile. Various web browsers and OS platforms currently support the FIDO2 standard API.
Basically, FIDO2 has following operations - Registration, Authentication.
- User is prompted to choose an available FIDO authenticator that matches the online service’s acceptance policy.
- User unlocks the FIDO authenticator using a fingerprint reader, a button on a second–factor device, securely–entered PIN or other method.
- User’s device creates a new public/private key pair unique for the local device, online service an