
About the authenticators available for FIDO

In FIDO, authentication is performed using a FIDO-compliant "authenticator". This page introduces the types and features of authenticators.


Types and Roles of FIDO Authenticator

Type of authenticator

There are two main types of FIDO-enabled authenticators: "Platform authenticator" and "Roaming authenticator".

  • Platform authenticator
    It refers to the use of a security module called a TPM (Trusted Platform Module) built into devices such as PC terminals and smartphones. FIDO uses this TPM for key generation and signing. As for smartphones, they can be used as external authenticators for the devices they use.

     

  • Roaming authenticator
    Refers to an authenticator used externally to a device. FIDO uses an external authenticator to generate keys and sign. It is like an external TPM. Depending on the authenticator used, it has various connection interfaces such as USB, NFC (Near Field Communication), and Bluetooth.

    It is commonly referred to as a "Security key".
    *The roaming authenticator will henceforth be referred to as a "security key".

Role of the authenticator

The authenticator plays the following roles in FIDO "Registration" and "Authentication".

*There are multiple FIDO standards, but this page describes "FIDO2 (*1)", the latest FIDO specification.

  • FIDO's role in registration

    • PIN or biometric (fingerprint / face) confirmation that it is the user's authenticator

    • Create a key pair to be used for signing

    • Sign the challenge and return it with the "validation key" (public key)

  • FIDO's role in authentication

    • PIN or biometric (fingerprint / face) confirmation that it is the user's authenticator

    • Return the challenge with signatures.


(*1) Why FIDO "2"?

FIDO2 has a predecessor standard, "FIDO1". FIDO1 was established as an authentication standard based on public key cryptography and consists of two standards: "Universal Authentication Framework (UAF)" and "FIDO U2F (Universal Second Factor)". UAF enables passwordless authentication using FIDO-compatible devices, utilizing methods such as PINs or biometrics. On the other hand, U2F is a two-factor authentication system using an external authenticator in combination with other authentication factors. These standards have been developed in parallel by the FIDO Alliance in two subcommittees, but it is no longer desirable for them to exist as separate standards, and it has become necessary to re-develop a unified standard. Then, FIDO2 was established as a new standard that integrated UAF and U2F and added a mechanism to check the authenticator's validity.

*Technical details about FIDO will be explained in a page to be published in the future.

Security key Features and Types

In the previous section, we explained that there are platform authenticators and external-type security keys; the latter come in several further types. The following is a brief introduction to the features of security keys and what we offer.

Features of Security key

  • Phishing Resistance
    Put simply, phishing is the act of "directing someone to a fake website with a similar URL, forcing them to enter their authentication information, and then robbing them of their accounts, information, or money". With authentication using a security key, the domain name (URL) is always checked mechanically, and authentication information (results) is passed only to sites that match. Therefore, if you access a fake URL, you will not pass on your authentication information, and a third party will not be able to steal your information.
     

  • Convenience
    The authentication is completed by inserting the security key into the USB port and entering the "PIN code" or "biometric confirmation" preset on the security key. Strong authentication is possible without compromising usability.
    *The method of connection to the device depends on the security key used.

     

  • Robustness
    With conventional password-based authentication, the password itself is confidential information that can be stolen through network eavesdropping or server attacks. In the case of security keys, on the other hand, the secret information is kept inside the security key and is designed so that it cannot be retrieved.
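
The registration and authentication roles described earlier, and the domain check behind phishing resistance, can be seen in a small simulation. This is an added example, not code from this page or from any FIDO product: `ToyAuthenticator`, `browserGetAssertion` and `serverVerify` are hypothetical names, the domains are constructed, and the signed data layout is a simplified stand-in for the real WebAuthn structures.

```javascript
// Added illustration: a toy model of origin binding, not a real WebAuthn/CTAP stack.
const crypto = require('node:crypto');
const sha256 = (data) => crypto.createHash('sha256').update(data).digest();
// Authenticator: one private key per relying-party ID (rpId); keys never leave it.
class ToyAuthenticator {
  constructor() { this.keys = new Map(); }
  register(rpId) {
    const { publicKey, privateKey } = crypto.generateKeyPairSync('ec', { namedCurve: 'P-256' });
    this.keys.set(rpId, privateKey);
    return publicKey; // only the public (validation) key goes to the service
  }
  sign(rpId, clientDataJSON) {
    const privateKey = this.keys.get(rpId);
    if (!privateKey) return null; // no credential scoped to this domain
    const authData = sha256(rpId); // simplified stand-in for authenticator data
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    return { authData, clientDataJSON, signature: crypto.sign('sha256', signed, privateKey) };
  }
}
// Browser: writes the page's real origin into the signed data; the page cannot pick it.
function browserGetAssertion(authenticator, pageOrigin, rpId, challenge) {
  const host = new URL(pageOrigin).hostname;
  if (host !== rpId && !host.endsWith('.' + rpId)) return null; // rpId must match the page
  const clientDataJSON = JSON.stringify({ type: 'webauthn.get', challenge, origin: pageOrigin });
  return authenticator.sign(rpId, clientDataJSON);
}
// Service: checks challenge, origin and rpId hash before trusting the signature.
function serverVerify(assertion, publicKey, expected) {
  if (!assertion) return false;
  const clientData = JSON.parse(assertion.clientDataJSON);
  if (clientData.challenge !== expected.challenge) return false;
  if (clientData.origin !== expected.origin) return false;
  if (!assertion.authData.equals(sha256(expected.rpId))) return false;
  const signed = Buffer.concat([assertion.authData, sha256(assertion.clientDataJSON)]);
  return crypto.verify('sha256', signed, publicKey, assertion.signature);
}
function demo() {
  const key = new ToyAuthenticator();
  const publicKey = key.register('example.com'); // registration
  const challenge = crypto.randomBytes(16).toString('base64url');
  const expected = { rpId: 'example.com', origin: 'https://example.com', challenge };
  const ask = (origin, rpId) =>
    serverVerify(browserGetAssertion(key, origin, rpId, challenge), publicKey, expected);
  return {
    genuine: ask('https://example.com', 'example.com'),
    lookalikeOwnId: ask('https://examp1e.com', 'examp1e.com'), // no key for this domain
    lookalikeRealId: ask('https://examp1e.com', 'example.com'), // browser refuses
  };
}
```

Only the genuine site receives a result the service accepts; the lookalike domain gets nothing back in either case, which is the mechanical domain check described under Phishing Resistance.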

Introduction of Security keys

We are a security key distributor. Here is a brief introduction of the FIDO2-compliant security keys we offer. Although some keys have functions other than FIDO, we will focus on the FIDO function.

securitykey_table_en.png

There are two main models of security keys.
 

  • PIN model
    This model requires PIN code input when verifying the owner of the authenticator. The above figure applies to those without a check mark in the biometric item. Compared to biometric models, they are relatively inexpensive.
     

  • Biometric model
    This model requires biometric verification when verifying the owner of the authenticator. The above figure applies to those with checks in the biometric items. Compared to the PIN model, the authentication operation is easier since the user only needs to touch the sensor during authentication.

     

Both types of security keys are available for USB, NFC, Bluetooth, and various other interfaces, so please select the security key that best suits your needs. Detailed specifications can be found here. Please purchase from Amazon. Please contact us for large quantity purchases, etc.

The following section describes the setup and support information for the authenticator.

Authenticator Setup and Support Information

Setup

To use a platform authenticator or security key as a FIDO authenticator, a PIN or biometric must be set. No PIN or fingerprint is set at the purchase stage. Please refer to the setup instructions below.

Use of platform authenticator
 

 

  • Mac device
    If you use the built-in authenticator on a Mac device, you would use Touch ID. Please refer to "Use Touch ID on Mac" to set up Touch ID.
     

  • Smartphone
    Although the PIN and biometrics will probably be set during initial setup, please refer to the manual for the model in question for detailed operations.

Use of security keys

A PC device is required to perform the initial setup of the security key. Please refer to the following for setup.
 

 

Support Information

FIDO is natively supported in browsers and platforms. (Latest version recommended)

  • Chrome
  • Edge
  • Firefox
  • Safari

Currently supported features vary by browser and platform combination.

For more information, please click here.

Where is it available?

I would like to use it in a web service or application.

Any service that supports MFA (multi-factor authentication) with FIDO authenticators can be used. Please check the MFA compatibility pages of the various services to see if the service you are currently using is compatible. You can easily find it by looking up "the name of the service you are using, MFA" in the search field of your browser.

*FIDO2 is not the only MFA that can be used; there are also MFA methods that use SMS and one-time passwords, so please make sure that the service's MFA supports "FIDO2 (WebAuthn)".

I would like to incorporate it into my company's services

YubiOn FIDO2® Server

We provide FIDO2 authentication infrastructure to enable MFA with FIDO at your service. You can choose either cloud or on-premise type of authentication infrastructure.

I would like to strengthen the login for PC devices.

YubiOn FIDO Logon

A cloud service that provides multi-factor authentication using the FIDO2 protocol for PC terminal logon, with convenient features such as integrated management via a web management console and remote control functions.
