About the authenticators available for FIDO
In FIDO, authentication is performed using a FIDO-compliant "authenticator". This page introduces the types and features of authenticators.
Types and Roles of FIDO Authenticator
Type of authenticator
There are two main types of FIDO-enabled authenticators: "Platform authenticator" and "Roaming authenticator".
- Platform authenticator
  A platform authenticator uses a security module called a TPM (Trusted Platform Module) that is built into the device itself, such as a PC or a smartphone. FIDO uses this TPM for key generation and signing. A smartphone can also be used as an external authenticator for another device.
- Roaming authenticator
  A roaming authenticator is an authenticator used externally to the device. FIDO uses this external authenticator for key generation and signing; it is like an external TPM. Depending on the model, it offers various connection interfaces such as USB, NFC (Near Field Communication), and Bluetooth.
  It is commonly referred to as a "security key". *In the rest of this page, the roaming authenticator is referred to as a "security key".
Role of the authenticator
The authenticator plays the following roles in FIDO "Registration" and "Authentication".
*There are multiple FIDO standards, but this page describes them in terms of "FIDO2 (*1)", the latest FIDO specification.
- Registration
  - Confirm by PIN or biometric (fingerprint / face) that the authenticator belongs to the user
  - Create a key pair to be used for signing
  - Sign the challenge and return it together with the validation key (public key)
- Authentication
  - Confirm by PIN or biometric (fingerprint / face) that the authenticator belongs to the user
  - Return the challenge with a signature
(*1) Why FIDO "2"?
FIDO2 has a predecessor standard, "FIDO1". FIDO1 was established as an authentication standard based on public key cryptography and consists of two standards: "Universal Authentication Framework (UAF)" and "FIDO U2F (Universal Second Factor)". UAF enables passwordless authentication using FIDO-compatible devices, with methods such as PINs or biometrics. U2F, on the other hand, is a two-factor authentication scheme that uses an external authenticator in combination with other authentication factors. These standards were developed in parallel by two subcommittees of the FIDO Alliance, but keeping them as separate standards was no longer desirable, and a unified standard had to be developed. FIDO2 was then established as a new standard that integrates UAF and U2F and adds a mechanism to check the validity of the authenticator.
*Technical details about FIDO will be explained in a page to be published in the future.
Security key Features and Types
In the previous section, we explained that there are platform authenticators and external security keys; for the latter there are several different types of security key. The following is a brief introduction to the features of security keys and to the products we offer.
Features of Security key
- Phishing Resistance
  Put simply, phishing is the act of directing someone to a fake website with a similar URL, making them enter their authentication information, and then stealing their accounts, information, or money. With security key authentication, there is always a mechanism that mechanically checks the domain name (URL) and passes the authentication information (results) only to a site whose domain matches. Therefore, if you access a fake URL, your authentication information is not passed on, and a third party cannot steal it.
- Convenience
  Authentication is completed by inserting the security key into the USB port and entering the "PIN code" or performing the "biometric confirmation" preset on the security key. Strong authentication is possible without compromising usability.
  *The method of connection to the device depends on the security key used.
- Robustness
  With conventional password-based authentication, the password itself is confidential information that can be stolen through network eavesdropping or attacks on the server. With a security key, on the other hand, the secret information is kept inside the security key, which is designed so that it cannot be retrieved.
Introduction of Security keys
We are a security key distributor. Here is a brief introduction of the FIDO2-compliant security keys we offer. Although some keys have functions other than FIDO, we will focus on the FIDO function.
There are two main models of security keys.
- PIN model
  This model requires PIN code input when verifying the owner of the authenticator. In the figure above, these are the models without a check mark in the biometric column. Compared to biometric models, they are relatively inexpensive.
- Biometric model
  This model requires biometric verification when verifying the owner of the authenticator. In the figure above, these are the models with a check mark in the biometric column. Compared to the PIN model, the authentication operation is easier, since the user only needs to touch the sensor during authentication.
Both types of security key are available with USB, NFC, Bluetooth, and various other interfaces, so please select the security key that best suits your needs. Detailed specifications can be found here. Please purchase from Amazon. Please contact us for large-quantity purchases and similar requests.
The following section describes the setup and support information for the authenticator.
Authenticator Setup and Support Information
Setup
To use a platform authenticator or security key as a FIDO authenticator, a PIN or biometric must be set. No PIN or fingerprint is set at the purchase stage. Please refer to the setup instructions below.
Use of platform authenticator
- Windows device
  If you use the built-in authenticator on a Windows device, you use Windows Hello. Please refer to "Learn about Windows Hello and set it up" for setup instructions.
- Mac device
  If you use the built-in authenticator on a Mac device, you use Touch ID. Please refer to "Use Touch ID on Mac" to set up Touch ID.
- Smartphone
  The PIN and biometrics are probably set during initial setup, but please refer to the manual for the model in question for detailed operations.
Use of security keys
A PC device is required to perform the initial setup of the security key. Please refer to the following for setup.
- For users of Windows devices
  FIDO2 Security Key PIN Setting / Fingerprint Setting - for Windows
- For users of Mac or Linux (GUI) devices
  FIDO2 Security Key PIN Setting / Fingerprint Setting - for macOS
Support Information
FIDO is natively supported in the following browsers and platforms (latest version recommended):
- Chrome
- Edge
- Firefox
- Safari
Currently supported features vary by browser and platform combination.
For more information, please click here.
Where is it available?
I would like to use it in a web service or application.
Any service that supports MFA (multi-factor authentication) with FIDO authenticators can be used. Please check the MFA compatibility pages of the various services to see whether the service you are currently using is compatible. You can easily find this by searching for the name of the service you are using together with "MFA" in your browser's search field.
*FIDO2 is not the only form of MFA; there is also MFA based on SMS or one-time passwords, so please confirm that the service's MFA supports "FIDO2 (WebAuthn)".