
About FIDO


"FIDO" stands for Fast IDentity Online, an authentication technology formulated and promoted by the non-profit FIDO Alliance with the aim of standardizing a new, password-independent online authentication technology. Besides the convenience of easy authentication, FIDO offers the security of strong authentication through a combination of public key cryptography and challenge response. It is also designed so that confidential information never leaves the user's side, and it combines resistance to phishing, man-in-the-middle attacks, server-side attacks, and other attacks.

[Image: FIDO Alliance Passkey logo]

As a sponsoring member of the FIDO Alliance, we are working toward a password-independent world.

The major differences between traditional password authentication and FIDO authentication are as follows:

[Figure: password authentication vs. FIDO authentication]

Password authentication

  • Confidential information must be entered. (Theft risk)

  • Passwords and other confidential information are transmitted to the server side. (Eavesdropping risk)

  • Confidential information is stored on the server side. (Leakage risk)

*There are many other risks, but I won't go into them here.

FIDO authentication

  • No confidential information is entered.

  • Confidential information is retained inside the authenticator at hand, so no confidential information leaves it.

  • No confidential information is stored on the server side.
    *The biometric information and PIN used for authentication are never sent to the server side.

How FIDO works

FIDO authenticates with a combination of public key cryptographic "signatures" and challenge response.

First, we explain the public key cryptography used in FIDO.

*There are multiple FIDO standards; this page describes FIDO2, the latest FIDO specification.

Public key cryptography used in FIDO

FIDO uses the "signature" technique of public key cryptography. The following is a brief explanation of this technology.

For signing, a pair of keys, a "signing key" and a "validation key", is created and used together. The two keys have the following roles and will not function unless both are present.

Signing key: the key used to sign (also called the private key; it must not be published)
Validation key: the key that validates a signature (also called the public key; it is safe to publish)

*It is not necessary to know how these keys are generated at this stage. It is enough to be aware that such a key pair exists.

The following diagram illustrates the "signature" function of public key cryptography.

[Figure: public key cryptography signature overview]

Alice prepares a pair consisting of a "signing key" and a "validation key". The "signing key" must be kept secret, so Alice keeps it. The "validation key" is given to Bob. Alice signs a message using her "signing key" and sends the signed message to Bob. Bob receives the signed message and verifies it using the "validation key".

If the signature is successfully verified, Bob can say the following:

  • The message has not been tampered with.
    If the message had been tampered with, validation would fail.

  • The signature was generated with the signing key that is paired with the validation key.

Bob received the "validation key" from Alice. Its counterpart, the "signing key", is a secret key that only Alice has, so Bob knows that the person who signed the message is Alice. FIDO uses this mechanism.

Overview of FIDO Authentication

Briefly, in FIDO authentication a challenge (random character string) sent from the server side at the time of a login request is signed with the signing key (private key) inside the authenticator, and the signature is validated with the "validation key (public key)" on the server side.

[Figure: FIDO authentication overview]

FIDO authentication introduces a new element, the "authenticator", which did not appear in the explanation of "Public key cryptography used in FIDO" above. There are a variety of FIDO-compliant authenticators, including PC terminals, smartphones, and security keys, all of which are designed to keep their internal confidential information from leaking out. FIDO uses this authenticator to perform authentication. (More details are explained later.)

As mentioned above, FIDO uses a combination of public key cryptographic signatures and challenge response for authentication. To validate a signature, the "validation key (public key)" must be given to the other party (the server) in advance. In other words, FIDO authentication requires two steps: "registration" and "authentication".

About FIDO registration

In order to use FIDO authentication, the "validation key (public key)" must be registered in advance. The following image illustrates the registration procedure.

[Figure: FIDO registration procedure]

The user makes a registration request to the service he/she wishes to use. The service (server) creates a "challenge (random string)" and requests that the challenge be signed and sent back. The user's authenticator (in this example, a security key) receives this request and verifies that the user is the owner of the authenticator by performing PIN or biometric authentication. Once the owner is verified, a pair consisting of a "signing key (private key)" and a "validation key (public key)" is created. The authenticator signs the challenge with the newly created "signing key" and sends the signature together with the "validation key" to the service. The service uses the received "validation key" to verify that the signature is correct. If validation succeeds, the "validation key" is registered with the service.

About FIDO authentication

Authentication with FIDO is explained using the following illustration.

[Figure: FIDO authentication procedure]

The user makes a login request to the service he/she wishes to use. The service (server) creates a "challenge (random string)" and requests that the challenge be signed and sent back. The user's authenticator (in this example, a security key) receives this request and verifies that the user is the owner of the authenticator by performing PIN or biometric authentication. Once the owner is verified, the "signing key" is used to sign the challenge, and the signature is sent to the service. The service validates the signature using the "validation key" that the user registered previously. If validation succeeds, the login is complete.

We said that FIDO provides strong authentication through public key cryptography and challenge response; it also provides strong authentication through local identity verification. The result is two-factor authentication: "possession" of an authenticator (PC terminal, smartphone, security key, etc.) combined with a PIN ("knowledge") or "biometric" authentication.

Details are explained on the "About the authenticators available for FIDO" page.


FIDO-compliant YubiOn products

Authentication Services

YubiOn FIDO2® Server

We provide FIDO2 authentication infrastructure that enables MFA with FIDO for your service. You can choose either a cloud or an on-premise type of authentication infrastructure.

Endpoint Security

YubiOn FIDO Logon

A cloud service that provides multi-factor authentication using the FIDO2 protocol for PC terminal logon, with convenient features such as integrated management via a web management console and remote control functions.
