FIDO Alliance: Difference between revisions

From Wikipedia, the free encyclopedia
Strugee (talk | contribs)
note proposed merge from FIDO2 Project
Milestones: Remove promotional material
(25 intermediate revisions by 20 users not shown)
Line 1: Line 1:
{{about|the consortium promoting authentication|the store-and-forward bulletin-board networking service|FidoNet}}
{{merge from|FIDO2 Project|discuss=Talk:FIDO2 Project#Proposed merge with FIDO Alliance|date=November 2022}}
{{short description|Industry consortium working on authentication mechanisms}}
{{short description|Industry consortium working on authentication mechanisms}}
{{Infobox company
{{Infobox company
Line 12: Line 12:
The '''FIDO''' ("Fast IDentity Online") '''Alliance''' is an open industry association launched in February 2013 whose stated mission is to develop and promote [[authentication]] standards that "help reduce the world’s over-reliance on [[password]]s".<ref>{{cite web | url=https://www.envzone.com/why-big-tech-is-striving-for-the-world-without-password/ | title=Password-The Security Issue That the Big Leaders Want to Eliminate | date=30 June 2020 }}</ref> FIDO addresses the lack of interoperability among devices that use [[strong authentication]] and reduces the problems users face creating and remembering multiple usernames and passwords.
The '''FIDO''' ("Fast IDentity Online") '''Alliance''' is an open industry association launched in February 2013 whose stated mission is to develop and promote [[authentication]] standards that "help reduce the world’s over-reliance on [[password]]s".<ref>{{cite web | url=https://www.envzone.com/why-big-tech-is-striving-for-the-world-without-password/ | title=Password-The Security Issue That the Big Leaders Want to Eliminate | date=30 June 2020 }}</ref> FIDO addresses the lack of interoperability among devices that use [[strong authentication]] and reduces the problems users face creating and remembering multiple usernames and passwords.


FIDO supports a full range of authentication technologies, including [[biometrics]] such as [[Fingerprint recognition|fingerprint]] and [[iris recognition|iris scanners]], [[speaker recognition|voice]] and [[Facial recognition system|facial recognition]], as well as existing solutions and communications standards, such as [[Trusted Platform Module]]s (TPM), USB [[security token]]s, embedded Secure Elements (eSE), [[smart card]]s, and [[near field communication]] (NFC).<ref name="FIDO spec overview">{{cite web |publisher=FIDO Alliance |title=Specifications Overview |url=https://fidoalliance.org/specifications |accessdate=31 October 2014}}</ref> The USB security token device may be used to authenticate using a simple password (e.g. four-digit [[Personal identification number|PIN]]) or by pressing a button. The specifications emphasize a device-centric model. Authentication over the wire happens using [[public-key cryptography]]. The user's device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button.
FIDO supports a full range of authentication technologies, including [[biometrics]] such as [[Fingerprint recognition|fingerprint]] and [[iris recognition|iris scanners]], [[speaker recognition|voice]] and [[Facial recognition system|facial recognition]], as well as existing solutions and communications standards, such as [[Trusted Platform Module]]s (TPM), USB [[security token]]s, embedded Secure Elements (eSE), [[smart card]]s, and [[near-field communication]] (NFC).<ref name="FIDO spec overview">{{cite web |publisher=FIDO Alliance |title=Specifications Overview |url=https://fidoalliance.org/specifications |accessdate=31 October 2014}}</ref> The USB security token device may be used to authenticate using a simple password (e.g. four-digit [[Personal identification number|PIN]]) or by pressing a button. The specifications emphasize a device-centric model. Authentication over the wire happens using [[public-key cryptography]]. The user's device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button.


FIDO provides two types of user experiences depending on which protocol is used.<ref name="FIDO spec overview" /> Both protocols define a common interface at the client for whatever local authentication method the user exercises.
FIDO provides two types of user experiences depending on which protocol is used.<ref name="FIDO spec overview" /> Both protocols define a common interface at the client for whatever local authentication method the user exercises.
Line 29: Line 29:
** U2F&nbsp;1.2 Proposed Standard (July&nbsp;11, 2017)
** U2F&nbsp;1.2 Proposed Standard (July&nbsp;11, 2017)


* [[FIDO2 Project|FIDO&nbsp;2.0]] (FIDO2, contributed to the W3C on November&nbsp;12, 2015)<ref>{{Cite web|title=FIDO 2.0: Overview|url=https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-overview-v2.0-rd-20170927.html|access-date=2021-01-21|website=fidoalliance.org}}</ref>
* FIDO&nbsp;2.0 (FIDO2, contributed to the W3C on November&nbsp;12, 2015)<ref>{{Cite web|title=FIDO 2.0: Overview|url=https://fidoalliance.org/specs/fido-v2.0-rd-20170927/fido-overview-v2.0-rd-20170927.html|access-date=2021-01-21|website=fidoalliance.org}}</ref>
** FIDO&nbsp;2.0 Proposed Standard (September&nbsp;4, 2015)
** FIDO&nbsp;2.0 Proposed Standard (September&nbsp;4, 2015)


Line 40: Line 40:
The U2F&nbsp;1.0 Proposed Standard (October&nbsp;9, 2014) was the starting point for the specification known as FIDO&nbsp;2.0 Proposed Standard (September&nbsp;4, 2015). The latter was formally submitted to the [[World Wide Web Consortium]] (W3C) on November&nbsp;12, 2015.<ref name="FIDO submission to W3C">{{cite web |title=Submission Request to W3C: FIDO 2.0 Platform Specifications 1.0 |url=https://www.w3.org/Submission/2015/02/ |publisher=[[World Wide Web Consortium]] (W3C) |accessdate=12 February 2019}}</ref> Subsequently, the first Working Draft of the W3C Web Authentication ([[WebAuthn]]) standard was published on May&nbsp;31, 2016. The WebAuthn standard has been revised numerous times since then, becoming a W3C Recommendation on March&nbsp;4, 2019.
The U2F&nbsp;1.0 Proposed Standard (October&nbsp;9, 2014) was the starting point for the specification known as FIDO&nbsp;2.0 Proposed Standard (September&nbsp;4, 2015). The latter was formally submitted to the [[World Wide Web Consortium]] (W3C) on November&nbsp;12, 2015.<ref name="FIDO submission to W3C">{{cite web |title=Submission Request to W3C: FIDO 2.0 Platform Specifications 1.0 |url=https://www.w3.org/Submission/2015/02/ |publisher=[[World Wide Web Consortium]] (W3C) |accessdate=12 February 2019}}</ref> Subsequently, the first Working Draft of the W3C Web Authentication ([[WebAuthn]]) standard was published on May&nbsp;31, 2016. The WebAuthn standard has been revised numerous times since then, becoming a W3C Recommendation on March&nbsp;4, 2019.


Meanwhile the U2F&nbsp;1.2 Proposed Standard (July&nbsp;11, 2017) became the starting point for the Client to Authenticator Protocol&nbsp;2.0 Proposed Standard, which was published on September&nbsp;27, 2017. FIDO CTAP&nbsp;2.0 complements W3C WebAuthn, both of which are in scope for the [[FIDO2 Project]].
Meanwhile the U2F&nbsp;1.2 Proposed Standard (July&nbsp;11, 2017) became the starting point for the Client to Authenticator Protocol&nbsp;2.0 Proposed Standard, which was published on September&nbsp;27, 2017. FIDO CTAP&nbsp;2.0 complements W3C WebAuthn, both of which are in scope for the ''FIDO2 Project''.

===FIDO2===
The FIDO2 Project is a joint effort between the FIDO Alliance and the [[World Wide Web Consortium]] (W3C) whose goal is to create [[strong authentication]] for the web. At its core, FIDO2 consists of the W3C Web Authentication ([[WebAuthn]]) standard and the FIDO [[Client to Authenticator Protocol]] 2 (CTAP2).<ref name="FIDO-FIDO2">{{cite web |title=FIDO2: Moving the World Beyond Passwords |url=https://fidoalliance.org/fido2/ |publisher=FIDO Alliance |accessdate=30 January 2019}}</ref> FIDO2 is based upon previous work done by the FIDO Alliance, in particular the [[Universal 2nd Factor]] (U2F) authentication standard.

Taken together, WebAuthn and CTAP specify a standard [[authentication protocol]]<ref name="W3C-WebAuthn">{{cite web |editor1-last=Balfanz |editor1-first=Dirk |editor2-last=Czeskis |editor2-first=Alexei |editor3-last=Hodges |editor3-first=Jeff |editor4-last=Jones |editor4-first=J.C. |editor5-last=Jones |editor5-first=Michael B. |editor6-last=Kumar |editor6-first=Akshay |editor7-last=Liao |editor7-first=Angelo |editor8-last=Lindemann |editor8-first=Rolf |editor9-last=Lundberg |editor9-first=Emil |title=Web Authentication: An API for accessing Public Key Credentials Level&nbsp;1 |url=https://www.w3.org/TR/webauthn/ |publisher=World Wide Web Consortium (W3C) |accessdate=30 January 2019}}</ref> where the protocol endpoints consist of a user-controlled [[Cryptography|cryptographic]] [[authenticator]] (such as a smartphone or a hardware [[Security token|security key]]) and a WebAuthn Relying Party (also called a FIDO2 server). A web [[user agent]] (i.e., a web browser) together with a WebAuthn client form an intermediary between the authenticator and the relying party. A single WebAuthn client Device may support multiple WebAuthn clients. For example, a laptop may support multiple clients, one for each conforming user agent running on the laptop. A conforming user agent implements the WebAuthn JavaScript API.

As its name implies, the [[Client to Authenticator Protocol]] (CTAP) enables a conforming cryptographic authenticator to interoperate with a WebAuthn client. The CTAP specification refers to two protocol versions called CTAP1/U2F and CTAP2.<ref name="FIDO-CTAP">{{cite web |editor1-last=Brand |editor1-first=Christiaan |editor2-last=Czeskis |editor2-first=Alexei |editor3-last=Ehrensvärd |editor3-first=Jakob |editor4-last=Jones |editor4-first=Michael B. |editor5-last=Kumar |editor5-first=Akshay |editor6-last=Lindemann |editor6-first=Rolf |editor7-last=Powers |editor7-first=Adam |editor8-last=Verrept |editor8-first=Johan |title=Client to Authenticator Protocol (CTAP) |url=https://fidoalliance.org/specs/fido-v2.0-id-20180227/fido-client-to-authenticator-protocol-v2.0-id-20180227.html |publisher=FIDO Alliance |accessdate=30 January 2019 |date=February 27, 2018}}</ref> An authenticator that implements one of these protocols is typically referred to as a U2F authenticator or a FIDO2 authenticator, respectively. A FIDO2 authenticator that also implements the CTAP1/U2F protocol is backward compatible with U2F.

The invention of using a smartphone as a cryptographic authenticator on a computer network is claimed in US Patent 7,366,913 filed in 2002.


== Milestones ==
== Milestones ==
Line 58: Line 67:
* (2017-11-28) The UAF&nbsp;1.2 Review Draft was released
* (2017-11-28) The UAF&nbsp;1.2 Review Draft was released
* (2018-02-27) The Client To Authenticator Protocol&nbsp;2.0 Implementation Draft was released
* (2018-02-27) The Client To Authenticator Protocol&nbsp;2.0 Implementation Draft was released
* (2019–03) W3C’s Web Authentication (WebAuthn) recommendation – a core component of the FIDO Alliance’s FIDO2 set of specifications – became an official web standard, signaling a major step forward in making the web more secure and usable for users around the world. <ref>{{cite web | url=https://fidoalliance.org/overview/history/ | title=History of FIDO Alliance }}</ref>
* (2019–03) W3C’s Web Authentication (WebAuthn) recommendation – a core component of the FIDO Alliance’s FIDO2 set of specifications – became an official web standard. <ref>{{cite web | url=https://fidoalliance.org/overview/history/ | title=History of FIDO Alliance }}</ref>

== FIDO Members ==

=== Board level members ===
{{#invoke:Compact list
|main
|ook
|ook1=[[1Password]]
|ook2=[[Amazon (company)|Amazon]]
|ook3=[[American Express]]
|ook4=[[Apple Inc.]]
|ook5=Axiad
|ook6=[[Bank of America]]
|ook7=Beyond Identity
|ook8=[[CISCO]]
|ook9=[[CVS Health]]
|ook10=[[Daon, Inc.]]
|ook11=[[Dashlane]]
|ook12=[[DELL]]
|ook13=Egis
|ook14=Feitian
|ook15=[[Google]]
|ook16=HYPR
|ook17=[[IDEMIA]]
|ook18=[[infineon]]
|ook19=[[intel]]
|ook20=[[Intuit]]
|ook21=[[Jumio]]
|ook22=[[LastPass]]
|ook23=[[Lenovo]]
|ook24=[[LY Corporation]]
|ook25=[[Mastercard]]
|ook26=[[Mercari]]
|ook27=[[Meta Platforms]]
|ook28=[[Microsoft]]
|ook29=Nok Nok
|ook30=[[NTT DOCOMO]]
|ook31=[[OneSpan]]
|ook32=[[PayPal]]
|ook33=[[PNC Bank]]
|ook34= Prove Identity Inc.
|ook35=[[Qualcomm]]
|ook36=Raon
|ook37=[[RSA Security]]
|ook38=[[Samsung]]
|ook39=[[Thales Group]]
|ook40=[[TikTok]]
|ook41=[[Trusona]]
|ook42=[[US Bank]]
|ook43=[[VISA]]
|ook44=[[Wells Fargo]]
|ook45=[[Yubico]]
|_limit=45
}}

=== Sponsor level members ===
{{#invoke:Compact list
|main
|ook
|ook1=1Kosmos
|ook2=AIRCUVE
|ook3=[[Akamai Technologies]]
|ook4=[[AU10TIX]]
|ook5=[[Avast]]
|ook6=[[BankAxept]]
|ook7=[[Bitwarden]]
|ook8=[[Binance]]
|ook9=[[Groupement des Cartes Bancaires CB]]
|ook10=[[JPMorgan Chase]]
|ook11=[[Coinbase]]
|ook12=CompoSecure
|ook13=[[CyberArk]]
|ook14=[[DocuSign]]
|ook15=[[eBay]]
|ook16=[[Entersekt]]
|ook17=EXCELSECU
|ook18=Fime
|ook19=[[Fujitsu]]
|ook20=Futurae Technologies
|ook21=[[Giesecke+Devrient]]
|ook22=[[Oppo]]
|ook23=[[Hedera Hashgraph]]
|ook24=[[HID Global Corporation]]
|ook25=[[Hitachi]]
|ook26=[[HSBC]]
|ook27=[[Huawei Technologies]]
|ook28=[[IBM]]
|ook29=IDnow
|ook30=[[Industrial Technology Research Institute]]
|ook31=International Systems Research
|ook32=iProov
|ook33=[[JCB (credit card company)|JCB Co.]]
|ook34=[[KDDI]]
|ook35=[[Keeper (password manager)]]
|ook36=[[M&T Bank]]
|ook37=[[Mozilla]]
|ook38=[[NEC Corporation]]
|ook39=[[Nomura Research Institute]]
|ook40=[[Okta, Inc.]]
|ook41=[[Onfido]]
|ook42=[[Ping Identity]]
|ook43=[[Rakuten]]
|ook44=[[Red Hat]]
|ook45=[[Academia Sinica]]
|ook46=[[RoboForm]]
|ook47=[[Salesforce]]
|ook48=[[SBI Group]]
|ook49=Sentry Enterprises
|ook50=[[SK Telecom]]
|ook51=Socure
|ook52=[[SoftBank]]
|ook53=SOFTGIKEN
|ook54=[[Sony Corporation]]
|ook55=SSenStone
|ook56=Swiss Marketplace Group
|ook57=Swissbit
|ook58=[[Target Brands, Inc.]]
|ook59=[[MITRE Corporation]]
|ook60=[[Twilio]]
|ook61=[[The Vanguard Group]]
|ook62=Veridium
|ook63=[[Vingroup]]
|ook64=WiSECURE
|ook65=[[Worldline SA]]
|ook66=[[Yahoo]]
|_limit=66
}}

=== Government level members ===
{{#invoke:Compact list
|main
|ook
|ook1=[[Australian Government]]
|ook2=[[Ministry of Information and Communications (Vietnam)]]
|ook3=[[UK Cabinet Office]]
|ook4=Electronic Transactions Development Agency (Thailand)
|ook5=[[Federal Office for Information Security]]
|ook6=[[Ministry of Digital Affairs (Taiwan)]]
|ook7=[[Ministry of the Interior (Taiwan)]]
|ook8=[[National Institute of Standards and Technology]]
|ook9=TELECOM TECHNOLOGY CENTER (Taiwan)
|ook10=Telecommunication Technology Association (South Korea)
|_limit=10
}}

=== Associate Level Members ===
{{#invoke:Compact list
|main
|ook
|ook1=4Auth Limited (trading as tru.ID)
|ook2=Accura Scan
|ook3=Advanced Card Systems Ltd.
|ook4=AirID GmbH
|ook5=AItrust Inc.
|ook6=Allthenticate
|ook7=Amwal Tech
|ook8=Anonybit
|ook9=Asignio, Inc.
|ook10=[[ASRock]] Industrial Computer Corp.
|ook11=atsec (Beijing) Information Technology Co., Ltd.
|ook12=AuthenticID
|ook13=AuthentOn
|ook14=AuthenTrend
|ook15=authID.ai
|ook16=Authme Co., Ltd.
|ook17=Authsignal Limited
|ook18=AuthX Security LLC
|ook19=Aware, Inc.
|ook20=AXELL CORPORATION
|ook21=Azimuth Labs Pte Ltd.
|ook22=BIO–key
|ook23=Biometric Associates, LP
|ook24=BIT4ID S.R.L.
|ook25=BixeLab Pty Ltd.
|ook26=Buypass AS
|ook27=Capy Inc.
|ook28=CardLab Innovation ApS
|ook29=[[Cathay Financial Holdings]]
|ook30=Changing Information Technology Inc.
|ook31=Chelpis Quantum Tech Co., LTD.
|ook32=[[China Financial Certification Authority]]
|ook33=ChipWon Technology
|ook34=Comsign Ltd.
|ook35=Coretech Knowledge Inc.
|ook36=Crosscert
|ook37=Cryptnox SA
|ook38=Cyber Street Solutions Corp.
|ook39=D–TRUST
|ook40=[[Dai Nippon Printing]] Co., Ltd
|ook41=Dapple Security
|ook42=Data Zoo
|ook43=Datasec Solutions Pty Ltd
|ook44=DDS, Inc.
|ook45=DeCloak Intelligences Co.
|ook46=Deepnet Security
|ook47=Descope Inc.
|ook48=e-Smart Systems Limited
|ook49=Easy Dynamics
|ook50=eDoktor Co, Ltd.
|ook51=ELAN Microelectronics Corporation
|ook52=emdha TSP
|ook53=eMudhra Technologies Limited
|ook54=Enpass Technologies Inc.
|ook55=Ensurity Technologies
|ook56=Entrust Datacard Corporation
|ook57=eTunnel Inc.
|ook58=EXGEN NETWORKS Co., Ltd.
|ook59=Fazpass
|ook60=Fingerprint Cards
|ook61=Foongtone Technology Co., Ltd.
|ook62=Frontegg
|ook63=Gallagher North America Inc.
|ook64=Gentex Corporation
|ook65=GoTrustID Inc.
|ook66=HANKO
|ook67=HAVENTEC GROUP SERVICES PTY LTD
|ook68=Hideez Poland Sp. z.o.o.
|ook69=Hypersecu Information Systems, Inc.
|ook70=Hyweb Global Technology Co. Ltd
|ook71=i-Sprint Innovations Pte Ltd
|ook72=ID R&D
|ook73=[[ID.me]]
|ook74=IDEATEC
|ook75=Identiv, Inc.
|ook76=Identy, Inc.
|ook77=[[IDEX Biometrics]]
|ook78=IDmelon Technologies Inc.
|ook79=ImprovelD
|ook80=Ingenium Biometrics Ltd
|ook81=Intelligent Information Security Technology Inc.
|ook82=Intercede
|ook83=IP Cube Co., Ltd.
|ook84=Kaizen Secure Voiz
|ook85=Kelvin Zero Inc.
|ook86=Keyless Technologies Ltd.
|ook87=Keytos
|ook88=KeyXentic
|ook89=KICA
|ook90=KONA I CO., LTD
|ook91=Kridentia Technology Sdn Bhd
|ook92=KSIGN
|ook93=LC&J Security Solutions
|ook94=Ledger
|ook95=LIQUID, Inc.
|ook96=Locii Innovation Pty Ltd trading as truth
|ook97=LoginID
|ook98=Loginradius
|ook99=[[LOGITECH]] EUROPE S.A.
|ook100=LuxTrust SA
|ook101=Lydsec Digital Technology Co., Ltd.
|ook102=Metalenz
|ook103=MK Group Joint Stock Company
|ook104=Mobile Technologies Limited
|ook105=MTRIX GmbH
|ook106=National Credit Card Center of ROC
|ook107=NEOWAVE
|ook108=NEVIS Security AG
|ook109=Nihon Jyoho System Co., LTD
|ook110=NOX Co., Ltd.
|ook111=Nulab Inc.
|ook112=Nymi Inc.
|ook113=OCR Labs Global
|ook114=Octacto Co., Ltd.
|ook115=OneLog AG
|ook116=Open Source Solution Technology Corporation
|ook117=[[Panasonic]] Holdings Corporation
|ook118=Passbolt
|ook119=Penril Datability
|ook120=PONE Biometrics
|ook121=Precision Biometric India Pvt. Ltd.
|ook122=PT Privy Identitas Digital
|ook123=QaiWare
|ook124=Quado, Inc.
|ook125=Quantum Networks
|ook126=RF Ideas Inc.
|ook127=Rock Solid Knowledge Ltd.
|ook128=Scramble ID, Inc.
|ook129=Secfense Inc.
|ook130=SECIOSS, Inc
|ook131=Secret Double Octopus
|ook132=SecuGen Corporation
|ook133=SecureAuth
|ook134=SecureKi
|ook135=Securemetric Technology Sdn Bhd
|ook136=Secuve Co., Ltd.
|ook137=Shenzhen National Engineering Laboratory (aka NELD TV)
|ook138=SmartDisplayer Technology
|ook139=SoloKeys
|ook140=Starfish GmbH & Co. KG
|ook141=Stellar Craft, Inc.
|ook142=Strivacity
|ook143=StrongKey
|ook144=Stytch, Inc.
|ook145=SurePassID
|ook146=SWEMPIRE Co., Ltd.
|ook147=[[Synaptics]]
|ook148=TEMET AG
|ook149=TendyRON
|ook150=TOKEN2
|ook151=Tokenize Inc.
|ook152=TOPPAN IDGATE
|ook153=Torus Labs Private Limited
|ook154=Tradelink Electronic Commerce Limited
|ook155=TraitWare Inc.
|ook156=Transmit Security
|ook157=Trillbit Inc.
|ook158=Trinamix GmbH
|ook159=Trust Stamp
|ook160=TrustAsia Technologies, Inc.
|ook161=TRUSTDOCK Inc.
|ook162=TruU, Inc.
|ook163=TWCA
|ook164=UAB 360 IT (NordPass)
|ook165=UberEther, Inc.
|ook166=Uniken Inc.
|ook167=UNIONCOMMUNITY Co., Ltd.
|ook168=VALMIDO
|ook169=VEAS JSC
|ook170=VeroGuard Systems Pty Ltd
|ook171=Versasec AB
|ook172=VisionLabs B.V.
|ook173=VP, Inc.
|ook174=VU LLC
|ook175=WebComm Technology Co., Ltd.
|ook176=WinMagic Corp.
|ook177=Wuhan Tianyu Information Industry Co. Ltd.
}}
<ref>{{Cite web |title=FIDO Alliance Member Companies & Organizations |url=https://fidoalliance.org/members/ |access-date=2024-03-22 |website=FIDO Alliance |language=en-US}}</ref>


== See also ==
== See also ==
Line 64: Line 401:
* [[Initiative for Open Authentication]] (OATH)
* [[Initiative for Open Authentication]] (OATH)
* [[WebAuthn]] web authentication
* [[WebAuthn]] web authentication
* [[YubiKey]]


== References ==
== References ==
Line 71: Line 409:


[[Category:Biometrics]]
[[Category:Biometrics]]
[[Category:Authentication methods]]
[[Category:Identification]]
[[Category:Identification]]
[[Category:Consortia in the United States]]
[[Category:Consortia in the United States]]

Revision as of 15:19, 11 September 2024

FIDO Alliance
Founded: February 2013; 11 years ago (2013-02)
Headquarters,
Website: fidoalliance.org

The FIDO ("Fast IDentity Online") Alliance is an open industry association launched in February 2013 whose stated mission is to develop and promote authentication standards that "help reduce the world’s over-reliance on passwords".[1] FIDO addresses the lack of interoperability among devices that use strong authentication and reduces the problems users face creating and remembering multiple usernames and passwords.

FIDO supports a full range of authentication technologies, including biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as existing solutions and communications standards, such as Trusted Platform Modules (TPM), USB security tokens, embedded Secure Elements (eSE), smart cards, and near-field communication (NFC).[2] The USB security token device may be used to authenticate using a simple password (e.g. four-digit PIN) or by pressing a button. The specifications emphasize a device-centric model. Authentication over the wire happens using public-key cryptography. The user's device registers the user to a server by registering a public key. To authenticate the user, the device signs a challenge from the server using the private key that it holds. The keys on the device are unlocked by a local user gesture such as a biometric or pressing a button.

FIDO provides two types of user experiences depending on which protocol is used.[2] Both protocols define a common interface at the client for whatever local authentication method the user exercises.

Specifications

The following open specifications may be obtained from the FIDO web site.[3]

  • Universal Authentication Framework (UAF)
    • UAF 1.0 Proposed Standard (December 8, 2014)
    • UAF 1.1 Proposed Standard (February 2, 2017)
    • UAF 1.2 Review Draft (November 28, 2017)
  • Universal 2nd Factor (U2F)
    • U2F 1.0 Proposed Standard (October 9, 2014)
    • U2F 1.2 Proposed Standard (July 11, 2017)
  • FIDO 2.0 (FIDO2, contributed to the W3C on November 12, 2015)[4]
    • FIDO 2.0 Proposed Standard (September 4, 2015)

Figure: The evolution of the FIDO2-WebAuthn family of protocol standards

The U2F 1.0 Proposed Standard (October 9, 2014) was the starting point for the specification known as FIDO 2.0 Proposed Standard (September 4, 2015). The latter was formally submitted to the World Wide Web Consortium (W3C) on November 12, 2015.[5] Subsequently, the first Working Draft of the W3C Web Authentication (WebAuthn) standard was published on May 31, 2016. The WebAuthn standard has been revised numerous times since then, becoming a W3C Recommendation on March 4, 2019.

Meanwhile, the U2F 1.2 Proposed Standard (July 11, 2017) became the starting point for the Client to Authenticator Protocol 2.0 Proposed Standard, which was published on September 27, 2017. FIDO CTAP 2.0 complements W3C WebAuthn, both of which are in scope for the FIDO2 Project.

FIDO2

The FIDO2 Project is a joint effort between the FIDO Alliance and the World Wide Web Consortium (W3C) whose goal is to create strong authentication for the web. At its core, FIDO2 consists of the W3C Web Authentication (WebAuthn) standard and the FIDO Client to Authenticator Protocol 2 (CTAP2).[6] FIDO2 is based upon previous work done by the FIDO Alliance, in particular the Universal 2nd Factor (U2F) authentication standard.

Taken together, WebAuthn and CTAP specify a standard authentication protocol[7] where the protocol endpoints consist of a user-controlled cryptographic authenticator (such as a smartphone or a hardware security key) and a WebAuthn Relying Party (also called a FIDO2 server). A web user agent (i.e., a web browser) together with a WebAuthn client form an intermediary between the authenticator and the relying party. A single WebAuthn client Device may support multiple WebAuthn clients. For example, a laptop may support multiple clients, one for each conforming user agent running on the laptop. A conforming user agent implements the WebAuthn JavaScript API.
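
Added example (not part of the article or of any FIDO specification text): a Node.js simulation of the public-key registration and challenge-signing flow described above, with the authenticator, the WebAuthn client and the relying party as separate roles. It goes beyond the article in following WebAuthn's signed-data layout (authenticator data followed by the SHA-256 hash of the client data); the class and function names, `example.com` and the `.test` origins are constructed for illustration, and the client's relying-party-ID rule is simplified to hostname equality.

```javascript
// Added illustration; class names, example.com and the .test origins are constructed.
const { generateKeyPairSync, createHash, randomBytes, sign, verify } = require('node:crypto');

const sha256 = (data) => createHash('sha256').update(data).digest();

// Authenticator role: creates key pairs and keeps every private key to itself.
class Authenticator {
  constructor() {
    this.credentials = new Map(); // rpId -> { credentialId, privateKey, signCount }
  }
  // Registration: one key pair per relying party; only the public key is returned.
  makeCredential(rpId) {
    const { publicKey, privateKey } = generateKeyPairSync('ec', { namedCurve: 'prime256v1' });
    const credentialId = randomBytes(16).toString('base64url');
    this.credentials.set(rpId, { credentialId, privateKey, signCount: 0 });
    return { credentialId, publicKey };
  }
  // Authentication: sign authenticatorData || SHA-256(clientDataJSON).
  getAssertion(rpId, clientDataJSON, userGesture = true) {
    const cred = this.credentials.get(rpId);
    if (!cred) throw new Error('no credential for this relying party');
    if (!userGesture) throw new Error('key stays locked without a user gesture');
    cred.signCount += 1;
    const authData = Buffer.alloc(37);
    sha256(rpId).copy(authData, 0);             // bytes 0-31: hash of the rpId
    authData.writeUInt8(0x01, 32);              // byte 32: flags, bit 0 = user present
    authData.writeUInt32BE(cred.signCount, 33); // bytes 33-36: signature counter
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    const signature = sign('sha256', signed, cred.privateKey);
    return { credentialId: cred.credentialId, authData, clientDataJSON, signature };
  }
}

// WebAuthn client (browser) role: binds the challenge to the origin it is really on.
function clientGetAssertion(authenticator, origin, challenge) {
  const rpId = new URL(origin).hostname; // simplification: rpId equals the hostname
  const clientDataJSON = Buffer.from(JSON.stringify({ type: 'webauthn.get', challenge, origin }));
  return authenticator.getAssertion(rpId, clientDataJSON);
}

// Relying party (FIDO2 server) role: stores public keys, issues single-use challenges.
class RelyingParty {
  constructor(rpId, origin) {
    this.rpId = rpId;
    this.origin = origin;
    this.credentials = new Map(); // credentialId -> { publicKey, signCount }
    this.pending = new Set();     // challenges issued and not yet consumed
  }
  register({ credentialId, publicKey }) {
    this.credentials.set(credentialId, { publicKey, signCount: 0 });
  }
  newChallenge() {
    const challenge = randomBytes(32).toString('base64url');
    this.pending.add(challenge);
    return challenge;
  }
  // Returns 'ok' or the reason the assertion was rejected.
  verifyAssertion({ credentialId, authData, clientDataJSON, signature }) {
    const record = this.credentials.get(credentialId);
    if (!record) return 'unknown credential';
    const clientData = JSON.parse(clientDataJSON.toString());
    if (clientData.type !== 'webauthn.get') return 'wrong type';
    if (!this.pending.delete(clientData.challenge)) return 'unknown or reused challenge';
    if (clientData.origin !== this.origin) return 'origin mismatch';
    if (!authData.subarray(0, 32).equals(sha256(this.rpId))) return 'rpIdHash mismatch';
    if ((authData[32] & 0x01) === 0) return 'user not present';
    const signed = Buffer.concat([authData, sha256(clientDataJSON)]);
    if (!verify('sha256', signed, record.publicKey, signature)) return 'bad signature';
    const count = authData.readUInt32BE(33);
    if (count <= record.signCount) return 'signature counter did not increase';
    record.signCount = count;
    return 'ok';
  }
}

// Constructed run: one valid login, then four cases the checks must reject.
function demo() {
  const rp = new RelyingParty('example.com', 'https://example.com');
  const key = new Authenticator();
  rp.register(key.makeCredential('example.com'));
  const good = clientGetAssertion(key, 'https://example.com', rp.newChallenge());
  const first = rp.verifyAssertion(good);
  const replay = rp.verifyAssertion(good); // same challenge presented twice
  const altered = clientGetAssertion(key, 'https://example.com', rp.newChallenge());
  altered.signature[altered.signature.length - 1] ^= 0xff; // corrupt the signature
  const tampered = rp.verifyAssertion(altered);
  // Client data naming another origin: the signature is valid, the origin check fails.
  const otherOrigin = Buffer.from(JSON.stringify(
    { type: 'webauthn.get', challenge: rp.newChallenge(), origin: 'https://other.test' }));
  const wrongOrigin = rp.verifyAssertion(key.getAssertion('example.com', otherOrigin));
  // Look-alike host: the authenticator has no key scoped to it, so nothing is signed.
  let lookalike = 'signed';
  try { clientGetAssertion(key, 'https://example.com.login.test', rp.newChallenge()); }
  catch (e) { lookalike = e.message; }
  return { first, replay, tampered, wrongOrigin, lookalike };
}

console.log(demo());
```
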

As its name implies, the Client to Authenticator Protocol (CTAP) enables a conforming cryptographic authenticator to interoperate with a WebAuthn client. The CTAP specification refers to two protocol versions called CTAP1/U2F and CTAP2.[8] An authenticator that implements one of these protocols is typically referred to as a U2F authenticator or a FIDO2 authenticator, respectively. A FIDO2 authenticator that also implements the CTAP1/U2F protocol is backward compatible with U2F.

The invention of using a smartphone as a cryptographic authenticator on a computer network is claimed in US Patent 7,366,913 filed in 2002.

Milestones

  • (2014-10-09) The U2F 1.0 Proposed Standard was released
  • (2014-12-08) The UAF 1.0 Proposed Standard was released[9][10]
  • (2015-06-30) The FIDO Alliance released two new protocols that support Bluetooth technology and near field communication (NFC) as transport protocols for U2F[11]
  • (2015-09-04) The FIDO 2.0 Proposed Standard was released
    • FIDO 2.0 Key Attestation Format
    • FIDO 2.0 Signature Format
    • FIDO 2.0 Web API for Accessing FIDO 2.0 Credentials
  • (2015-11-12) The FIDO Alliance submitted the FIDO 2.0 Proposed Standard to the World Wide Web Consortium (W3C)[5][12]
  • (2016-02-17) The W3C created the Web Authentication Working Group
  • (2017-02-02) The UAF 1.1 Proposed Standard was released
  • (2017-07-11) The U2F 1.2 Proposed Standard was released
  • (2017-09-27) The Client To Authenticator Protocol 2.0 Proposed Standard was released
  • (2017-11-28) The UAF 1.2 Review Draft was released
  • (2018-02-27) The Client To Authenticator Protocol 2.0 Implementation Draft was released
  • (2019–03) W3C’s Web Authentication (WebAuthn) recommendation – a core component of the FIDO Alliance’s FIDO2 set of specifications – became an official web standard.[13]

FIDO Members

Board level members

Government level members

Associate Level Members

  • 4Auth Limited (trading as tru.ID)
  • Accura Scan
  • Advanced Card Systems Ltd.
  • AirID GmbH
  • AItrust Inc.
  • Allthenticate
  • Amwal Tech
  • Anonybit
  • Asignio, Inc.
  • ASRock Industrial Computer Corp.
  • atsec (Beijing) Information Technology Co., Ltd.
  • AuthenticID
  • AuthentOn
  • AuthenTrend
  • authID.ai
  • Authme Co., Ltd.
  • Authsignal Limited
  • AuthX Security LLC
  • Aware, Inc.
  • AXELL CORPORATION
  • Azimuth Labs Pte Ltd.
  • BIO–key
  • Biometric Associates, LP
  • BIT4ID S.R.L.
  • BixeLab Pty Ltd.
  • Buypass AS
  • Capy Inc.
  • CardLab Innovation ApS
  • Cathay Financial Holdings
  • Changing Information Technology Inc.
  • Chelpis Quantum Tech Co., LTD.
  • China Financial Certification Authority
  • ChipWon Technology
  • Comsign Ltd.
  • Coretech Knowledge Inc.
  • Crosscert
  • Cryptnox SA
  • Cyber Street Solutions Corp.
  • D–TRUST
  • Dai Nippon Printing Co., Ltd
  • Dapple Security
  • Data Zoo
  • Datasec Solutions Pty Ltd
  • DDS, Inc.
  • DeCloak Intelligences Co.
  • Deepnet Security
  • Descope Inc.
  • e-Smart Systems Limited
  • Easy Dynamics
  • eDoktor Co, Ltd.
  • ELAN Microelectronics Corporation
  • emdha TSP
  • eMudhra Technologies Limited
  • Enpass Technologies Inc.
  • Ensurity Technologies
  • Entrust Datacard Corporation
  • eTunnel Inc.
  • EXGEN NETWORKS Co., Ltd.
  • Fazpass
  • Fingerprint Cards
  • Foongtone Technology Co., Ltd.
  • Frontegg
  • Gallagher North America Inc.
  • Gentex Corporation
  • GoTrustID Inc.
  • HANKO
  • HAVENTEC GROUP SERVICES PTY LTD
  • Hideez Poland Sp. z.o.o.
  • Hypersecu Information Systems, Inc.
  • Hyweb Global Technology Co. Ltd
  • i-Sprint Innovations Pte Ltd
  • ID R&D
  • ID.me
  • IDEATEC
  • Identiv, Inc.
  • Identy, Inc.
  • IDEX Biometrics
  • IDmelon Technologies Inc.
  • ImprovelD
  • Ingenium Biometrics Ltd
  • Intelligent Information Security Technology Inc.
  • Intercede
  • IP Cube Co., Ltd.
  • Kaizen Secure Voiz
  • Kelvin Zero Inc.
  • Keyless Technologies Ltd.
  • Keytos
  • KeyXentic
  • KICA
  • KONA I CO., LTD
  • Kridentia Technology Sdn Bhd
  • KSIGN
  • LC&J Security Solutions
  • Ledger
  • LIQUID, Inc.
  • Locii Innovation Pty Ltd trading as truth
  • LoginID
  • Loginradius
  • LOGITECH EUROPE S.A.
  • LuxTrust SA
  • Lydsec Digital Technology Co., Ltd.
  • Metalenz
  • MK Group Joint Stock Company
  • Mobile Technologies Limited
  • MTRIX GmbH
  • National Credit Card Center of ROC
  • NEOWAVE
  • NEVIS Security AG
  • Nihon Jyoho System Co., LTD
  • NOX Co., Ltd.
  • Nulab Inc.
  • Nymi Inc.
  • OCR Labs Global
  • Octacto Co., Ltd.
  • OneLog AG
  • Open Source Solution Technology Corporation
  • Panasonic Holdings Corporation
  • Passbolt
  • Penril Datability
  • PONE Biometrics
  • Precision Biometric India Pvt. Ltd.
  • PT Privy Identitas Digital
  • QaiWare
  • Quado, Inc.
  • Quantum Networks
  • RF Ideas Inc.
  • Rock Solid Knowledge Ltd.
  • Scramble ID, Inc.
  • Secfense Inc.
  • SECIOSS, Inc
  • Secret Double Octopus
  • SecuGen Corporation
  • SecureAuth
  • SecureKi
  • Securemetric Technology Sdn Bhd
  • Secuve Co., Ltd.
  • Shenzhen National Engineering Laboratory (aka NELD TV)
  • SmartDisplayer Technology
  • SoloKeys
  • Starfish GmbH & Co. KG
  • Stellar Craft, Inc.
  • Strivacity
  • StrongKey
  • Stytch, Inc.
  • SurePassID
  • SWEMPIRE Co., Ltd.
  • Synaptics
  • TEMET AG
  • TendyRON
  • TOKEN2
  • Tokenize Inc.
  • TOPPAN IDGATE
  • Torus Labs Private Limited
  • Tradelink Electronic Commerce Limited
  • TraitWare Inc.
  • Transmit Security
  • Trillbit Inc.
  • Trinamix GmbH
  • Trust Stamp
  • TrustAsia Technologies, Inc.
  • TRUSTDOCK Inc.
  • TruU, Inc.
  • TWCA
  • UAB 360 IT (NordPass)
  • UberEther, Inc.
  • Uniken Inc.
  • UNIONCOMMUNITY Co., Ltd.
  • VALMIDO
  • VEAS JSC
  • VeroGuard Systems Pty Ltd
  • Versasec AB
  • VisionLabs B.V.
  • VP, Inc.
  • VU LLC
  • WebComm Technology Co., Ltd.
  • WinMagic Corp.
  • Wuhan Tianyu Information Industry Co. Ltd.

[14]

See also

References

  1. "Password-The Security Issue That the Big Leaders Want to Eliminate". 30 June 2020.
  2. "Specifications Overview". FIDO Alliance. Retrieved 31 October 2014.
  3. "Download Specifications". FIDO Alliance. Retrieved 13 February 2019.
  4. "FIDO 2.0: Overview". fidoalliance.org. Retrieved 2021-01-21.
  5. "Submission Request to W3C: FIDO 2.0 Platform Specifications 1.0". World Wide Web Consortium (W3C). Retrieved 12 February 2019.
  6. "FIDO2: Moving the World Beyond Passwords". FIDO Alliance. Retrieved 30 January 2019.
  7. Balfanz, Dirk; Czeskis, Alexei; Hodges, Jeff; Jones, J.C.; Jones, Michael B.; Kumar, Akshay; Liao, Angelo; Lindemann, Rolf; Lundberg, Emil (eds.). "Web Authentication: An API for accessing Public Key Credentials Level 1". World Wide Web Consortium (W3C). Retrieved 30 January 2019.
  8. Brand, Christiaan; Czeskis, Alexei; Ehrensvärd, Jakob; Jones, Michael B.; Kumar, Akshay; Lindemann, Rolf; Powers, Adam; Verrept, Johan, eds. (February 27, 2018). "Client to Authenticator Protocol (CTAP)". FIDO Alliance. Retrieved 30 January 2019.
  9. "FIDO 1.0 Specifications Published and Final". FIDO Alliance. 9 December 2014. Retrieved 31 December 2014.
  10. "Computerworld, December 10, 2014: "Open authentication spec from FIDO Alliance moves beyond passwords"". Computerworld. 9 December 2014. Retrieved 10 December 2014.
  11. "eWeek, July 1, 2015: "FIDO Alliance Extends Two-Factor Security Standards to Bluetooth, NFC"". eWeek. July 2015. Retrieved 1 July 2015.
  12. "W3C Member Submission 20 November 2015: FIDO 2.0: Web API for accessing FIDO 2.0 credentials". W3C. Retrieved March 14, 2016.
  13. "History of FIDO Alliance".
  14. "FIDO Alliance Member Companies & Organizations". FIDO Alliance. Retrieved 2024-03-22.