What are the key goals of the Alliance?

To be the industry initiative which changes the nature of online authentication, eliminating the dependency on passwords, by enabling interoperable biometric or non-biometric alternatives.
To support the international standardization of the OSTP by a recognized standards body.
To make the protocol an open standard to be embraced by Enterprises and web Destinations.
To make the protocol stack ubiquitously available on client devices.

What is the governance model?

The FIDO Alliance is a California Mutual Benefit Non-Profit corporation governed by a Board of Directors and managed by a Management Committee.

Why isn't this going straight to a standards body?

The FIDO authentication protocol needs to be part of a standardized, interoperable ecosystem to be successful. Building this ecosystem requires the active commitment of everybody from hardware chipset vendors, to the manufacturers of back-end server systems. Coordination across the divergent interests of these players is a complex affair, and one that current technical standards bodies are not well suited to handle.
The FIDO Alliance will refine the protocol, and monitor the extensions required to meet market needs and to make the protocol robust and mature. Implementation will not be undertaken by the FIDO Alliance. The mature protocol will be presented to the IETF, W3C or similar body after which it will be open to all industry players to implement.

What is the distribution strategy for middleware deployment on user devices?

It is expected that FIDO middleware will be available through multiple channels including system and device vendors, and will support all major browsers. FIDO member companies are working together with OEMs to enable FIDO devices to be shipped as built-in devices like Wi-Fi and cameras.

How does FIDO differ from TLS/SSL?

In contrast to TLS, FIDO does not assume a pre-existing trust relationship between the client and server. FIDO has a "device registration" step: the authenticator creates a new credential for that site and registers its public key with the server, and that registration is what establishes the trust relationship between the two.
Although TLS supports mutual authentication by design, client-certificate authentication has proven very hard to deploy and manage across large user populations. FIDO instead leverages the existing web infrastructure and aims to make deployment and day-to-day use easier.
Another difference is that FIDO gives relying parties a way to choose (and, depending on the transaction type, enforce) which kind of authenticator may be used.
The two are complementary: a FIDO exchange is carried over a TLS-protected connection, so TLS authenticates the server and protects the channel while FIDO authenticates the user, combining the flexibility of FIDO with the maturity of TLS.

Does any company have exclusive implementation rights to FIDO?

No. Any company that joins the FIDO Alliance and the FIDO Technology Working Group will receive implementation rights, subject to the Intellectual Property Rights Policy in the FIDO Alliance Membership Agreement. Creating a vibrant, interoperable strong-authentication ecosystem requires this very open approach to implementation rights, and we encourage all interested parties to join the FIDO Alliance and add FIDO-compliant capabilities to their products and services.

Which websites will use/offer FIDO-based authentication?

We expect that any website that needs strong authentication in order to protect a user's financial and personal information will be interested in adopting FIDO.

How do I get FIDO on my computer?

FIDO client software must be installed on your computer. It will be made available through multiple channels, including system vendors and bundled with FIDO authentication devices, and should be available for download for most browsers. The software is "invisible" until you access a FIDO-enabled website.

What if I reinstall the operating system or get a new computer, will I lose all my FIDO tokens?

This is the type of issue that the FIDO Alliance Technology Working Group is addressing in the specifications that will be published later this year (2013).

Does it only work with specific websites or can I also replace other password-protected stuff such as zip-files, emails, etc.?

Applications will be able to utilize FIDO protocols to secure local information, but the initial focus is on accessing internet services through web browsers and web applications.

Can I use FIDO to logon to Windows?

This is related to the (above) question regarding what, other than web browsers and web applications, can be accessed using the FIDO protocol. The answer is this really depends on the availability of appropriate software components for Windows.

I have a Windows computer at work, a Mac at home and an iPhone: will FIDO work on all of them? If not -- I still need Passwords?!

We expect broad support for FIDO on different types of devices, through different browsers and at various websites. But like all new technologies, this broad adoption will take some time. You may still need to use passwords occasionally if you don't have a FIDO device.

Will FIDO work on my Android phone, Windows tablet, Apple iBook?

While there are no current product announcements, we anticipate multiple FIDO options available on Android phones this year and development with Windows tablet and Apple products shortly thereafter. Check in with us in a few months.

Are all tokens considered equal? Who has to pay-to-play and what is really "open"?

All authenticators will conform to the FIDO protocols. While some authenticators may provide two-factor (authentication) others may provide only a single factor, but these will provide better account security than current passwords. Ultimately, it is up to the Relying Party website to decide how much security is required to perform a particular action.

How do proprietary systems begin FIDO compliance; how does that affect their OS?

The FIDO Alliance Technology Working Group will define the compliance parameters. FIDO is intended to sit above the OS level; security token vendors implement the OS-dependent parts in the Device Specific Modules (DSMs) needed to support their particular device.

What is the process for a new authentication vendor to become FIDO-compliant?

The FIDO Alliance will be defining a compliance program during 2013. Please join the FIDO Alliance and contribute to the effort.

Is it tested to be really secure? With something so new there is some concern it may be immature and have untested flaws.

FIDO is a new technology but it is being built on existing standards and designed and reviewed by experienced security professionals. FIDO will evolve over time, but it will certainly be better than today where users have weak and reused passwords.

If my computer gets stolen, how can I revoke all issued FIDO tokens?

If your FIDO token is lost or stolen, you will be able to login to your web accounts with other credentials such as your password in combination with other challenges and disable the lost token on your account. You can then connect a new FIDO token to your account. The exact challenges and procedure will depend on the policies of the website.

How secure are Fingerprints?

Fingerprint matching is very accurate: the chance that a random person's finger matches yours is often quoted at around 1 in 6 million (the exact figure depends on the sensor and its matching threshold). The chance that someone both finds your lost phone or authentication device and happens to have a matching fingerprint is far smaller still.
If you choose to use your fingerprint reader as your FIDO token, your finger becomes the master key for the credential vault in which all your FIDO credentials are stored. A website or application that uses a FIDO token never sees your fingerprint and, better yet, cannot obtain access unless you allow it. Unlike a PIN or password, a fingerprint cannot be guessed over the network: you must be physically present to unlock your credential vault. Fingerprint readers do not store an image of your fingerprint; during setup they create a template that is later used to match your finger with a very high degree of accuracy. On a well-designed authenticator that template is kept in protected storage on the device and is not exposed to other software.
It is therefore far more likely that someone could guess your PIN than that another person's finger would unlock your device.

Why is a PIN better than a Password?

When used in conjunction with a secure second-factor authenticator device and an authentication infrastructure such as FIDO, a PIN can be very secure.
With FIDO devices, the PIN is used only to unlock your device locally; it is never transmitted across the Internet. Today's passwords, by contrast, are sent to and stored by many sites, where they can be captured and tested against the user's other online accounts.

How secure is FIDO? How do you measure the security of FIDO? How do you prove that FIDO is secure?

Compared with passwords, FIDO is much more secure. FIDO security is intended to be at least as good as today's proprietary commercial strong-authentication options, while being more broadly available because the cost is lower. How much the security improves depends on the type of FIDO authenticator you have; the policies of each Relying Party website balance convenience against security, but FIDO improves both.
The measurement and provability of FIDO security is being defined in the Technology Working Group and will likely involve attestation services, review by external security analysts and established thresholds for functionality.

If I have a virus on my computer, can that intercept and steal my FIDO Authenticator?

This depends to some degree on the type of FIDO Authenticator in use. FIDO is designed with today's attack techniques (malware, phishing, man-in-the-middle) in mind, and cryptographic hardware-based authenticators are the most resilient against malware: their keys never leave the device, so they cannot be copied off it. Malware that controls the computer could still try to use an attached authenticator, which is why operations require the user's physical presence, for example a touch, a PIN or a fingerprint.

Is FIDO resistant against a man-in-the-middle attack?

Yes. The authenticator never releases a reusable secret; it signs the server's fresh challenge together with the identity of the site the client is actually connected to. An attacker sitting between the user and the site can relay that signature but cannot alter what was signed, reuse it for another challenge, or present it to a different site.

Is FIDO resistant against phishing attacks?

Yes. A FIDO credential is bound to the site it was registered with, and what the authenticator signs includes the identity of the site the client is actually talking to. A phishing site at a different address therefore cannot obtain a signature that the genuine site will accept, and there is no secret for the user to type in that could be captured.

Is FIDO resistant against replay attacks?

Yes, this is a key property of the underlying cryptographic protocols: each authentication answers a fresh random challenge from the server, so a captured response is useless for any later login.

When I sell my computer, how can I make sure that all FIDO tokens are securely erased?

This is a crucial component of the specification and user experience protocols currently being defined.

How can FIDO detect or make sure that it isn't initializing on a fake (virtual) hardware device?

FIDO Device Attestation addresses exactly this concern. During registration the authenticator signs the new credential with an attestation key that identifies its make and model, so the relying party can check that the credential was created on a genuine authenticator of a type it trusts before accepting it.

Will FIDO help against the many cross-site-scripting attacks?

FIDO does not specifically address cross-site scripting (XSS) attacks, and they are not currently a focus of the technology or ecosystem. FIDO removes passwords from the login step, but script injected into a site's own pages runs inside the user's already-authenticated session, so sites must continue to defend against XSS in the usual ways.

If the tokens are stored on my HD, can they be copied/stolen by malware?

The FIDO Authenticator is not designed to store tokens on your computer's HD. Implemented correctly, there should be no possibility of your token being stolen by malware for reuse on another system.

Is FIDO based on a central authentication entity like RSA or Verisign? And if this is compromised, would all users' tokens potentially be at risk?

While much of the FIDO technology is similar to, and builds upon, work already done by standards bodies such as the IETF, it is not based on a central authentication entity such as RSA or Verisign.
FIDO authentication takes place directly between the client and the server, without a third party in the loop. Validation of FIDO authenticators (checking their attestation at registration) may rely on a third-party service, depending on choices made by the server deployer/operator.
A compromise of RSA, Verisign or a similar central authentication entity therefore would not put your credentials at risk: the private keys exist only in your authenticator and no central service holds a copy. At most, a compromised attestation service could affect which authenticator models a site decides to accept.

Where are the FIDO tokens stored on my computer/smartphone?

That varies according to specific FIDO user device characteristics. Many FIDO Authenticators are built-in hardware components or discrete separate components (USB-based devices).

What if a user is not coming through a browser, but through another source, like a native mobile application?

The FIDO client software stack, including the components that carry FIDO messages over HTTP, will be installed on the user's device. Native applications can use the same stack and obtain the same protection as browser-based access.

Will the specification include mobile?

Yes. The user experience on mobile devices and apps is being defined by the specification.

Will my computer still work when I'm offline?

Yes, employing FIDO will not affect your system's behavior when you are offline.

What if my Fingerprints won't work (because of an injury, band-aid, etc.)?

FIDO provides flexibility with authentication options. The FIDO-enabled website controls which forms of authentication it will accept, so it may accept logon with a PIN, USB token, or other authentication device. The website may also allow you to login with your password.

I'm sharing some passwords with my spouse — how can I share my fingerprint?

FIDO client implementations will accommodate such use cases — the other user will be able to "enroll" their fingerprint with a FIDO biometric authenticator.

Can I install my FIDO-tokens on my (secure) USB-stick, carry my tokens with me and at the same time separate it from the platform?

Yes. We anticipate FIDO-enabled USB sticks using PIN, password and biometric features, and these will be portable across users' systems through a USB port.

Am I using the same FIDO token for all authentications to all websites and applications? Or does each site provision its own token? If it is many tokens, what is the maximum number of tokens I can have?

It is a key goal of the FIDO Alliance for you to be able to use the same FIDO Authenticator with all enabled websites and applications. But some Relying Parties or companies may have separate policies regarding the relative security of your device in relation to authentication to their service. For example, your employer may give you a FIDO Authenticator to use, but you may already have one for your personal records.

Why do we need FIDO if we have SAML?

SAML (Security Assertion Markup Language) is a data format for exchanging authentication and authorization information between an identity provider and a service provider in order to solve the single sign-on problem. It says nothing about how the user actually authenticates to the identity provider; that is the step FIDO addresses, so the two complement each other.

Where does FIDO end and NSTIC begin?

NSTIC (the National Strategy for Trusted Identities in Cyberspace) is a U.S. Government initiative with a broad umbrella covering trusted online identity. OASIS is an industry standards body bringing together government and industry to establish open standards that address the NSTIC goals. Identification, authentication and authorization are three smaller umbrellas with overlapping areas of interest, each covered by one or more technical committees within OASIS. FIDO addresses the authentication piece: it builds on these foundation standards to implement its solution, just as OpenID and OAuth have done.

How is FIDO different from OpenID?

FIDO and OpenID are two separate but complementary approaches.
OpenID is a federated identity management protocol specifying how an Identity Provider can vouch for the identity of a user to other websites. It does not specify how the end user authenticates with the Identity Provider. Typically, accepted current practice approaches such as static passwords are employed.
FIDO will specify new strong direct authentication protocols to be used in conjunction with various second-factor authenticators, such as a fingerprint sensor. FIDO protocols will be drop-in replacements for the typical website authentication techniques of today, such as those used by Identity Providers.
FIDO will not address the topic of federated identity management, as that is a separate topic and there are a plethora of available approaches. Hence, FIDO will enhance and complement rather than compete with federated identity management approaches.

How is FIDO different from OAuth?

OAuth is an open standard for authorization. It lets a client access server resources on behalf of a resource owner (such as a different client or an end user), and gives end users a way to authorize third-party access to those resources without sharing their credentials (typically a username and password), using user-agent redirections.
FIDO's focus is strong authentication, so its work is orthogonal to OAuth. OAuth deployments benefit from FIDO because the authorization server can strongly authenticate the resource owner before issuing a grant, which ensures that access to a resource is authorized only with the explicit permission of its owner.

If I replace my bank account password with a FIDO Authenticator will this change my liability risk?

This depends upon your banking institution and the regulations and policies established for account access.

I would like to understand the privacy implications with using FIDO tokens: what data (user, computer, usage, location, etc.) will be shared with a remote entity?

FIDO authentication takes place locally on your device, so a remote party receives only the information you've chosen to share with it. The keys an authenticator creates are specific to the site that registered them, so a FIDO credential used at one site does not identify you to another. FIDO also offers a new layer of protection by letting you verify that the other party is getting exactly what you intend and that the transaction hasn't been manipulated by malware in the browser or on the server.