Is it tested to be really secure? With something so new there is some concern it may be immature and have untested flaws.
FIDO is a new technology, but it is built on existing standards and is designed and reviewed by experienced security professionals. FIDO will evolve over time, but it will certainly be better than today's situation, where users rely on weak and reused passwords.
If my computer gets stolen, how can I revoke all issued FIDO tokens?
If your FIDO token is lost or stolen, you will be able to login to your web accounts with other credentials such as your password in combination with other challenges and disable the lost token on your account. You can then connect a new FIDO token to your account. The exact challenges and procedure will depend on the policies of the website.
How secure are Fingerprints?
The probability that someone else has the same fingerprint as you is about 1 in 6 million. The chances of someone finding your lost phone and/or authentication device AND having the same fingerprint are greater than 1 in a million.
If you choose to use your fingerprint reader as your FIDO token, your finger becomes the master key for your credential vault where all your FIDO tokens are stored. Each website or application that uses a FIDO token never gets to see your fingerprint and, better yet, they cannot obtain access unless you allow it. Unlike a PIN or Password, fingerprints cannot be guessed. You must be physically present to unlock your credential vault. Fingerprint readers do not store your fingerprint; they create a template during setup that can later be used to match your finger with a very high degree of accuracy. These templates are stored in a secure storage area on the device and cannot be accessed by any other software.
Someone is far more likely to guess your PIN than to unlock your device and access your information with a different fingerprint.
Why is a PIN better than a Password?
When used in conjunction with a secure second-factor authenticator device and authentication infrastructure such as FIDO, a PIN can be very secure.
With FIDO devices, a PIN is used only to unlock your device locally. The PIN is never transmitted across the Internet. Today, passwords are used across many sites, where they can be captured and tested against the user's other online accounts.
How secure is FIDO? How do you measure the security of FIDO? How do you prove that FIDO is secure?
When compared to current passwords, FIDO is much more secure. FIDO security will be at least as good as current proprietary commercial security options, but FIDO will be more broadly available because the costs will be lower. The security improvement depends on the type of FIDO device you have and on the policies of the Relying Party website, which will balance convenience against security; FIDO improves both.
The measurement and provability of FIDO security is being defined in the Technology Working Group and will likely involve attestation services, review by external security analysts and established thresholds for functionality.
If I have a virus on my computer, can that intercept and steal my FIDO Authenticator?
This depends to some degree on the nature of the FIDO Authenticators being employed. FIDO is designed to be very secure against current known and unknown attack strategies, and cryptographic hardware-based authenticators will be more resilient to malware-based attacks.
Is FIDO resistant against a man-in-the-middle attack?
Yes. FIDO is designed to eliminate any dependency on an intermediary ('man-in-the-middle') for transactions, which necessarily makes it resistant to those types of attacks.
Is FIDO resistant against phishing attacks?
Yes, phishing sites will not be able to fool the FIDO Authenticators into believing that they are the real sites.
Is FIDO resistant against replay attacks?
Yes, this is a key property of the underlying cryptographic protocols.
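As an added illustration (not part of the original FAQ) of why the three answers above hold, here is a small Go model of the FIDO challenge-response: the authenticator signs only for the origin its credential was registered at, the signed message carries that origin, and the site accepts each challenge once. The Ed25519 key type, the origin strings and the data layout are simplifications chosen for this example, not the FIDO specification's wire format.

```go
package main

import (
	"crypto/ed25519"
	"crypto/rand"
	"errors"
)
// Authenticator holds one credential key pair, scoped to the origin it was registered at.
type Authenticator struct {
	priv   ed25519.PrivateKey
	origin string
}
// RelyingParty keeps the registered public key and the outstanding single-use challenges.
type RelyingParty struct {
	origin  string
	pub     ed25519.PublicKey
	pending map[string]bool
}
// Register models credential creation: a fresh key pair whose public half the site stores.
func Register(origin string) (*RelyingParty, *Authenticator) {
	pub, priv, _ := ed25519.GenerateKey(rand.Reader) // crypto/rand does not fail in practice
	return &RelyingParty{origin, pub, map[string]bool{}}, &Authenticator{priv, origin}
}
// Sign refuses any origin other than the registered one, so a phishing site gets no signature;
// the signed message also carries the origin, so a signature is never valid elsewhere.
func (a *Authenticator) Sign(origin string, challenge []byte) ([]byte, error) {
	if origin != a.origin {
		return nil, errors.New("credential is not scoped to this origin")
	}
	return ed25519.Sign(a.priv, []byte(origin+"\x00"+string(challenge))), nil
}
// NewChallenge issues a random nonce and records it as outstanding.
func (rp *RelyingParty) NewChallenge() []byte {
	c := make([]byte, 32)
	rand.Read(c)
	rp.pending[string(c)] = true
	return c
}
// Verify consumes the challenge first (a replayed signature fails here), then checks the
// signature over rp's own origin and challenge under the key registered at setup.
func (rp *RelyingParty) Verify(challenge, sig []byte) error {
	if !rp.pending[string(challenge)] {
		return errors.New("unknown or already used challenge")
	}
	delete(rp.pending, string(challenge))
	if !ed25519.Verify(rp.pub, []byte(rp.origin+"\x00"+string(challenge)), sig) {
		return errors.New("signature does not verify for this origin and key")
	}
	return nil
}
```

A genuine login verifies exactly once; presenting the same signature again, asking the authenticator to sign for a lookalike origin, or presenting a signature from a credential registered elsewhere all fail.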
When I sell my computer, how can I make sure that all FIDO tokens are securely erased?
This is a crucial component of the specification and user experience protocols currently being defined.
How can FIDO detect or make sure that it isn't initializing on a fake (virtual) hardware device?
FIDO Device Attestation, a facet of the FIDO ecosystem, protects against exactly this concern.
Will FIDO help against the many cross-site-scripting attacks?
FIDO doesn't specifically address cross-site scripting (XSS) attacks and it is not currently a focus of the technology or ecosystem.
If the tokens are stored on my HD, can they be copied/stolen by malware?
The FIDO Authenticator is not designed to store tokens on your computer's HD. Implemented correctly, there should be no possibility of your token being stolen by malware for reuse on another system.