FAQ’s

FIDO authentication technologies are deployed in hundreds of millions of devices today with, total potential reach to over 1.5 billion user accounts. FIDO authentication is already enabled through early deployments from PayPal, Samsung, Nok Nok Labs, Synaptics, Github, Google, DropBox, NTT DOCOMO, and many more. Anyone with a FIDO U2F authenticator or FIDO® Certified device can start authenticating wherever FIDO authentication is supported, such as through the Chrome browser and Google Accounts as announced in October 2014: Strengthening 2-Step Verification with Security Key. 

The FIDO (Fast IDentity Online) Alliance is a 501(c)6 non-profit organization incorporated in mid-2012 to develop standards that address the lack of interoperability among strong authentication devices as well as the problems users face with creating and remembering multiple usernames and passwords. To learn
more about the FIDO Alliance governance and structure please refer to the About page and the Membership Details page.

The FIDO Alliance website provides comprehensive information about the Alliance, its specifications, FIDO Certified products, community resources and general progress. You can also sign up to receive updates and invitations to future events, many of which are open to the public. You can also follow @FIDOalliance on Twitter and/or on LinkedIn.

As of December 9th, the Alliance is providing support for deployers of the technology by operating the new [email protected] public discussion list that anyone can subscribe to. For organizations interested in detailed progress and influencing outcomes, the best way to get involved is to join the Alliance.

Please see the required steps on the FIDO Alliance membership web page.

There are significant benefits to member organizations, based on whether they are looking to deploy FIDO authentication, or to produce FIDO compliant software or hardware to enhance authentication for your customers. If your company would like to contribute to the development and adoption of the FIDO standards, please consider joining the alliance.

Open industry standards assure that existing and future products and offerings are compatible and that anyone can evaluate the technology. Users can depend on their FIDO devices working wherever FIDO authentication is supported. Service providers and enterprises can accommodate various devices and services without having to make new investments or reverting to proprietary configurations.

Similar to the development of WiFi, Bluetooth, NFC, and other standards, FIDO is developing a new set of industry protocols. Any device manufacturer, software developer and/or online service provider can build support for FIDO protocols into their existing products and services to make online authentication simpler and stronger for their users. With the goal of standardization, the FIDO ecosystem can grow and scale by means of the “net effect”, where any new implementation of the standards will be able to immediately interoperate with any other implementation without the need for any pre-established arrangement between device developer and service provider.

FIDO specifications are device-agnostic and support a full range of authentication technologies, including U2F tokens and biometrics such as fingerprint and iris scanners, voice and facial recognition, as well as PIN or pattern-protected microSD cards. FIDO specifications will also enable existing solutions and communications standards, such as Trusted Platform Module (TPM), USB Security Tokens, embedded Secure Elements (eSE), Smart Cards, Bluetooth Low Energy (BLE), and Near Field Communication (NFC). Because FIDO specifications are open, they are designed to be extensible and to accommodate future innovation, as well as protect existing investments.

FIDO specifications allow users a broad range of choice in devices that meet their needs or preferences, as well as those of service providers, online merchants, or enterprises where users must authenticate.

Unlike current password systems which have proven vulnerable to mass-scale attacks and fraud, FIDO UAF authentication credentials are never shared or stored in centralized databases. FIDO credentials are known and maintained only by the user’s own device. There are no secrets stored with the online service provider, only the public keys paired to the user’s device where the private keys are stored, so nothing to harm the user if that service provider is breached (unlike the password situation). Biometics used in FIDO authentication never leave the device.

While it’s not impossible for a determined criminal to steal a FIDO device and hack it to obtain the user’s credentials, consider the challenges to do so, even in a laboratory-controlled environment. A would-be attacker must perform two completely different types of attacks in order to complete a single, not scalable, one-off device spoof. Consider the example of spoofing a fingerprint sensor equipped FIDO device. First, the attacker must obtain a perfectly formed, complete latent print that is also enrolled on the target user’s device. Then, the attacker must gain access to the user’s device, in order to control only that one device. The single spoof, even if accomplished, doesn’t approach the potential harm done by today’s typical mass-scale attack, which can result in harvesting millions and hundreds of millions of users’ credentials. The password ecosystem has afforded attackers with great return on investment with relatively limited risk; the FIDO ecosystem is far more difficult, expensive, and risky for attackers to profit from.

Yes, you can use multiple websites from one FIDO device. Each device/website pairing requires a separate registration and a separate cryptographic key pair. Once registered, a user can easily authenticate to multiple sites from the same device, yet each site has no knowledge of the user interactions with other sites.

If a user acquires a new device or wants to use multiple FIDO devices, the user needs only register each of the devices at the sites where he wants to use them. Once a device is registered at a site, it will be recognized whenever the user needs to authenticate at that site. When a user visits a site with a new device that hasn’t been registered, and thus isn’t automatically recognized, the user will be prompted to register the new FIDO device to enable FIDO authentication with the new device at that site.

The FIDO Alliance MetaData Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a centralized and trusted source of information about FIDO authenticators. The MDS service presently supports FIDO UAF. The FIDO Alliance intends to develop an analogous service for products compliant with the FIDO U2F protocol.

In order to publish metadata statements, a company must register with the FIDO Alliance and obtain a vendor ID. There are no restrictions on accessing the metadata.

No.

https://fidoalliance.org/adoption/mds

Start by making sure your implementation passes the conformance tests (registration required). After you’ve validated your implementation, register for an Interoperability event and you’re on your way to certifying your product.

Yes. There is a recognizable FIDO Certified logo for vendors to include with their web sites, product materials, packaging, etc.

Use of the FIDO Certified logo will require signing a TMLA. There is a streamlined process for Relying Parties that wish to use the certification logo on their websites, which includes a “clickless” license agreement.

The FIDO Alliance will be introducing security lab testing within the next few months. Other forms of validation testing may be introduced in the future, depending on the business requirements of online service providers.

A product is certified indefinitely as long as the code base of its FIDO implementation doesn’t change in any substantial way. Certification can only be terminated in rare instances, such as determining that an implementation improperly passed test tools or interoperability events. Certification only applies to a specific specification and implementation class (i.e. “UAF
Authenticator”). If new major version of specifications are released (as determined by the FIDO Certification Working Group) and an implementation would like to claim conformance with
that specification, new certification will be required.

Yes. Implementations must request certification (and pay the certification fees) for each implementation class they are seeking to certify. For example, if an 
implementation certifies for both a FIDO UAF Server and a U2F Server, that implementation must follow the certification process for both (and pay the certification fees for both). The
implementation would ultimately receive two certifications. The primary difference between UAF testing and U2F testing is the different test tools and the different interoperability events.

For those interested in the UAF program, an additional Vendor ID fee of $3000 is required for UAF Authenticators only.

The UAF authenticator specification defines an AAID field that is half Vendor ID and half Device ID used to uniquely identify each authenticator. The Vendor ID is a unique identifier assigned by FIDO to each company implementing a UAF authenticator. The other half of the AAID field, the Device ID, is assigned to the authenticator by the implementing company.  Only UAF Authenticators require a Vendor ID.

Yes.  Non-members are welcome to certify their implementations. 

FIDO members can certify an implementation of UAF server, client or authenticator; or U2F server or authenticator for $5,000 per certification. Derivatives (implementations that are the same code embedded into a different product) can be registered for $500 each. Non-member rates are $6,500 for certifications and $750 for derivatives. These fees cover the trademark licensing, interoperability event, test tool usage and support, and documentation processing.

Certification is starts with self-assessment of specification conformance through the use of FIDO Alliance provided test tools, followed by interoperability testing with at least 3 test partners at FIDO Alliance proctored test events. At this time, there is no lab aspect to the certification program.

There are four major testing steps:

1. Conformance self-validation; which uses test tools to ensure that an
   implementation is conformant to the specification.
2. Interoperability testing; where implementers gather to test their implementations together
3. Certification registration; where the implementation is submitted to FIDO for certification
4. Optional trademark agreement; enabling the FIDO certification mark to be used with a product or service.

The implementation must satisfy two main criteria. That it is conformant to the FIDO specification (to the best of our ability to determine that) and that it is known to interoperate with other implementations. This should provide both businesses and consumers with confidence that a FIDO Certified implementation delivers the FIDO values of stronger, simpler, authentication

Most likely that an implementation has some bugs to work through before being considered an exemplar of FIDO.

Interoperability events occur at least every 90 days, but may occur more frequently based on implementer demand.

Derivative certification was created to streamline the certification process for implementers that have a large volume of certifications that are essentially all based off of the same implementation. In this case, implementers may certify one implementation and the rest may be registered as “derivatives” of that base certification. Derivatives don’t require running test tools or attending interoperability events to achieve certification, but the implementation cannot change in any substantial way from the original certification earned via our test tools and interoperability testing.

No. But a product must be certified to claim to be FIDO Certified and use the FIDO Certified logo.

The FIDO Alliance staff will audit on a monthly basis the usage of FIDO Certified logos and published claims of certification. Auditing of actual implementations will be driven by market feedback. Should any concerns arise, feedback can be submitted through the Certified Logo Violation form.

The FIDO Alliance issued Certificates have the following numerical format:

SSSXYZAYYYYMMDD####

SSS - Specification number (UAF or U2F)

X - Specification number

Y - Specification minor number

Z - Specification revision number

A - Specification errata number

YYYY - Year issued

MM - Month issued

DD - Day issued

#### - The number of the certificate issued today

No. Only products that have passed through FIDO Certification program and have been granted a certification number can claim to be FIDO Certified.

Yes. Implementations must request certification (and pay the certification fees) for each implementation class they are seeking to certify. For example, if an implementation certifies for both a FIDO UAF Server and a U2F Server, that implementation must follow the certification process for both (and pay the certification fees for both). The implementation would ultimately receive two certifications. The primary difference between UAF testing and U2F testing is the different test tools and the different interoperability testing procedures.

For those interested in the UAF program, an additional Vendor ID fee of $3000 is required for UAF Authenticators only.