
FIDO2

Generated by GPT-5-mini
Note: This article was automatically generated by a large language model (LLM) from purely parametric knowledge (no retrieval). It may contain inaccuracies or hallucinations. This encyclopedia is part of a research project currently under review.
Name: FIDO2
Developer: FIDO Alliance
Initial release: 2018
Latest release: 2024
Website: FIDO Alliance

FIDO2 is an authentication standard enabling passwordless, phishing-resistant access to online services through public-key cryptography and platform or roaming authenticators. It is a joint specification effort that builds on prior work by the FIDO Alliance and the World Wide Web Consortium, aiming to replace shared-secret credentials with attested cryptographic credentials usable across Google, Microsoft, Apple, Mozilla, and other technology providers. Major stakeholders include identity, hardware, and financial organizations such as Mastercard, Visa, Amazon Web Services, Intel, and Samsung.

Overview

FIDO2 comprises specifications that couple a client-to-authenticator protocol with a browser-to-relying-party protocol, integrating standards developed by the FIDO Alliance and the World Wide Web Consortium. Implementations rely on authenticators: platform authenticators embedded in devices produced by Apple Inc., Samsung Electronics, and Dell Technologies, or roaming authenticators from manufacturers such as Yubico and Feitian Technologies. Relying parties include cloud services from Google LLC, Microsoft Corporation, and Amazon.com, Inc., and financial services provided by JPMorgan Chase, HSBC, and Goldman Sachs. The standard interoperates with web platforms including the Chromium Project, the Mozilla Foundation, WebKit, and Blink (browser engine).

History and Development

The FIDO2 initiative evolved from earlier FIDO specifications developed by the FIDO Alliance, which was founded by organisations like PayPal, Lenovo, Nokia, Infineon Technologies, and Visa International. Initial concepts drew on public-key work from cryptographers associated with institutions such as MIT, Stanford University, and ETH Zurich. Collaboration with the World Wide Web Consortium produced the WebAuthn API, standardized after review by working groups that included contributors from Google, Microsoft Corporation, Mozilla Foundation, and Yubico. Pilot programs and interoperability testing occurred at events like the RSA Conference, Black Hat USA, DEF CON, and standards workshops at IETF meetings. Industry adoption accelerated following compatibility declarations by GitHub, Dropbox, Salesforce, Okta, and major banks participating in programs like FIDO Alliance certification.

Technical Architecture

FIDO2 combines the Web Authentication API (WebAuthn) and the Client to Authenticator Protocol (CTAP), enabling browsers and operating systems to mediate between relying parties and authenticators produced by vendors such as Yubico, Feitian Technologies, Samsung Electronics, and Google LLC. The architecture uses asymmetric keys: a resident or non-resident keypair stored in an authenticator that generates attestation statements and signs challenges issued by relying parties like Facebook, Twitter, LinkedIn, and Slack Technologies. Attestation formats and transports reference specifications from the IETF, libraries such as OpenSSL, and cryptographic primitives associated with standards bodies such as NIST and ISO/IEC. Authenticators can be platform-based (e.g., Windows Hello, Apple Touch ID, Android Keystore) or roaming tokens connecting over transports specified by the USB Implementers Forum, the Bluetooth SIG, or the NFC Forum.

Security Properties and Threat Model

FIDO2 defends against phishing and replay by binding keys to specific relying parties and by requiring user presence or user verification, the latter via biometric sensors (such as FIDO Alliance-certified ones) or a local PIN. Security analyses reference threat models discussed at conferences such as the USENIX Security Symposium and the IEEE Symposium on Security and Privacy, and reviews by agencies like ENISA and GCHQ. Attestation can provide device provenance useful in fraud detection for financial institutions like Mastercard and Visa International, while cryptographic protections rely on algorithms standardized by NIST and curve selections like those from SECG. Threats include physical compromise of authenticators, side-channel attacks examined by researchers affiliated with the University of Cambridge, the University of Oxford, and ETH Zurich, and supply-chain risks highlighted by investigations involving vendors such as Infineon Technologies.
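The registration and login ceremonies sketched in the Technical Architecture section, and the phishing and replay defences described just above, as an added worked example in Go. This is not code from the article, the FIDO Alliance, or the W3C: a toy authenticator holds one P-256 key pair per relying-party ID and signs the authenticator data together with a hash of the browser-built client data, and the relying party checks the challenge, origin, rpIdHash, presence/verification flags, signature counter, and signature in the order WebAuthn prescribes. The type and function names (Authenticator, RelyingParty, BuildClientDataJSON, signedDigest), the sample relying party example.com and the fixed challenge strings are constructed for illustration; attestation statements and the CBOR/COSE encodings of real responses are omitted.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"fmt"
)

const FlagUP, FlagUV byte = 0x01, 0x04 // authenticator-data flag bits: user present (touch), user verified (PIN/biometric)

// ClientData is the part of collectedClientData the relying party checks.
type ClientData struct {
	Type      string `json:"type"`
	Challenge string `json:"challenge"`
	Origin    string `json:"origin"`
}

// BuildClientDataJSON stands in for the browser, which (not the web page) fills in Origin and derives the rpID from it.
func BuildClientDataJSON(typ, challenge, origin string) []byte {
	b, _ := json.Marshal(ClientData{Type: typ, Challenge: challenge, Origin: origin})
	return b
}

// cred is one credential inside the token: a private key and its signature counter.
type cred struct {
	key   *ecdsa.PrivateKey
	count uint32
}
// Authenticator is a toy CTAP-style token holding one P-256 credential per relying-party ID (constructed model).
type Authenticator map[string]*cred

// MakeCredential is registration: a fresh key pair scoped to rpID; only the public half leaves the token.
func (a Authenticator) MakeCredential(rpID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a[rpID] = &cred{key: priv}
	return &priv.PublicKey, nil
}

// signedDigest is SHA-256(authData || SHA-256(clientDataJSON)): what the token signs and the RP verifies.
func signedDigest(ad, clientDataJSON []byte) []byte {
	cdh := sha256.Sum256(clientDataJSON)
	d := sha256.Sum256(append(append([]byte{}, ad...), cdh[:]...))
	return d[:]
}

// GetAssertion is login: authData = SHA-256(rpID) || flags || big-endian counter, signed with the key bound to rpID.
// A phishing origin maps to a different rpID, so the token has no key to sign with and the ceremony stops here.
func (a Authenticator) GetAssertion(rpID string, clientDataJSON []byte, userVerified bool) (ad, sig []byte, err error) {
	c, ok := a[rpID]
	if !ok {
		return nil, nil, fmt.Errorf("no credential for rpID %q", rpID)
	}
	flags := FlagUP
	if userVerified {
		flags |= FlagUV
	}
	c.count++
	h := sha256.Sum256([]byte(rpID))
	ad = append(h[:], flags, 0, 0, 0, 0)
	binary.BigEndian.PutUint32(ad[33:], c.count)
	sig, err = ecdsa.SignASN1(rand.Reader, c.key, signedDigest(ad, clientDataJSON))
	return ad, sig, err
}

// RelyingParty is the server-side record: its ID, expected origin, the registered public key and last counter seen.
type RelyingParty struct {
	ID, Origin string
	PubKey     *ecdsa.PublicKey
	LastCount  uint32
}

// VerifyAssertion applies the checks of the WebAuthn assertion verification procedure, in order.
func (rp *RelyingParty) VerifyAssertion(challenge string, clientDataJSON, ad, sig []byte, requireUV bool) error {
	var cd ClientData
	if err := json.Unmarshal(clientDataJSON, &cd); err != nil {
		return err
	}
	rpHash := sha256.Sum256([]byte(rp.ID))
	switch {
	case cd.Type != "webauthn.get" || cd.Challenge != challenge:
		return fmt.Errorf("client data is not for this ceremony (wrong type or stale/replayed challenge)")
	case cd.Origin != rp.Origin:
		return fmt.Errorf("origin %q is not %q (request relayed from another site)", cd.Origin, rp.Origin)
	case len(ad) < 37 || string(ad[:32]) != string(rpHash[:]):
		return fmt.Errorf("rpIdHash mismatch: credential is bound to another relying party")
	case ad[32]&FlagUP == 0 || (requireUV && ad[32]&FlagUV == 0):
		return fmt.Errorf("required user presence/verification not asserted")
	case binary.BigEndian.Uint32(ad[33:]) <= rp.LastCount:
		return fmt.Errorf("signature counter did not increase (cloned authenticator or replayed assertion)")
	case !ecdsa.VerifyASN1(rp.PubKey, signedDigest(ad, clientDataJSON), sig):
		return fmt.Errorf("bad signature")
	}
	rp.LastCount = binary.BigEndian.Uint32(ad[33:])
	return nil
}
```

To exercise it, register with MakeCredential, build client data with the relying party's own origin, call GetAssertion, and pass the result to VerifyAssertion, which returns nil. Presenting the same assertion a second time fails on the signature counter, client data carrying another site's origin fails on the origin check even though the signature is valid, and GetAssertion for the rpID a phishing origin would map to fails because no key was ever registered for it. A real relying party must also draw a fresh random challenge per ceremony and store it server-side; the fixed strings here exist only so the checks can be shown deterministically.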

Implementations and Ecosystem

Major browser vendors (Google, Microsoft, Apple Inc., Mozilla Foundation) implement WebAuthn, while operating system vendors (Microsoft Corporation with Windows Hello, Apple Inc. with Touch ID/Face ID, Google LLC with Android Keystore) integrate CTAP support. Hardware token manufacturers like Yubico, Feitian Technologies, Nitrokey, and SoloKeys provide roaming authenticators, and enterprise identity platforms such as Okta, Ping Identity, OneLogin, Auth0, and Duo Security offer FIDO2 support. Cloud providers including Amazon Web Services, Google Cloud Platform, and Microsoft Azure expose APIs and identity solutions compatible with FIDO2 flows. Certification programs run by the FIDO Alliance and testbeds at organizations like NIST facilitate interoperability.

Adoption and Use Cases

Use cases span consumer account protection at Google, Microsoft Corporation, Apple Inc., and Facebook; enterprise single sign-on for firms such as Salesforce, Workday, and ServiceNow; and strong customer authentication in banking and payments for institutions including JPMorgan Chase, Citigroup, HSBC, and Mastercard. Governments and public sector services in jurisdictions like the United Kingdom, France, and Singapore have pilot programs leveraging FIDO2 for citizen e-government portals. Identity providers in healthcare and education use implementations from vendors like Okta, Ping Identity, and Azure Active Directory to reduce credential theft in institutions such as Johns Hopkins University, Mayo Clinic, and Harvard University.

Criticisms and Limitations

Critics cite deployment challenges involving legacy systems at enterprises such as IBM and Oracle Corporation, hardware costs for small businesses, and interoperability issues across platforms reported by early adopters at the RSA Conference and Black Hat USA. Privacy concerns regarding attestation and device tracking have been raised by advocates associated with the Electronic Frontier Foundation and by researchers at UC Berkeley. Accessibility and inclusivity critiques reference work by organizations like the W3C's Web Accessibility Initiative and disability advocacy groups. Standards evolution continues through contributions from academia and industry actors including MIT, Stanford University, ETH Zurich, Google, and Microsoft Corporation.
