Definition: FIDO


(1) For email, see FidoNet.

(2) (Fast IDentity Online) A set of authentication standards from the FIDO Alliance, formed in 2013, for logging into a website or online service. FIDO is called a "passwordless" system: instead of a username and password, the user signs in with a "passkey," a public/private key pair that the user's device generates for that particular site. Nothing secret is typed into or shared with the website, so there is no password to reuse or to steal in a breach. Before the device will use the passkey, it verifies the user locally with a numeric PIN, a biometric such as a fingerprint, or both. That PIN or fingerprint is the same for every site, which sounds like the opposite of the "never use the same password" advice, but it never leaves the device; each site gets its own key pair. See password.




FIDO Works Because of Private/Public Key Pairs
Following the diagram above, when users open an account online, their device generates a public/private key pair, and only the public key is sent to the website. The private key is never transmitted to, or stored on, the website server. At login, the website sends the client a fresh random string of data to serve as a challenge; the client device verifies the user locally (PIN or biometric) before it will use the private key.

The client signs the challenge with the user's private key and sends the resulting digital signature back to the website. The server verifies the signature against the stored public key and the challenge it just issued. If the signature checks out, the user is authenticated. Because every challenge is random and used only once, a captured signature cannot be replayed at a later login.

Signing is not encryption: the private key produces a signature over the data, and anyone holding the freely available public key can verify that signature and know the content came from the holder of the matching private key (see digital signature). See public key cryptography and FIDO protocols.







Internal and External Authenticators
The FIDO authenticator generates the keys and handles login authentication thereafter. With a built-in (platform) authenticator, the keys are stored in the computer's security chip (see TPM and Secure Enclave); an external (roaming) authenticator such as a USB security key or smart card (above) carries the keys with the user, so people can log on from any computer. (Images courtesy of Yubico and CRYPTNOX SA.)




There Is Major Support
Influential companies are adding FIDO support to their logins, but a totally passwordless future will take time to implement. Having private keys means planning for their loss. Passkeys held by a platform vendor or password manager can be synced or backed up through that service; an external security key does not let its private keys be copied out, so the usual safeguard is to register a second key with each account in case the first is lost or damaged. Most importantly, the majority of websites must support FIDO to make it truly worthwhile. For protocol details, see FIDO protocols. See password manager.