From MgmtWiki

Full Title or Meme

FIDO U2F (Universal 2nd Factor) is a family of standards[1] for adding a second factor to an existing Authentication exchange.


This spec has been partially superseded by Web Authentication.


Existing Authentication protocols based on a User Name and Password are insufficient in a world where so many Users depend on the internet for so much of their daily lives. The first attempt at Multi-factor Authentication was Smart Cards carrying X.509 Certificates. That scheme worked for large Enterprises but was never accepted by ordinary Consumers on the internet.


The following summary is abstracted from the FIDO U2F standard.[1]

  • All solutions depend on late binding of the token to an account at a particular origin (of the Relying Party): the device creates a new key pair usable only at that origin and gives the origin the public key to associate with the account.
  • Universal Serial Bus (USB) tokens are now widely available; most allow late binding of the user to each Web Site that requires this factor of Authentication.
  • Other transports, like NFC or Bluetooth, are offered for small hand-held devices, but have not been as successful as the USB versions.
  • Initially the U2F functionality is exposed to JavaScript programs running in the browser.
  • The spec claims that the same functionality could also be used from Native Apps outside the browser, but does not explain how such an app might be Attested as trustworthy.
  • The goal of the working group was that a modern client device owned by the user would just work, without additional driver or middleware setup.
  • So the USB U2F device is designed to work out of the box with existing consumer operating systems, with no driver installs or software changes.
  • Protection of the private keys inside the USB device's hardware is the default, but devices differ, and the level of protection actually provided is disclosed to the origin through an Attestation mechanism.
  • The U2F device mints an origin-specific public/private key pair, where the origin is defined by its protocol (http or https), host name and port.
  • The U2F device gives the public key and a Key Handle to the origin's online service or web site during the user registration step.
  • The U2F device signs the registration packet with an Attestation key burned into the device at manufacture; that key identifies the make and batch of U2F device rather than the individual unit, which is what lets the origin judge whether the device is trustworthy.
  • The Key Handle is simply an identifier of a particular key on the U2F device; many devices encode the wrapped private key itself in the Key Handle so that nothing has to be stored per origin.
  • For the Authentication step the User Agent assembles the client data: the challenge from the origin, the origin's own identity and, if one exists, the TLS channel ID. It is the hash of this client data that is presented to the device.
  • The U2F device signs that hash (together with the hashed application identity, a user-presence flag and a use counter) and returns the signature to the origin server, which validates it against the public key registered earlier.
  • How well the private key is protected depends on the particular U2F device, so the device must indicate, through its Attestation, what kind of device produced the signature.
  • Because different devices protect keys in different ways, the origin server must recognize the U2F device, from its Attestation, as one it has accepted as secure enough for its purposes.
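The exchange summarized in the bullets above, as an added example written for this page (not code from the FIDO specifications or from any U2F implementation). It simulates all three parties in one process: the U2F device, the User Agent that hashes the client data, and the origin server (Relying Party). The two signed layouts, 0x00 || appParam || challengeParam || keyHandle || userPubKey at registration and appParam || userPresence || counter || challengeParam at authentication, follow the U2F raw message format; everything else is an assumption of the example: per-origin keys are kept in a map instead of being wrapped into the Key Handle, the attestation "certificate" is a bare public key the Relying Party pins, the origin is used as its own AppID, and the TLS channel ID is omitted. The names Device, RelyingParty, Scenario, https://example.com and https://evil.example are illustrative.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"encoding/json"
	"errors"
	"fmt"
)

func sum(b []byte) []byte       { h := sha256.Sum256(b); return h[:] }
func newKey() *ecdsa.PrivateKey { k, _ := ecdsa.GenerateKey(elliptic.P256(), rand.Reader); return k }
// Simulated U2F device for this example; a Key Handle looked up with another origin's appParam never finds a key.
type Device struct {
	attestKey *ecdsa.PrivateKey            // stands in for the per-batch key burned in at manufacture
	keys      map[string]*ecdsa.PrivateKey // (origin, Key Handle) -> key; real tokens usually wrap the key into the handle
	counter   uint32                       // monotonic use counter, sent with every assertion
}
// Register mints a key pair for this origin and attests it: signs 0x00||appParam||challengeParam||keyHandle||pubKey.
func (d *Device) Register(appParam, cdh []byte) (pub *ecdsa.PublicKey, keyHandle, attestSig []byte, err error) {
	k := newKey()
	keyHandle = make([]byte, 16)
	rand.Read(keyHandle)
	d.keys[string(appParam)+string(keyHandle)] = k
	attestSig, err = ecdsa.SignASN1(rand.Reader, d.attestKey, sum(regMessage(appParam, cdh, keyHandle, &k.PublicKey)))
	return &k.PublicKey, keyHandle, attestSig, err
}
// Authenticate refuses a Key Handle minted for another origin, then signs appParam||userPresence||counter||challengeParam.
func (d *Device) Authenticate(appParam, cdh, keyHandle []byte) (up byte, ctr uint32, sig []byte, err error) {
	k, ok := d.keys[string(appParam)+string(keyHandle)]
	if !ok {
		return 0, 0, nil, errors.New("key handle was not issued for this origin")
	}
	d.counter++
	sig, err = ecdsa.SignASN1(rand.Reader, k, sum(authMessage(appParam, 1, d.counter, cdh))) // up=1: button touched
	return 1, d.counter, sig, err
}
// Device and Relying Party build the signed byte strings with the same two functions.
func regMessage(appParam, cdh, keyHandle []byte, pub *ecdsa.PublicKey) []byte {
	p := elliptic.Marshal(elliptic.P256(), pub.X, pub.Y) // 65-byte uncompressed point, as U2F sends it
	return append(append(append(append([]byte{0x00}, appParam...), cdh...), keyHandle...), p...)
}
func authMessage(appParam []byte, up byte, ctr uint32, cdh []byte) []byte {
	return append(binary.BigEndian.AppendUint32(append(append([]byte{}, appParam...), up), ctr), cdh...)
}
// User Agent side: the client data binds the RP's challenge to the page's origin; only its SHA-256 reaches the device.
func ClientDataHash(typ, challenge, origin string) []byte {
	cd, _ := json.Marshal(map[string]string{"typ": typ, "challenge": challenge, "origin": origin})
	return sum(cd)
}
func AppParam(appID string) []byte { return sum([]byte(appID)) } // SHA-256 of the AppID (here: the origin itself)

// Relying Party with one registered key; trustedAttest stands in for the attestation certificate it accepts.
type RelyingParty struct {
	appID              string
	trustedAttest, pub *ecdsa.PublicKey
	keyHandle          []byte
	lastCounter        uint32
}
// The attestation signature covers pub too, so a key from an unrecognised device model is never stored.
func (rp *RelyingParty) FinishRegistration(challenge string, pub *ecdsa.PublicKey, keyHandle, attestSig []byte) error {
	cdh := ClientDataHash("navigator.id.finishEnrollment", challenge, rp.appID)
	if !ecdsa.VerifyASN1(rp.trustedAttest, sum(regMessage(AppParam(rp.appID), cdh, keyHandle, pub)), attestSig) {
		return errors.New("attestation is not from a device model this RP trusts")
	}
	rp.pub, rp.keyHandle = pub, keyHandle
	return nil
}
// The RP rebuilds the signed bytes itself rather than trusting any copy sent by the client.
func (rp *RelyingParty) FinishAuthentication(challenge string, up byte, ctr uint32, sig []byte) error {
	if up&1 == 0 || ctr <= rp.lastCounter {
		return errors.New("no user presence, or counter did not increase (replay or cloned device)")
	}
	cdh := ClientDataHash("navigator.id.getAssertion", challenge, rp.appID)
	if !ecdsa.VerifyASN1(rp.pub, sum(authMessage(AppParam(rp.appID), up, ctr, cdh)), sig) {
		return errors.New("signature does not verify under the registered key")
	}
	rp.lastCounter = ctr
	return nil
}
// Scenario: register, log in, relay the Key Handle from a phishing origin, replay an assertion, register an untrusted device.
func Scenario() (register, login, phish, replay, untrusted error) {
	dev := &Device{attestKey: newKey(), keys: map[string]*ecdsa.PrivateKey{}}
	rp := &RelyingParty{appID: "https://example.com", trustedAttest: &dev.attestKey.PublicKey}
	pub, kh, asig, _ := dev.Register(AppParam(rp.appID), ClientDataHash("navigator.id.finishEnrollment", "c1", rp.appID))
	register = rp.FinishRegistration("c1", pub, kh, asig)
	up, ctr, sig, _ := dev.Authenticate(AppParam(rp.appID), ClientDataHash("navigator.id.getAssertion", "c2", rp.appID), rp.keyHandle)
	login = rp.FinishAuthentication("c2", up, ctr, sig)
	_, _, _, phish = dev.Authenticate(AppParam("https://evil.example"), ClientDataHash("navigator.id.getAssertion", "c3", "https://evil.example"), rp.keyHandle)
	replay = rp.FinishAuthentication("c2", up, ctr, sig)
	pub2, kh2, asig2, _ := (&Device{attestKey: newKey(), keys: map[string]*ecdsa.PrivateKey{}}).Register(AppParam(rp.appID), ClientDataHash("navigator.id.finishEnrollment", "c4", rp.appID))
	untrusted = rp.FinishRegistration("c4", pub2, kh2, asig2)
	return
}
func main() { fmt.Println(Scenario()) }
```

Running it prints five results: the first two (registration and a genuine login) are nil, the remaining three are errors. The phishing case is the point of origin-specific keys: the attacker's page can relay the real Key Handle, but the browser hashes the attacker's origin into appParam, so the device finds no matching key and never produces a signature. The counter check is not in the bullets above but is part of the raw message the device signs, and it is the only signal a Relying Party has that a token may have been cloned.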


  1. FIDO Alliance, Index of /specs/ (the FIDO U2F specifications)

Other external links