10.2.3.3.1. Types of FIDO Authenticators

As mentioned in the 10.2.3. introduction to FIDO, there are different types of FIDO Authenticators. Remember that FIDO2 is backward compatible in that it also supports FIDO1 (U2F/CTAP 1) Authenticators but passwordless authentication only works with FIDO2 Authenticators (CTAP2).

Did you know... that a FIDO Authenticator can be used for an unlimited number of end-user FIDO accounts? Even if the Authenticator creates a new key-pair per user account and FIDO relying party, it does not necessarily have to store it in its memory.

A factory-generated symmetric key that never leaves the FIDO authenticator is used to encrypt the key pair and have it stored by the FIDO relying party. When using the authenticator, the relying party sends the encrypted key pair to the authenticator.

This allows the FIDO authenticator to serve an unlimited amount of FIDO key pairs despite its limited storage capacity.

FIDO key pairs stored on the FIDO relying party in this way are called non-resident and cannot be used for passwordless authentication.

FIDO user verification and passwordless authentication

FIDO Authenticators can be used as 2nd authentication factor or in passwordless authentication.

The term passwordless authentication is widely understood as an authentication flow that does not require a password, PIN, or other proof of knowledge at all.

FIDO knows the concept of user verification which may involve a PIN, fingerprint, or alike. FIDO user verification is handled by the FIDO Authenticator together with the FIDO client (e.g. enter PIN in browser) and does not involve the FIDO relying party.

2FA with FIDO pwless userless

FIDO user verification is optional but may be required by the FIDO relying party.

Resident keys for passwordless authentication

FIDO registration for passwordless authentication requires storing a so-called resident key that is stored on the FIDO2 Authenticator. A distinct key pair is required per account per relying party.

Because FIDO2 Authenticators have limited memory, typical authenticators can store only 25 to 50 resident keys.

Note that there are (even current) FIDO Authenticator products that do not support resident keys at all. They cannot be used for passwordless authentication.

Airlock IAM can be configured to require resident keys only when targeting for passwordless authentication purposes.

Bound- vs. Roaming FIDO Authenticators

FIDO distinguishes between bound and roaming authenticators.

  • Bound Authenticators: Built-in (platform) authenticators like Android Key, TPM (e.g. for Windows Hello), Touch-ID, or Face-ID based on Apple smartphones or laptops.
  • Roaming Authenticators: External devices usually connected via Bluetooth, USB or NFC.

Transport Types

FIDO knows different transport types, i.e. different ways how FIDO Authenticators communicate with the FIDO client. The transport types are not limited by the FIDO standard.

  • Bluetooth
  • USB
  • NFC
  • Bound devices may be connected via internal bus systems.

Further information and links