Simple FIDO authentication example


  • The end-user needs to own a FIDO1 or FIDO2 compliant FiDO Authenticator.
  • The end-user needs access to a client device like a smartphone with a FIDO-enabled app or simply a computer with a web browser with FIDO support.

Most modern web browsers have built-in FIDO support (CTAP1/2 and WebAuthn).


  1. In our example, authentication is achieved
  2. over a smartphone using an NFC FIDO Authenticator.
  3. over a web browser and a USB FIDO Authenticator.

However, more complex scenarios are possible where e.g. the FIDO Authenticator itself or the relying party may require a PIN or biometrics to be used for authentication – i.e. to enhance the security compared to a simple proof of possession.

Keep in mind that user verification actions are not mandatory in the FIDO authentication flow. Nevertheless, Airlock IAM as the relying party may be configured to only accept FIDO Authenticators with biometrics or PIN.

  • Airlock IAM acts as the FIDO relying party (RP) and uses the browser's WebAuthn API to start the authentication flow via REST calls.
  • The client to authenticator protocol (CTAP1 or CTAP2) establishes communication between the browser and the FIDO Authenticator. The client's FIDO Authenticator proves possession of the private key to the service or application by signing the RP's challenge.

Any PIN, biometrics, or passwords that might be required to use a FIDO Authenticator is not sent to the FIDO relying party but handled locally using the CTAP protocol.