Terms and definitions relating to FIDO

Authenticator Attestation ID, AAID

The AAID is a manufacturer-chosen identifier for the make and model of a FIDO Authenticator. Authenticators with the same ID share the same set of characteristics.

The AAID must be set if the authenticator implements FIDO UAF.

Authenticator Attestation GUID, AAGUID

The AAGUID is a manufacturer-chosen identifier for the make and model of a FIDO Authenticator. Authenticators with the same ID share the same set of characteristics.

The AAGUID must be set if the authenticator implements FIDO2.

attestation, FIDO

A FIDO Authenticator generates keys and/or other measurements for attestation. The FIDO Authenticator claims to the relying party that the transmitted keys or reported measurements originate from the registered authenticator itself. The relying party may verify the attestation using a metadata service to establish trust in the attestation key and reported measurements.

  • FIDO specifies multiple attestation models i.e. full basic attestation, surrogate basic attestation, and others.
  • FIDO attestation is specific to a FIDO Authenticator device model.

authentication, FIDO

FIDO Authentication is an umbrella term for FIDO1 (U2F/CPT1) and FIDO2 (CPT2 and WebAuthn) authentication types.

In the FIDO Authentication flow, an end-user proves the possession of a registered FIDO Authenticator towards a relying party.

bound FIDO Authenticator

In contrast to roaming FIDO Authenticators, bound FIDO Authenticators are an integral part of e.g. a smartphone or a laptop.

client, FIDO

A FIDO client is an application or a software component that can bind FIDO Authenticators with a relying party.

  • Between the FIDO Authenticator and the FIDO client, the CTP1/CTP2 protocol is being used.
  • Between the FIDO client and the relying party, WebAuthn is being used.


The ColdDB is a persistent database where aggregated session information of the security gate process is stored for later usage by Airlock Anomaly Shield. The main purpose is, to hold training data to train the machine learning algorithm, but it may also be used for other analytics purposes.


The fast identity online standard is an authentication standard developed by the fidoTM Alliance, launched in 2013. The authentication method started as a universal 2nd factor (U2F, also known as FIDO1) and has been further developed to FIDO2, allowing multifactor authentication and passwordless authentication.

Airlock IAM supports both FIDO versions. Note that FIDO2 Authenticators are fully backward compatible FIDO1 Authenticators.

We use FIDO wherever a distinction between FIDO1 and FIDO2 is not necessary.

FIDO Authenticator

FIDO Authenticators are client hardware or software devices that are used to authenticate the end-user with FIDO/WebAuthn. FIDO Authenticators maintain the cryptographic material that is required for the relying party to authenticate the end-user, this includes authenticator-specific metadata.

FIDO Authenticators are available with different FIDO Authenticator certification levels. We strongly recommend using fidoTM Alliance certified FIDO Authenticators only.

FIDO Authenticator Metadata

FIDO Authenticator Metadata is information about the characteristics of a fidoTM Alliance certified authenticator. The set of metadata is associated with either an AAID (for FIDO1 Authenticators) or an AAGUID (for FIDO2 Authenticators).

In the discovery phase of the FIDO protocol, the relying party determines the available capabilities of the FIDO Authenticator by looking up the authenticators AAID/AAGUID from a database.

registration, FIDO

FIDO registration is the process in which an end-user enables FIDO-based authentication for a service with a FIDO Authenticator. During the process, the end-user's FIDO Authenticator generates a new public key that is associated with the end-user's account at the relying party.

Registering a FIDO Authenticator may be subject to policies set i.e. specific attestation requirements by the relying party. For example, the relying party can be configured to only accept specific authenticator models or technological requirements i.e. set to accept FIDO2 Authenticators only.

Registration is not a part of the FIDO Authenticator enrollment process.

roaming FIDO Authenticator

In contrast to bound FIDO Authenticators, which are part of the end user's device, roaming FIDO Authenticators are external pieces of hardware or software.

Relying Party (RP), FIDO

A FIDO Relying Party (RP) is a web site or entity that uses a FIDO protocol to authenticate end-users. This could be either a FIDO-only direct or a federated authentication e.g. via SAML or OpenID Connect.

For federated authentication, the federated identity provider plays the role of the FIDO Relying Party.

resident key

A resident key is a private key stored in persistent memory on the authenticator, instead of being stored encrypted on the relying party (RP) server.

user device, FIDO

A FIDO user device is a computer, smartphone, or similar computing device that runs a FIDO client and can be used for FIDO authentication together with a FIDO Authenticator.

user handle, FIDO

The user handle is used to map the public key credential of FIDO Authenticators to end-user's accounts on the relying party. FIDO Authenticators in turn map RP IDs and user handle pairs to the public key credential sources.

FIDO user handles are required for passwordless FIDO authentication flows.

Note that passwordless FIDO/WebAuthn authentication is not supported for FIDO1 Authenticators, as FIDO1 (U2F) Authenticators are unable to store user handles.