Types of FIDO Authenticators
As mentioned in the introduction to FIDO, there are different types of FIDO Authenticators. Because FIDO2 is backward compatible, it also supports FIDO1 (U2F/CTAP1) Authenticators. Passwordless authentication, however, only works with FIDO2 Authenticators (CTAP2), because it relies on resident keys, which U2F Authenticators cannot store.
Did you know... that a FIDO Authenticator can serve an unlimited number of end-user FIDO accounts? Although the Authenticator creates a new key pair per user account and FIDO relying party, it does not necessarily have to keep that key pair in its own memory.
Instead, a factory-generated symmetric key that never leaves the FIDO Authenticator is used to encrypt (wrap) the private key. The wrapped private key is handed to the FIDO relying party as part of the credential ID, and the relying party stores it together with the public key. When the Authenticator is used, the relying party sends the credential ID back, and the Authenticator decrypts the private key from it on the fly; nothing about the credential is retained on the device.
This allows the FIDO Authenticator to serve an unlimited number of FIDO key pairs despite its limited storage capacity.
FIDO key pairs stored on the FIDO relying party in this way are called non-resident keys. Since the relying party must already know which user is logging in before it can send the matching credential ID back, non-resident keys cannot be used for passwordless authentication; they only serve as a second authentication factor.
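The non-resident-key mechanism described above, as an added example that is not part of the Airlock documentation or of any FIDO product's firmware: a toy authenticator in Go that holds nothing but a device key and wraps each per-relying-party private key into the credential ID with AES-GCM, binding the relying party ID as associated data so the same credential ID is useless at another relying party or on another device. The names (Authenticator, MakeCredential, GetAssertion, VerifyAssertion), the relying party ID login.example.com and the challenge are constructed for this example. Real products differ in detail (some derive the key from the credential ID instead of wrapping it, and they sign authenticatorData || SHA-256(clientDataJSON), not the bare challenge used here).

```go
package main

import (
	"crypto/aes"
	"crypto/cipher"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"crypto/x509"
	"errors"
	"fmt"
)

// Authenticator models a non-resident-key device: its only secret is a factory AES key.
type Authenticator struct {
	wrap cipher.AEAD // AES-256-GCM under the device key, which never leaves the device
}

func NewAuthenticator() (*Authenticator, error) {
	key := make([]byte, 32)
	if _, err := rand.Read(key); err != nil {
		return nil, err
	}
	block, err := aes.NewCipher(key)
	if err != nil {
		return nil, err
	}
	gcm, err := cipher.NewGCM(block)
	if err != nil {
		return nil, err
	}
	return &Authenticator{wrap: gcm}, nil
}

// MakeCredential generates a fresh P-256 key pair for rpID and returns the credential ID
// (nonce || AES-GCM(private key DER)) plus the public key. rpID is bound as additional
// authenticated data, so the credential ID cannot be replayed to another relying party.
func (a *Authenticator) MakeCredential(rpID string) ([]byte, *ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, nil, err
	}
	privDER, err := x509.MarshalECPrivateKey(priv)
	if err != nil {
		return nil, nil, err
	}
	nonce := make([]byte, a.wrap.NonceSize())
	if _, err := rand.Read(nonce); err != nil {
		return nil, nil, err
	}
	credentialID := append(nonce, a.wrap.Seal(nil, nonce, privDER, []byte(rpID))...)
	return credentialID, &priv.PublicKey, nil // the device stores nothing
}

// GetAssertion unwraps the private key from credentialID and signs the challenge. Unwrapping
// fails (GCM tag mismatch) if the ID came from another device or was issued for another rpID.
func (a *Authenticator) GetAssertion(rpID string, credentialID, challenge []byte) ([]byte, error) {
	ns := a.wrap.NonceSize()
	if len(credentialID) < ns+a.wrap.Overhead() {
		return nil, errors.New("credential ID too short")
	}
	privDER, err := a.wrap.Open(nil, credentialID[:ns], credentialID[ns:], []byte(rpID))
	if err != nil {
		return nil, errors.New("credential ID not issued by this authenticator for this relying party")
	}
	priv, err := x509.ParseECPrivateKey(privDER)
	if err != nil {
		return nil, err
	}
	digest := sha256.Sum256(challenge)
	return ecdsa.SignASN1(rand.Reader, priv, digest[:])
}

// VerifyAssertion is the relying party's check with the public key it stored at registration.
func VerifyAssertion(pub *ecdsa.PublicKey, challenge, signature []byte) bool {
	digest := sha256.Sum256(challenge)
	return ecdsa.VerifyASN1(pub, digest[:], signature)
}

func main() {
	const rpID = "login.example.com" // constructed relying party ID
	auth, err := NewAuthenticator()
	check(err)
	credID, pub, err := auth.MakeCredential(rpID)
	check(err)
	// The relying party keeps (credID, pub) under the username and must identify the user first.
	challenge := []byte("constructed server challenge")
	sig, err := auth.GetAssertion(rpID, credID, challenge)
	check(err)
	fmt.Println("assertion valid:", VerifyAssertion(pub, challenge, sig))
}

func check(err error) {
	if err != nil {
		panic(err)
	}
}
```

The relying party side stores only (credential ID, public key) per user, which is why it has to know the username before login can start; the authenticator side stores nothing per credential, which is why the number of accounts it can serve is unbounded. Because the relying party ID is authenticated data, a credential ID captured from one site fails to unwrap at another, and a credential ID minted by a different device fails on this one.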
FIDO user verification and passwordless authentication
FIDO Authenticators can be used as a second authentication factor or for passwordless authentication.
The term passwordless authentication is widely understood as an authentication flow that does not require a password or any other secret the end-user shares with the relying party.
FIDO has the concept of user verification, which may involve a PIN, a fingerprint, or similar. User verification is handled locally by the FIDO Authenticator together with the FIDO client (e.g. the PIN is entered in the browser and checked by the Authenticator); the FIDO relying party never receives the PIN or biometric and only learns from the UV flag in the signed authenticator data whether user verification took place.
FIDO user verification is optional but may be required by the FIDO relying party, which then rejects assertions whose UV flag is not set.
Resident keys for passwordless authentication
FIDO registration for passwordless authentication requires storing a so-called resident key (in WebAuthn terms: a discoverable credential) on the FIDO2 Authenticator. A distinct key pair is required per account and per relying party.
Because FIDO2 Authenticators have limited memory, typical authenticators can store only about 25 to 50 resident keys; the exact limit is product-specific.
Note that there are FIDO Authenticator products, including current ones, that do not support resident keys at all. They cannot be used for passwordless authentication.
Airlock IAM can be configured to require resident keys. Enable this only for registrations that target passwordless authentication, since it excludes Authenticators without resident-key support and uses up the limited resident-key slots of the others.
Bound- vs. roaming FIDO Authenticators
FIDO distinguishes between bound and roaming authenticators (WebAuthn calls them platform and cross-platform authenticators).
- Bound authenticators: built into the client device, such as the Android platform authenticator, a TPM (e.g. for Windows Hello), or Touch ID and Face ID on Apple smartphones and laptops.
- Roaming authenticators: external devices, usually connected via Bluetooth, USB or NFC, that can be moved between client devices.
Transport Types
FIDO knows different transport types, i.e., different ways in which FIDO Authenticators communicate with the FIDO client. The list is not fixed by the FIDO standard: WebAuthn defines the transport hints usb, nfc, ble, smart-card, hybrid and internal, and client platforms ignore values they do not know.
Possible transport types:
- Bluetooth (ble)
- USB (usb)
- NFC (nfc)
- Internal bus systems for bound authenticators (internal)
When an end-user registers a FIDO key or Passkey, IAM persists the transport type used for the registration. On the next login, IAM automatically passes the persisted transport type to the FIDO client along with the allowed credential, so the end-user is not asked to choose between all transport types, including unsupported ones, during authentication.
This default can be disabled. For more information, see Disabling the persisting of FIDO transports.
Further information and links
- List of FIDO certified products
- For notes about Windows Hello as FIDO Authenticator, see The FIDO Settings configuration plugin.