Terms and definitions relating to FIDO

Authenticator Attestation ID, AAID

The AAID is a manufacturer-chosen identifier for the make and model of a FIDO Authenticator. Authenticators with the same ID share the same set of characteristics.

The AAID must be set if the authenticator implements FIDO UAF.

Authenticator Attestation GUID, AAGUID

The AAGUID is a manufacturer-chosen identifier for the make and model of a FIDO Authenticator. Authenticators with the same ID share the same set of characteristics.

The AAGUID must be set if the authenticator implements FIDO2.

attestation, FIDO

A FIDO Authenticator generates keys and/or other measurements for attestation. With the attestation, the FIDO Authenticator claims to the relying party that the transmitted keys or reported measurements originate from the authenticator being registered (and not from arbitrary software). The relying party may verify the attestation using a metadata service to establish trust in the attestation key and the reported measurements.

  • FIDO specifies multiple attestation models, e.g. full basic attestation and surrogate basic attestation.
  • FIDO attestation is specific to a FIDO Authenticator device model, not to an individual device: with basic attestation, the attestation key is shared by a batch of devices of the same model, so that a single authenticator cannot be tracked across relying parties.

client, FIDO

A FIDO client is an application or software component (typically a browser or an operating-system component) that binds FIDO Authenticators to a relying party.

  • Between the FIDO Authenticator and the FIDO client, the CTAP1/CTAP2 protocol (Client to Authenticator Protocol) is used.
  • Between the FIDO client and the relying party, WebAuthn (the W3C Web Authentication API) is used.

credential ID, FIDO

FIDO credential IDs are probabilistically unique identifiers for registered FIDO credentials. Every FIDO credential ID is associated with exactly one relying party.

discoverable FIDO key

A discoverable FIDO key is a FIDO key (or authenticator) that the FIDO client (typically the browser) can discover without the user first being identified. For example, a web application may ask the browser (via the WebAuthn interface) whether there are any FIDO keys for the current domain.

Discoverable FIDO keys must be resident FIDO keys. A FIDO client may, however, choose not to disclose selected FIDO keys for privacy reasons.

FIDO

The Fast IDentity Online (FIDO) standard is an authentication standard developed by the FIDO Alliance and launched in 2013. The authentication method started as Universal 2nd Factor (U2F, also known as FIDO1) and was further developed into FIDO2, which allows multi-factor authentication and passwordless authentication.

Airlock IAM supports both FIDO versions. Note that FIDO2 Authenticators are fully backward compatible with FIDO1 (U2F).

We use the term FIDO wherever a distinction between FIDO1 and FIDO2 is not necessary.

FIDO Authenticator

FIDO Authenticators are hardware or software devices on the client side that are used to authenticate the end-user with FIDO/WebAuthn. FIDO Authenticators hold the cryptographic material that the relying party requires to authenticate the end-user, including authenticator-specific metadata.

FIDO Authenticators are available with different FIDO Authenticator certification levels. We strongly recommend using FIDO Alliance certified FIDO Authenticators only.

FIDO Authenticator Metadata

FIDO Authenticator Metadata is information about the characteristics of a FIDO Alliance certified authenticator. The set of metadata is associated with either an AAID (for FIDO1 Authenticators) or an AAGUID (for FIDO2 Authenticators).

In the discovery phase of the FIDO protocol, the relying party determines the capabilities of the FIDO Authenticator by looking up the authenticator's AAID/AAGUID in a metadata database, such as the FIDO Alliance Metadata Service (MDS).
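
The metadata lookup described above, together with the attestation and AAGUID entries, as an added example (not Airlock IAM code): a Python parser for the WebAuthn authenticator data (authData) that a FIDO2 Authenticator returns at registration, extracting the RP ID hash, flags, signature counter, AAGUID and credential ID, followed by a registration policy that checks the RP ID, user presence/verification and the AAGUID against a constructed stand-in for the metadata database. The AAGUIDs, metadata entries and sample authData are made up. The block does not verify the attestation signature itself; that requires the attestation certificate chain from the metadata entry and is a separate step.

```python
"""Parse WebAuthn authenticator data (authData) and check the AAGUID against a metadata table.

Added example, not Airlock IAM code. The metadata table, the AAGUIDs and the sample authData are constructed."""
import hashlib
import struct
import uuid

# Bits of the authData flags byte as defined by WebAuthn.
FLAG_UP = 0x01  # user present
FLAG_UV = 0x04  # user verified
FLAG_AT = 0x40  # attested credential data follows the signature counter
FLAG_ED = 0x80  # extension data follows the attested credential data

# A U2F (CTAP1) authenticator reports an all-zero AAGUID, and clients typically zero it for "none" attestation.
ZERO_AAGUID = uuid.UUID(int=0)

# Constructed stand-in for a metadata service lookup; these AAGUIDs do not belong to real products.
EXAMPLE_AAGUID_A = uuid.UUID("11111111-2222-4333-8444-555555555555")
EXAMPLE_AAGUID_B = uuid.UUID("aaaaaaaa-bbbb-4ccc-8ddd-eeeeeeeeeeee")
METADATA = {
    EXAMPLE_AAGUID_A: {"description": "Example Key Model A", "certified": True},
    EXAMPLE_AAGUID_B: {"description": "Example Key Model B", "certified": False},
}


def parse_auth_data(auth_data: bytes) -> dict:
    """Split authData into rpIdHash, flags, signCount and (if FLAG_AT is set) attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authData too short")
    flags = auth_data[32]
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": flags,
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
        "user_present": bool(flags & FLAG_UP),
        "user_verified": bool(flags & FLAG_UV),
    }
    if flags & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = uuid.UUID(bytes=auth_data[37:53])
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        cred_id = auth_data[55:55 + cred_len]
        if len(cred_id) != cred_len:
            raise ValueError("credential ID truncated")
        parsed["credential_id"] = cred_id
        # What remains is the CBOR-encoded COSE public key (plus extensions if FLAG_ED is set);
        # it is kept opaque here and would be decoded with a CBOR library.
        parsed["cose_public_key"] = auth_data[55 + cred_len:]
    return parsed


def evaluate_registration(auth_data: bytes, rp_id: str, require_uv: bool = True,
                          certified_only: bool = True) -> tuple:
    """Apply a registration policy: RP ID must match, model must be known (and certified, if required)."""
    parsed = parse_auth_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return ("reject", "rpIdHash does not match the expected RP ID")
    if "aaguid" not in parsed:
        return ("reject", "no attested credential data in authData")
    if not parsed["user_present"]:
        return ("reject", "user presence not asserted")
    if require_uv and not parsed["user_verified"]:
        return ("reject", "user verification required but not performed")
    aaguid = parsed["aaguid"]
    if aaguid == ZERO_AAGUID:
        return ("reject", "zero AAGUID: authenticator model not attested")
    entry = METADATA.get(aaguid)
    if entry is None:
        return ("reject", f"AAGUID {aaguid} not found in metadata")
    if certified_only and not entry["certified"]:
        return ("reject", f"{entry['description']} is not a certified model")
    return ("accept", entry["description"])


def build_auth_data(rp_id: str, flags: int, sign_count: int, aaguid: uuid.UUID,
                    cred_id: bytes, cose_key: bytes) -> bytes:
    """Assemble authData the way an authenticator lays it out, used here to construct sample input."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags]) + struct.pack(">I", sign_count)
            + aaguid.bytes + struct.pack(">H", len(cred_id)) + cred_id + cose_key)


# Constructed registration from "Example Key Model A" for RP ID example.com (COSE key bytes are a placeholder).
SAMPLE_AUTH_DATA = build_auth_data("example.com", FLAG_UP | FLAG_UV | FLAG_AT, 5,
                                   EXAMPLE_AAGUID_A, b"\x01" * 20, b"\xa5\x01\x02")

if __name__ == "__main__":
    info = parse_auth_data(SAMPLE_AUTH_DATA)
    print("AAGUID:", info["aaguid"], "credential ID:", info["credential_id"].hex())
    print(evaluate_registration(SAMPLE_AUTH_DATA, "example.com"))
```

A real deployment replaces the METADATA dictionary with entries from the metadata service and, before trusting the AAGUID at all, verifies the attestation statement's signature against the attestation root certificates listed in that entry; without that step the AAGUID is just a self-reported value.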

platform authenticator (FIDO)

In contrast to a roaming FIDO Authenticator, a platform FIDO Authenticator is integrated into the user device or its operating system. Examples are Windows Hello and the built-in FIDO authenticators of iOS and Android.
Platform authenticators may or may not use device-bound FIDO keys.

registration, FIDO

FIDO registration is the process in which an end-user enables FIDO-based authentication for a service with a FIDO Authenticator. During the process, the end-user's FIDO Authenticator generates a new key pair; the public key is associated with the end-user's account at the relying party, while the private key remains under the authenticator's control.

Registering a FIDO Authenticator may be subject to policies set by the relying party, e.g. specific attestation requirements. For example, the relying party can be configured to accept only specific authenticator models, or to enforce technological requirements, e.g. to accept FIDO2 Authenticators only.

Registration is not a part of the FIDO Authenticator enrollment process.

roaming FIDO Authenticator

In contrast to platform (bound) FIDO Authenticators, which are part of the end-user's device, roaming FIDO Authenticators are external pieces of hardware or software, e.g. a security key connected via USB, NFC or Bluetooth.

Relying Party (RP), FIDO

A FIDO Relying Party (RP) is a web site or entity that uses a FIDO protocol to authenticate end-users, either directly (FIDO-only authentication) or as part of a federated authentication, e.g. via SAML or OpenID Connect.

In federated authentication, the federated identity provider plays the role of the FIDO Relying Party.

resident key

A resident key is a private key that is stored in persistent memory on the authenticator. A non-resident key, in contrast, is not stored on the authenticator: it is stored in encrypted (wrapped) form inside the credential ID, which is kept on the relying party (RP) server and handed back to the authenticator for each authentication.

user device, FIDO

A FIDO user device is a computer, smartphone, or similar computing device that runs a FIDO client and can be used for FIDO authentication together with a FIDO Authenticator.

user handle, FIDO

The user handle maps the public key credential of a FIDO Authenticator to the end-user's account at the relying party. FIDO Authenticators in turn map (RP ID, user handle) pairs to public key credential sources.

FIDO user handles are required for passwordless FIDO authentication flows.

Note that passwordless FIDO/WebAuthn authentication is not supported for FIDO1 Authenticators, as FIDO1 (U2F) Authenticators are unable to store user handles.
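
The relying-party-side bookkeeping behind the user handle, as an added example (not Airlock IAM code): a constructed in-memory store that maps credential IDs and user handles to accounts, and shows the two lookups a relying party performs. In the second-factor flow the user is already identified and the RP lists that user's credential IDs (allowCredentials), so the assertion only has to name one of them. In the passwordless flow with discoverable keys no username is known up front, so the user handle returned by the authenticator selects the account, and an assertion without a user handle (as produced for a FIDO1/U2F credential) cannot be mapped to an account at all. The account names, credential IDs and key bytes are constructed; signature verification over the assertion is assumed to happen separately and is not shown.

```python
"""RP-side mapping of credential IDs and user handles to accounts for second-factor and passwordless flows.

Added example, not Airlock IAM code; the store, account names and credentials are constructed."""
import os
from dataclasses import dataclass, field


@dataclass
class StoredCredential:
    credential_id: bytes
    public_key: bytes      # COSE public key as received at registration, kept opaque here
    sign_count: int
    fido1: bool = False    # registered via U2F: the authenticator stores no user handle for it


@dataclass
class Account:
    username: str
    user_handle: bytes     # random and opaque (WebAuthn user.id); never derived from PII such as an e-mail address
    credentials: dict = field(default_factory=dict)  # credential_id -> StoredCredential


class RelyingPartyStore:
    def __init__(self, rp_id: str):
        self.rp_id = rp_id
        self.by_username = {}
        self.by_user_handle = {}
        self.by_credential_id = {}

    def create_account(self, username: str) -> Account:
        account = Account(username, os.urandom(32))
        self.by_username[username] = account
        self.by_user_handle[account.user_handle] = account
        return account

    def register(self, username: str, credential_id: bytes, public_key: bytes, fido1: bool = False) -> None:
        # A credential ID belongs to exactly one account; a collision means a replayed or forged registration.
        if credential_id in self.by_credential_id:
            raise ValueError("credential ID already registered")
        account = self.by_username[username]
        account.credentials[credential_id] = StoredCredential(credential_id, public_key, 0, fido1)
        self.by_credential_id[credential_id] = account

    def allow_list(self, username: str) -> list:
        """Second-factor flow: the RP knows the user and lists their credential IDs as allowCredentials."""
        return [c.credential_id for c in self.by_username[username].credentials.values()]

    def resolve_assertion(self, credential_id: bytes, user_handle, claimed_username=None) -> Account:
        """Find the account an assertion belongs to (signature verification happens separately)."""
        if claimed_username is not None:
            # Second-factor flow: the credential must be one the RP listed for this user.
            account = self.by_username.get(claimed_username)
            if account is None or credential_id not in account.credentials:
                raise ValueError("credential not registered for the claimed user")
            return account
        # Passwordless flow: no username yet, so the user handle from the authenticator selects the account.
        if not user_handle:
            raise ValueError("no user handle in assertion; passwordless login impossible (FIDO1/U2F credential?)")
        account = self.by_user_handle.get(user_handle)
        if account is None:
            raise ValueError("unknown user handle")
        if credential_id not in account.credentials:
            raise ValueError("credential ID does not belong to the account selected by the user handle")
        return account

    def record_sign_count(self, credential_id: bytes, new_count: int) -> None:
        """WebAuthn signature counter check: a non-increasing counter indicates a possibly cloned authenticator."""
        cred = self.by_credential_id[credential_id].credentials[credential_id]
        if (cred.sign_count > 0 or new_count > 0) and new_count <= cred.sign_count:
            raise ValueError("signature counter did not increase: possible cloned authenticator")
        cred.sign_count = new_count


if __name__ == "__main__":
    rp = RelyingPartyStore("example.com")
    alice = rp.create_account("alice")
    rp.register("alice", b"\x01" * 32, b"cose-key-alice")          # FIDO2 discoverable credential
    bob = rp.create_account("bob")
    rp.register("bob", b"\x02" * 32, b"cose-key-bob", fido1=True)  # FIDO1/U2F credential
    print("alice allowCredentials:", [c.hex() for c in rp.allow_list("alice")])
    print("passwordless assertion resolves to:", rp.resolve_assertion(b"\x01" * 32, alice.user_handle).username)
    try:
        rp.resolve_assertion(b"\x02" * 32, None)
    except ValueError as err:
        print("bob's U2F credential, passwordless:", err)
```

The check that the credential ID belongs to the account selected by the user handle is the one that matters for security: an attacker who registered their own credential must not be able to log in as another user by supplying that user's handle, and a user handle alone must never be accepted as proof of anything.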