
What is FIDO (Fast IDentity Online)?

Posted 6th Feb 2023 by Travis Rodgers

FIDO, or Fast IDentity Online, is a set of open authentication standards created to strengthen and simplify online authentication by reducing reliance on passwords. The protocols are built on public key cryptography: during registration the user's device generates a key pair, keeps the private key on the device (it never leaves it), and sends only the public key to the online service. At login the service sends a random challenge, the device signs it with the private key, and the service verifies the signature with the stored public key. Because each credential is bound to the service it was registered with, a look-alike site cannot use it. The protocols give users a unified way to log in securely from devices such as mobile phones, laptops, and tablets.

What is the FIDO Alliance?

The FIDO Alliance is the industry association that develops and oversees these standards and runs certification programs, memberships, and member-driven working groups. Founded in July 2012 by PayPal, Lenovo, Nok Nok Labs, Validity Sensors, Infineon and Agnitio, and publicly launched in February 2013, the alliance has since added members such as Google, Yubico, Apple, and NXP. Its core web component, WebAuthn, became a W3C Recommendation (an official web standard) in March 2019 and is supported by the major browsers and smartphone platforms.

FIDO specifications

There are currently three sets of specifications for simple and strong user authentication. The first generation of FIDO consisted of U2F and UAF; both use cases have since been folded into FIDO2.

FIDO U2F

FIDO U2F (Universal 2nd Factor) adds a second factor to traditional password-based online accounts: something you have (a physical security key) alongside something you know (a password). After the user enters the password, the service sends a random challenge to the browser, which forwards it to a security key plugged into a USB port (or reached over NFC or Bluetooth) and prompts the user to touch the key. The touch proves user presence; the key then signs the challenge together with the origin of the requesting site, and the service verifies that signature with the public key registered for the account. Because the key only produces signatures scoped to the site it was registered with, a phishing site that relays the challenge receives a signature it cannot use. With FIDO2, the U2F wire protocol was carried forward as CTAP1, so existing U2F keys keep working with FIDO2 clients.

FIDO UAF

FIDO UAF (Universal Authentication Framework) offers users a passwordless experience. The user registers a UAF-enabled device (for example, a smartphone) with an online service and chooses a local unlock method such as a fingerprint, facial recognition, voice recognition, or a PIN. That biometric or PIN is checked only on the device, where it unlocks the private key; it is never sent to the service. After registration, the user simply repeats the same action to authenticate, with no password involved.

FIDO2

FIDO2 is the second, and latest, generation of FIDO. It merges the second-factor use case of U2F and the passwordless use case of UAF into one set of specifications that work across browsers and platforms. There are two main parts to FIDO2:

  1. The Web Authentication API, better known as WebAuthn, a W3C standard that lets web applications ask the browser to create and use FIDO credentials on an authenticator, without the page ever touching the private key.
  2. CTAP2 (Client to Authenticator Protocol), the FIDO Alliance specification for how a client such as a browser or operating system talks to an external authenticator over USB, NFC, or Bluetooth. It extends the U2F protocol (now CTAP1) with discoverable (resident) credentials, user verification by PIN or biometric on the authenticator itself, and support for mobile phones acting as external (roaming) authenticators.

With these FIDO open standard authentication protocols, we can eliminate the need for complex passwords and the bad practices associated with them (reuse, sharing, and weak choices). Instead, users can access their online accounts with biometrics such as fingerprints or facial recognition on their own devices, or via security keys that can be plugged into a USB port or used wirelessly over NFC or Bluetooth.

As data breaches and credential phishing increase, FIDO-compliant authentication, already adopted by the biggest companies in tech, will prove more and more to be the way forward in protecting the sensitive information of online users.