#authentication #passwordless #security

idea

FIDO authentication is a set of open protocols that use secure key stores on devices owned by the user, together with public-key cryptography, to authenticate users without a password.

Authentication starts with the user authenticating locally to the device, possibly with biometrics or another hardware-based verification such as a physical token. The device then generates a key pair, and the public key is registered with the site for that user. When logging in, the site issues a challenge; the device signs it with the private key (after local user verification), and the site checks the signature against the registered public key, so the device's own protection is what signs the person in.[1]

sequenceDiagram

participant user
participant device
participant site

alt registration
  user ->> site: register
  site ->> device: get key
  device ->> user: please auth
  user ->> device: auth
  device ->> device: generate passkey
  device ->> site: public key
  site ->> user: done
end

alt login
  user ->> site: login
  site ->> device: validate creds
  device ->> user: sign in using biometrics
  user ->> device: biometric auth
  device ->> site: validate creds using PK
  site ->> user: welcome
end

In this context, each credential registered to the user on one of their devices is referred to as a passkey.[2] The idea is that the credential used when authenticating is synchronized between devices by the credential provider (e.g. iPhone -> Mac), which is handled by the OS itself (unless they are "single-device passkeys").

Passkeys are supported by Apple, Google and Microsoft, as well as by FIDO security keys.

To sign in across devices (e.g. sign up from Android and sign in from Windows), the sign-in is requested from an existing device (Android) and the new device then acquires the passkey; this uses Bluetooth Low Energy (BLE) to establish physical proximity between the two devices.

The concept of a passkey itself embeds MFA: users need possession of a device (first factor) and a second factor such as a fingerprint or PIN.

To switch to a new device on a new platform without access to the old device, the RP needs to implement a standard account recovery flow.

implementation

terminology

A service relying on a passkey is called the Relying Party (RP).

The secure component handling authentication in a device is called the authenticator.

W3C WebAuthn defines a standard web API built into browsers and OSs to enable FIDO authentication.[3]

links

references

[1]: FIDO Alliance / How FIDO works

[2]: FIDO Alliance / Passkeys (Passkey Authentication) (fidoalliance.org)

[3]: W3C / Web Authentication: An API for accessing Public Key Credentials Level 1 (w3.org)

[4]: Demo of WebAuthn: WebAuthn.io

SimpleWebAuthn, a library to implement WebAuthn in TS/JS: GitHub - MasterKale/SimpleWebAuthn ("WebAuthn, Simplified. A collection of TypeScript-first libraries for simpler WebAuthn integration. Supports modern browsers and Node.")