The post White Paper: High Assurance Enterprise FIDO Authentication appeared first on FIDO Alliance.

The post White Paper: FIDO Authentication for Moderate Assurance Use Cases appeared first on FIDO Alliance.

The post White Paper: Replacing Password-Only Authentication with Passkeys in the Enterprise appeared first on FIDO Alliance.

The post White Paper: Introduction: Deploying Passkeys in the Enterprise appeared first on FIDO Alliance.

This white paper is aimed at governmental agencies that are interested in using FIDO for the EUDI Wallet according to the eIDAS2 regulation. The intended readers are project managers, technical experts, and developers.

The post White Paper: Using FIDO for the EUDI Wallet appeared first on FIDO Alliance.

Enterprises and governments around the globe are turning to modern online authentication solutions featuring FIDO specifications based on public key cryptography. Governments and industries have embraced FIDO as the preferred way to deliver high-assurance MFA to consumers. Notably, the Cybersecurity & Infrastructure Security Agency (CISA), a component of the U.S. Department of Homeland Security (DHS), refers to FIDO security keys as the gold standard of MFA¹. 

Several governments globally have deployed and/or supported FIDO authentication for citizens to securely conduct government transactions, including making tax payments and applying for and accessing government benefits. Governments leveraging FIDO authentication solutions have realized reduced operational costs and increased consumer satisfaction.

This white paper provides guidance for policymakers and department/agency heads seeking to learn about FIDO authentication to support or deploy FIDO for e-government services.

The post White Paper: FIDO for e-Government Services appeared first on FIDO Alliance.

This white paper is intended for information security executives, product owners, identity and access management, attorneys, accessibility practitioners, and others who are considering deploying FIDO Authenticators across their enterprises. This white paper may also help hardware manufacturers identify opportunities to deliver more accessible external authenticators. 

The post White Paper:  Guidance for Making FIDO Deployments Accessible to Users with Disabilities  appeared first on FIDO Alliance.

The post White Paper: FIDO Authentication in Digital Payment Security appeared first on FIDO Alliance.

In this paper, we explain how FIDO and WebAuthn standards previously enabled low-cost deployments of authentication mechanisms with very high assurance levels. While this has proved an attractive alternative to traditional smart card authentication, and even opened the door to high-assurance authentication in the consumer space, we haven’t attained large-scale adoption of FIDO-based authentication in the consumer space. We explain how the introduction of multi-device FIDO credentials will enable FIDO technology to supplant passwords for many consumer use cases as they make the FIDO credentials available to users whenever they need them—even if they replace their device.

The post White Paper: Multi-Device FIDO Credentials appeared first on FIDO Alliance.

Secure access to online applications and services has evolved into a framework reliant on devices, public-key cryptography, and biometrics to replace the shared secrets of aging passwords. Since 2013, the FIDO Alliance has developed open and scalable advancements to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, the FIDO Alliance has established a series of best practices and how-to white papers that align the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within the enterprise. 

This white paper is intended for IT administrators and Enterprise Security Architects who are considering deploying FIDO Authenticators across their enterprise and defining life cycle management policies. In this paper, we provide an overview of the different use cases for multi-factor authentication and the FIDO Authenticator choices administrators have. The intent is to help and guide administrators in choosing the right authenticator types for their specific environment.

The post White Paper: Choosing FIDO Authenticators for Enterprise Use Cases  appeared first on FIDO Alliance.

This white paper is intended for IT administrators and enterprise security architects who are considering deploying FIDO Authenticators across their enterprises and defining life cycle management policies. In this paper, we provide an overview of the different use cases for multi-factor authentication and the FIDO Authenticator choices administrators have. The intent is to help and guide administrators in choosing the right authenticator types for their specific environment.

The post White Paper: Choosing FIDO Authenticators for Enterprise Use Cases appeared first on FIDO Alliance.

This white paper targets IT administrators and Enterprise Security Architects considering deploying FIDO Authenticators across their enterprises and defining lifecycle management policies.

The post White Paper: FIDO Authenticator Lifecycle Management for IT Administrators appeared first on FIDO Alliance.

Today, this onboarding process is usually done manually by a technician – a process that is slow, expensive, and insecure. Industry sources have said that it is not uncommon for the cost of installation and setup to exceed the cost of the device itself. Although multiple companies have worked to automate the onboarding process, there wasn’t a widely accepted industry standard. Also, many proprietary solutions that do exist require that the end customer be known at the time of the device manufacture so that the device can be pre-configured. This creates friction and cost in the supply chain. 

The FIDO Alliance stepped up in the summer of 2019 to address this industry challenge. With its broad membership of leading cloud service providers, semiconductor companies and security companies, the Alliance is well positioned to bring together those that create and supply the technologies in the IoT ecosystem. The FIDO Alliance formed its IoT Technical Working Group (IoT TWG) with these stakeholders to define a new standard for automated, secure IoT onboarding. Less than 2 years after the working group formed, the FIDO Alliance is now releasing to the industry the FIDO Device Onboarding (FDO) specification.

Read the paper for a full introduction to FDO.

The post FIDO Device Onboard: A Specification for Automated, Secure IoT Provisioning Technology appeared first on FIDO Alliance.

The authentication of consumers during remote transactions has undeniable benefits in terms of security and approval rates but raises concerns of transactions being abandoned by consumers, as those consumers are not always able to authenticate properly to their banks.

Merchants and wallet providers have an existing relationship with consumers, and there is an opportunity to leverage authentication mechanisms established during that relationship to authenticate to remote transactions as a delegation of the bank’s authentication.

This white paper reviews the different authentication mechanisms that can be used by merchants or wallet providers in the context of Strong Customer Authentication (SCA) Delegation and explains why FIDO is best positioned to meet the requirements from regulatory authorities, banks, merchants, or wallet providers.

The post White Paper: FIDO for SCA Delegation to Merchants or Wallet Providers appeared first on FIDO Alliance.

Today, secure access to online applications and services has evolved into a model based on devices, public key cryptography and biometrics to replace the anachronistic use of passwords as shared secrets. Since 2013, the FIDO Alliance has developed open and scalable advancements to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, FIDO Alliance has developed a series of best practices and how-to white papers that match the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within all companies. 

A FIDO server is a necessary component in a FIDO implementation. The FIDO server stores the user’s public key credential and account information. During a FIDO Authentication or registration flow, the server generates a cryptographic challenge in response to a request from the application. The server then verifies the signature provided by the client using the server’s corresponding public key, and logs the user in. 

This white paper is intended for IT professionals and identity architects to guide them in choosing the right FIDO server implementation and deployment architecture when integrating and enabling FIDO-based authentication in enterprise applications. Enterprises must consider several factors in their planning to select and deploy a FIDO server, including build vs. buy assessment (and the risks and benefits associated with each), the desired deployment model, the required server capabilities, and the security and privacy requirements. 

The post White Paper: Considerations for Deploying FIDO Servers in the Enterprise appeared first on FIDO Alliance.

Today, secure access to online applications and services has evolved into a framework reliant on devices, public key cryptography and biometrics to replace the shared secrets of aging passwords. Since 2013, the FIDO Alliance has developed and advanced open and scalable standards to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, FIDO Alliance has developed a series of best practices and how-to white papers that match the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within all companies. 

Enterprises that accept FIDO credentials are participating in a digital credential exchange. This white paper is intended for CISOs and IT professionals who are considering deploying FIDO across their enterprise. In this paper, we provide a high-level overview of the most common digital exchange – the authentication exchange. We will examine the participants, protocols, and decisions that enterprises must make regarding the creation, management, and usage of FIDO credentials. 

The post White Paper: Accepting FIDO Credentials in the Enterprise appeared first on FIDO Alliance.

This document focuses on the role of the merchant as the FIDO or WebAuthn relying party and defines the methods for the merchant to leverage EMV 3DS as the conduit to report FIDO Authentication Data to the issuing bank. This data, along with the other transaction details sent using EMV 3DS messaging via the 3DS Authentication Request message, can help ensure minimized friction through risk-based authentication at the time of online payment. Although the resultant assurance level is reduced using this method, as opposed to an issuer-managed credential, and it will need to be viewed within the context of the entire EMV 3DS message, it can provide an approach that can be more easily deployed at scale than issuer-managed FIDO Authentication methods. 

The post Technical Note: FIDO Authentication and EMV 3-D Secure – Using FIDO for Payment Authentication appeared first on FIDO Alliance.

Besides generic session authentication, there is an increasing need to gather explicit user consent for a specific action, i.e. “Transaction Confirmation”. Transaction Confirmation allows a relying party to not only determine if a user is involved in a transaction, but also confirm that the transaction is what the user actually intended – for example, whether they intended to pay $1000 to company X for purchasing product Y, or whether they consent to have specific data shared with another party, such as test results with a doctor.

This paper provides an overview on Transaction Confirmation and the drivers for its support including: regulatory requirements (PSD2, eIDAS); addressing friendly and mobile fraud; and to enable online binding agreements. It explains current approaches for Transaction Confirmation, including through FIDO protocols for native applications, and the value of adding support for it directly in web browsers. It concludes with a call for feedback from relying parties on whether they would like to see Transaction Confirmation should be supported directly in web browsers.

The post White Paper: FIDO Transaction Confirmation appeared first on FIDO Alliance.

Today, secure access to online applications and services has evolved into a framework reliant on devices, public key cryptography and biometrics to replace the shared secrets of aging passwords. Since 2013, the FIDO Alliance has developed open and scalable advancements to eliminate phishing and other security attacks. To introduce these improvements and to educate employees throughout corporate management and IT security, FIDO Alliance has developed a series of best practices and how-to white papers that match the Alliance’s goals with the responsibilities and titles of technology professionals. This work is dedicated to eliminating passwords and securing the simple act of logging on within all companies. 

This white paper answers the most common questions from CXOs about the value proposition of FIDO Authentication and how the FIDO2 passwordless framework addresses the authentication needs and challenges of companies for the modern workforce. The goal of this document is to guide executive leaders within an organization as to why they should invest in FIDO2 deployment for their employees. 

The post White Paper: CXO Explanation: Why Use FIDO for Passwordless Employee Logins? appeared first on FIDO Alliance.

When a service deploys FIDO Authentication, it must have a secure account recovery process to address lost, damaged or stolen FIDO authenticators. A previous FIDO Alliance white paper, Recommended Account Recovery Practices for FIDO Relying Parties, recommends two strategies:

1. Require the user to register multiple authenticators, to reduce the need for account recovery; 

if #1 is not feasible:

2. Re-run the initial identity proofing or user onboarding process to recover the account.

The first strategy, to require multiple authenticators, plays a very important role for FIDO-enabled consumer-facing accounts where the number of account recovery options can be limited. This includes scenarios where the password has been disabled after FIDO credentials are registered, or where passwords and FIDO credentials are registered for two-step authentication. 

This paper focuses on the first strategy and provides guidance on how to deploy FIDO Authentication with multiple authenticators. It discusses how to register new authenticators bound to an already-registered authenticator, security considerations, coverage/authenticator options, usability, and policy, based on FIDO-enabled browsers and platforms. It provides recommendations for registration methods and policy examples for deploying the solution.

The post White Paper: Multiple Authenticators for Reducing Account-Recovery Needs for FIDO-Enabled Consumer Accounts appeared first on FIDO Alliance.

Banks in Europe have deployed customer authentication solutions for several years. These solutions have served their purpose well and enabled customers to safely log in to their bank accounts. In the world of e-commerce, these solutions, when used, have been successful in combatting online payment fraud. 

The Second Payment Services Directive (PSD2) and its associated Regulatory Technical Standards (RTS) dramatically change the payment landscape, considering:

• The mandate for strong, multi-factor authentication, 
• The emergence of Third Party Providers (TPP) accessing accounts via open APIs

The success of PSD2 will ultimately be determined by how well banks can balance user convenience with security obligations, while maximizing reach. As such, they may want to evaluate how well their legacy authentication solutions meet this new need. 

FIDO authentication standards have been proposed as a way for banks to meet all requirements in a PSD2 world — but is the change from a legacy method to FIDO worthwhile? This paper proposes guidance to banks to help them decide. 

The paper describes FIDO Authentication standards and compares it with legacy authentication methods used to access an account or secure an online payment. The methods compared are SMS OTPs, hardware OTP generators, CAP readers, and proprietary smartphone and biometrics-based solutions in terms of PSD2 compliance, security, usability and scalability. Ultimately, the paper answers the question: Why change to FIDO?

The post White Paper: PSD2 Support: Why Change to FIDO appeared first on FIDO Alliance.

eIDAS stands for “electronic identification, authentication and trust services” It builds the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States.

This introductory white paper describes the relationship between FIDO2 standards and eIDAS compliant schemes that can accommodate modern authentication protocols. The paper includes:

• An introduction to eIDAS
• An overview on how to use FIDO as part of an eID scheme
• An overview on using FIDO2 for authentication to Qualified Trust Service Providers (QTSPs)

This paper is intended for governmental agencies that are interested in using FIDO2 as part of an eIDAS notified eID scheme, and QTSPs who are interested in deploying eIDAS remote signing services that leverage the FIDO2 standard.

For details, including architectural concepts for integration of FIDO2 into the eIDAS interoperability framework, please read the complementary white paper, “Using FIDO with eIDAS Services.”

The post White Paper: Introduction of FIDO & eIDAS Services appeared first on FIDO Alliance.

eIDAS stands for “electronic identification, authentication and trust services” It builds the legal basis for cross-border interoperability of electronic identification, authentication, and electronic signatures amongst EU Member States.

This white paper describes how to use FIDO2 standards with eIDAS compliant schemes and Qualified Trust Service Providers (QTSPs), including architectural concepts for integration of FIDO2 into the eIDAS interoperability framework. The paper includes: 

• An introduction to eIDAS
• Detailed information on how FIDO as part of an eID scheme
• Detailed information on how to use FIDO2 for secured access to QTSPs

This paper is intended for governmental agencies that are interested in using FIDO2 as part of an eIDAS notified eID scheme, and QTSPs who are interested in deploying eIDAS remote signing services that leverage the FIDO2 standard.

For introductory level information on the relationship between FIDO and eIDAS, please read the complementary white paper, “Introduction to FIDO and eIDAS.”

The post White Paper: Using FIDO with eIDAS Services appeared first on FIDO Alliance.

This white paper is aimed at enterprises and government agencies looking to expand their authentication capabilities to include FIDO technology, and have FIDO work in conjunction with other authentication systems such as a Public Key Infrastructure (PKI), Kerberos, and Lightweight Directory Access Protocol (LDAP) that may be in place at the organization.  This document specifically focuses on the use and coexistence of FIDO with a PKI, and answers the following questions:

• How can FIDO protocols deliver new and/or enhanced business benefits to the enterprise?
• Which enterprise applications (and application layer protocols) can use PKI?
• Can FIDO be used to provide similar services as PKI for applications that use or can use public key cryptography?
• Which enterprise security needs and security threats are best addressed using FIDO?
• How can an expanded public-key cryptographic system incorporating PKI and FIDO benefit an enterprise?
• What are the business implications for adding FIDO technology within an enterprise that already operates other authentication systems?

This document covers enterprise and government use cases. Consumer use cases are not in the scope of the whitepaper.

The post White Paper: FIDO and PKI Integration in the Enterprise appeared first on FIDO Alliance.

The post Recommended Account Recovery Practices for FIDO Relying Parties appeared first on FIDO Alliance.

The document analyses articles in the following relevant sections of the RTS:

• [RTS Chapter I] General provisions
• [RTS Chapter II] Security measures for the application of Strong Customer Authentication
• [RTS Chapter IV] Confidentiality and integrity of the Payment Service User’s security credentials

The post How FIDO Standards Meet PSD2’s Regulatory Technical Standards Requirements On Strong Customer Authentication appeared first on FIDO Alliance.

This white paper is aimed at enterprises deploying FIDO for strong authentication. It is intended to provide guidance to architects and developers on how to integrate FIDO authentication and existing federation protocols, namely SAML and OpenID Connect.

It is assumed that the reader has an understanding of FIDO architecture and protocols.

The post White Paper: Enterprise Adoption Best Practices – Integrating FIDO & Federation Protocols appeared first on FIDO Alliance.

The post White Paper: FIDO UAF and PKI in Asia – Case Study and Recommendations appeared first on FIDO Alliance.

When PSD2 is deployed in Europe, users will be able to take advantage of services offered by Third Party Providers (TPPs) to trigger payments or to view account information. These users will typically start interacting on the TPP’s user interface. However, at the point when a TPP will request from an Account Servicing Payment Service Provider (ASPSP) access to a user’s account(s), the PSD2 Regulatory Technical Standards (RTS) for Strong Customer Authentication (SCA) require that the user be strongly authenticated by the ASPSP and demonstrate that he/she has provided consent for the operation that the TPP is requesting to execute.

The Strong Customer Authentication requirement introduces challenges in the customer experience as there are no longer just two parties involved, the user and its bank, but three: The end user journey starts and ends on the TPP’s user interface.

TPPs will interface with the ASPSPs via open APIs. A number of standardization bodies have released drafts of such Open APIs, for example, the Open Banking Implementation Entity (OBIE) in the UK, STET in France and the Berlin Group for various European countries.

These specifications describe how Strong Customer Authentication should be implemented and several models have been defined, if not (yet) fully specified: the redirection, decoupled and embedded models. At the time of this paper’s release, a potential delegated model is also being discussed. These models vary in the way the user interacts with the TPP and the ASPSP and have a deep impact on both the user experience and the security of the user’s financial accounts.

This paper examines the advantages and drawbacks of the different SCA compliant authentication models and outlines how FIDO compliant solutions deliver the best user experience in any of these models, in a way that meets the needs of TPPs and ASPSPs.

The post White Paper: FIDO & PSD2 – Providing for a Satisfactory Customer Journey appeared first on FIDO Alliance.

The post FAQ on FIDO Relevance for the GDPR appeared first on FIDO Alliance.

This paper introduces the details of a hardware-backed Keystore authenticators (HKA) implementation approach, based on the first commercial deployment. It takes advantage of secure Android Keystore with key attestation and fingerprint sensors in hardware on standard off-the-shelf Android 8.0 or later mobile devices. Since it is enabled only by Android applications, any RPs and application developers can develop their own secure FIDO UAF 1.1 authenticators.

The post White Paper: Hardware-backed Keystore Authenticators (HKA) on Android 8.0 or Later Mobile Devices appeared first on FIDO Alliance.

The post White Paper: FIDO Authentication and the General Data Protection Regulation appeared first on FIDO Alliance.

The post White Paper: Enterprise Adoption Best Practices – Managing FIDO Credential Lifecycle for Enterprises appeared first on FIDO Alliance.

The post FIDO & PSD2: Meeting the needs for Strong Consumer Authentication appeared first on FIDO Alliance.

The post White Paper: Korean FIDO Deployment Case Study- Accredited Certification System for Safe Usage of Accredited Certificate using FIDO in Smartphone in Korea (K-FIDO) appeared first on FIDO Alliance.

The post FIDO Alliance Letter Regarding Payment Services Directive 2 appeared first on FIDO Alliance.

FIDO White Papers & Public Documents

• FIDO Privacy Principles Policy (October 2020): This paper describes the privacy-preserving principles that are a core part of the FIDO Alliance’s technologies, and explains how they reinforce the FIDO Alliance’s approach to strong authentication.
• FAQ on FIDO relevance for the GDPR (September 2018): This document provides answers to questions on authentication, user consent, use of biometrics…in the context of the European General Data Protection Regulation. It shows how FIDO authentication can help service providers comply with the regulation.
• FIDO Alliance White Paper: Hardware-backed Keystore Authenticators (HKA) on Android 8.0 or Later Mobile Devices – Enabling Any Relying Parties to Create FIDO UAF (1.1 or later) Client Apps (June 2018): This paper introduces the details of a hardware-backed Keystore authenticators (HKA) implementation approach, based on the first commercial deployment. It takes advantage of secure Android Keystore with key attestation and fingerprint sensors in hardware on standard off-the-shelf Android 8.0 or later mobile devices. Since it is enabled only by Android applications, any RPs and application developers can develop their own secure FIDO UAF 1.1 authenticators.
• FIDO Alliance White Paper: FIDO Authentication and the General Data Protection Regulation (GDPR) (May 2018): This white paper explores three key areas of the EU’s General Data Protection Regulation that deal with authentication, including exploring how FIDO uniquely solves these issues.
• FIDO Alliance White Paper: Enterprise Adoption Best Practices – Managing FIDO Credential Lifecycle for Enterprises (April 2018): This white paper provides guidance to IT and Security professionals on how manage FIDO authentication credentials throughout their full lifecycle­.
• FIDO Alliance and Asia PKI Consortium White Paper: FIDO UAF and PKI in Asia – Case Study and Recommendations (April 2018): This paper depicts three possible scenarios for integrating FIDO UAF and PKI in Asian countries, along with recommendations for how the two technologies can work together to bring innovation to the authentication marketplace and to pave the way for deploying better authentication solutions to the public.
• FIDO Alliance White Paper: FIDO & PSD2 – Providing for a Satisfactory Customer Journey (September 2018): This white paper examines the different authentication models that could apply within the interactions of a Third Party Provider and an Account Servicing Payment Service Provider. It proposes the FIDO standards as a solution to simplify the user experience, for any of these models, in a way that meets the Strong Customer Authentication requirements of PSD2.

• FIDO Alliance White Paper: Enterprise Adoption Best Practices – Integrating FIDO & Federation Protocols (December 2017): This white paper outlines how the FIDO standards compliment federation protocols. It also provides guidelines on how to integrate the two in order to add support for FIDO-based MFA  and replace or supplement traditional authentication methods in federation environments.
• Javelin Strategy & Research’s 2017 State of Authentication Report (October 2017): This report, sponsored by FIDO Alliance, analyzes the state of customer and enterprise (employee) authentication amongst U.S. businesses. It examines how strong authentication is evolving, and offers a detailed breakdown on the factors influencing industries’ adoption of authentication solutions.
• FIDO Alliance White Paper: Korean FIDO Deployment Case Study- Accredited Certification System for Safe Usage of Accredited Certificate using FIDO in Smartphone in Korea (K-FIDO) (September 2017): This case study describes a Korean deployment that combines the FIDO UAF specification and PKI to enable authentication, identify verification and interoperability among various Fintech services for increased user convenience.
• FIDO & PSD2: Meeting the needs for Strong Consumer Authentication (September 2017): This white paper outlines how the FIDO standards can facilitate the implementation of the new disruptive PSD2 regulation with user-friendly secure solutions.
• FIDO Alliance Letter Regarding Payment Services Directive 2 (August 2017):  FIDO Alliance’s letter to European Commission and European Parliament on whether screen scraping should be allowed as a fallback option under PSD2
• FIDO Alliance White Paper: Leveraging FIDO Standards to Extend the PKI Security Model in United States Government Agencies (March 2017)
• Response to the European Banking Authority (EBA) Discussion Paper on Future Draft Regulatory Technical Standards on Strong Customer Authentication and Secure Communication Under the Revised Payment Services Directive (PSD2) (Feb 2016)
• FIDO Alliance White Paper: FIDO UAF Metadata Service (Feb 2016)
• FIDO Alliance White Paper: Bluetooth & NFC Transport for FIDO U2F (July 2015)
• The FIDO Alliance Whitepaper on FIDO 1.0 Final Specifications: This whitepaper explores the background of FIDO authentication: the needs, benefits and early deployments (Dec 2014).

The post White Papers appeared first on FIDO Alliance.

The post Whitepaper on FIDO 1.0 Final Specifications appeared first on FIDO Alliance.