“Together with WebAuthn, [FIDO’s Client to Authenticator Protocol] allows for authentication frameworks in which biometrics or hardware keys can be used to sign into web services directly through the browser, such as scanner your fingerprint on your phone to log into your bank account on your laptop.”
With FIDO2 having generated a ton of interest at the recent RSA conference, FIDO Alliance marketing director Andrew Shikiar is offering some detailed clarification of exactly what it is with a new post on FIDO’s website.
FIDO2 essentially comprises two standards. The one that has grabbed the most headlines is WebAuthn, the product of a collaboration between the FIDO Alliance and W3C, the web’s main standards body. WebAuthn lays out a standard API that developers can use to enable FIDO-based authentication directly within their browser. Google, Mozilla, and Microsoft have all committed to incorporating this kind of authentication into their popular web browsers, which could dramatically improve security for a huge swath of end users around the world.
The other FIDO2 standard is its Client to Authenticator Protocol, or CTAP. This allows external devices such as smartphones or USB security keys to communicate authentication credentials to PCs via Bluetooth, NFC, or USB. Together with WebAuthn, this allows for authentication frameworks in which biometrics or hardware keys can be used to sign into web services directly through the browser, such as scanner your fingerprint on your phone to log into your bank account on your laptop.
This all adds up to a big step forward in online security, and so it’s understandable that the week of RSA, when FIDO2 was launched, culminated in what Shikiar says was “a standing-room-only session” on the standards led by representatives from Google, Microsoft, and FIDO Alliance executive director Brett McDowell. And FIDO is promising further information on its big new standards package with a webinar on the topic scheduled for May 16th, for which it’s fair to expect substantial interest.