- 27 Oct 2024
- 3 Minutes to read
FIDO environment
This section provides general information about the FIDO environment and its architecture, and illustrates the relevant flows.
Supported authenticators
OneSpan offers the following authenticator types:
Biometric authenticator
Application PIN authenticator
For more information on each type of authenticator, see About the FIDO authenticators.
Architecture of the FIDO environment
The FIDO environment consists of three main components: FIDO authenticators, client user applications, and back-end servers.
General FIDO architecture illustrates the general architecture of a FIDO implementation.
General FIDO architecture
User agent: the user's device (computer, smartphone etc.).
Browser/application: web-browser, desktop application, or Android/iOS application running on the user's device.
FIDO Client: implements the client-side of the FIDO UAF protocol and handles communication with UAF authenticators through the UAF Authenticator API.
Authenticator: can be embedded in the user's device or connected via some channel; is able to generate keys that are compatible with the FIDO UAF protocol.
Relying party infrastructure: hosting the relying party applications.
Relying party server: hosting relying party applications which provide different online services; these applications are typically hosted on a web server.
FIDO Server: application that implements FIDO protocols. It can be a separate application which communicates with the relying party application over HTTP or other transport protocols.
FIDO Universal Server SDK: contains the implementation of the UAF protocol. It can be included directly in the relying party application or used to implement a stand-alone application which communicates with the relying party application over HTTP or other transport protocols.
FIDO metadata service: contains metadata about authenticators, such as their attestation trust anchors and supported algorithms. The FIDO Server uses this data to validate attestations during registration and to apply policy to authenticators during UAF processes. This service is operated by the FIDO Alliance.
FIDO UAF workflows
The FIDO UAF protocol defines several key workflows for different aspects of authentication and security. The typical workflows in a FIDO implementation are:
Authenticator registration (Authenticator registration flow in a FIDO implementation)
Authentication (Authentication flow in a FIDO implementation)
Signature (Signature flow in a FIDO implementation)
Authenticator deregistration (Deregistration flow in a FIDO implementation)
Authenticator registration workflow
The registration process begins when a user initiates the registration of a new FIDO authenticator with an online service. The back-end server returns a FIDO registration request.
Note that registration is always bound to a specific user account, not to the authenticator as such: the authenticator generates a new key pair for that user and relying party.
The FIDO user application communicates with the FIDO Client to securely process the FIDO registration request and generate a FIDO registration response, including the user's public key and the attestation. The FIDO user application sends the registration response to the back-end server of the online service.
The back-end server verifies the registration response (including the attestation, checked against the FIDO metadata service), associates the public key with the user's account, and stores the relevant registration data securely. The back-end server responds to the FIDO user application to confirm the successful registration.
Authenticator registration flow in a FIDO implementation
Authentication workflow
The authentication process begins when a registered user initiates authentication with the online service. The back-end server returns a FIDO authentication request containing a fresh challenge.
The FIDO user application communicates with the FIDO Client to securely process the FIDO authentication request. After local user verification, the FIDO Client returns the authentication response. The FIDO user application sends the authentication response to the back-end server.
The back-end server verifies the authentication response, i.e. the signature over the challenge it issued, using the public key registered for the user, and reports the successful or unsuccessful authentication. Each challenge must be accepted only once, so that a captured response cannot be replayed.
Authentication flow in a FIDO implementation
Signature workflow
The transaction signature workflow is very similar to the authentication workflow. The transaction signature process begins when a user initiates a transaction. The back-end server returns a FIDO transaction authentication request that carries the transaction content to be confirmed.
The FIDO user application communicates with the FIDO Client to securely process the FIDO transaction authentication request. The transaction content is displayed to the user, and its hash is included in the signed assertion, so the signature binds what the user actually saw and confirmed. The FIDO Client returns the transaction authentication response. The FIDO user application sends the transaction authentication response to the back-end server.
The back-end server verifies the transaction authentication response against both the challenge and the transaction content it issued, and reports the successful or unsuccessful transaction authentication.
Signature flow in a FIDO implementation
Deregistration workflow
When a user wants to deregister an authenticator from a FIDO user application, they initiate a deregistration request. The back-end server creates a deregistration request, sends it to the FIDO user application, and removes the corresponding public key from the user's account. The FIDO user application passes the deregistration request to the FIDO Client, which deletes the key on the authenticator.
Deregistration flow in a FIDO implementation
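The four workflows above (registration, authentication, transaction signature, and deregistration) reduce to one challenge-response pattern: the server issues a challenge, the authenticator signs it with a key that never leaves the device, and the server verifies the signature with the public key stored at registration. The following is an added example, not code from the original page or from the OneSpan SDK; it models both sides with the Go standard library (ECDSA P-256) and makes some simplifying assumptions: attestation checking against the metadata service is omitted, local user verification is assumed to have succeeded, the signed message format SHA-256(challenge || SHA-256(transaction text)) is an illustration rather than the UAF assertion encoding, and the user account and transaction text are constructed samples.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// Server models the FIDO Server: per user, the public key registered for the
// authenticator. Attestation validation is omitted here (simplifying assumption).
type Server struct{ keys map[string]*ecdsa.PublicKey }

func NewServer() *Server { return &Server{keys: map[string]*ecdsa.PublicKey{}} }

// NewChallenge issues a fresh random challenge. A real server stores it with an
// expiry so that each challenge is consumed exactly once.
func NewChallenge() []byte {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		panic(err)
	}
	return c
}

// Register associates the authenticator's public key with the user account.
func (s *Server) Register(user string, pub *ecdsa.PublicKey) { s.keys[user] = pub }

// Deregister removes the key; later assertions from that authenticator fail.
func (s *Server) Deregister(user string) { delete(s.keys, user) }

// signedMessage is what the authenticator signs and the server verifies:
// SHA-256(challenge || SHA-256(transaction text)). For plain authentication the
// transaction text is empty; for transaction confirmation it is the text shown
// to the user, so the signature binds what the user saw. (Illustrative format.)
func signedMessage(challenge []byte, tx string) []byte {
	txHash := sha256.Sum256([]byte(tx))
	h := sha256.New()
	h.Write(challenge)
	h.Write(txHash[:])
	return h.Sum(nil)
}

// Verify checks an assertion against the key stored for the user.
func (s *Server) Verify(user string, challenge []byte, tx string, sig []byte) error {
	pub, ok := s.keys[user]
	if !ok {
		return errors.New("no registered authenticator for user")
	}
	if !ecdsa.VerifyASN1(pub, signedMessage(challenge, tx), sig) {
		return errors.New("invalid signature")
	}
	return nil
}

// Authenticator models the FIDO Client plus authenticator: the private key
// stays on the device and only signatures leave it.
type Authenticator struct{ priv *ecdsa.PrivateKey }

func NewAuthenticator() *Authenticator {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		panic(err)
	}
	return &Authenticator{priv: priv}
}

func (a *Authenticator) PublicKey() *ecdsa.PublicKey { return &a.priv.PublicKey }

// Sign produces the assertion. Local user verification (PIN or biometric) is
// assumed to have succeeded before this is called.
func (a *Authenticator) Sign(challenge []byte, tx string) []byte {
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedMessage(challenge, tx))
	if err != nil {
		panic(err)
	}
	return sig
}

// FlowResult records the outcome of each step of the walk-through.
type FlowResult struct {
	AuthOK       bool // genuine authentication accepted
	TxOK         bool // genuine transaction signature accepted
	TamperedTxOK bool // signature over "Pay 10" presented for "Pay 1000": must be false
	ReplayOK     bool // old assertion presented against a new challenge: must be false
	AfterDeregOK bool // authentication after deregistration: must be false
}

// RunFlows walks one constructed user through registration, authentication,
// transaction signing and deregistration, including the checks a server must not skip.
func RunFlows() FlowResult {
	srv, auth := NewServer(), NewAuthenticator()
	user := "alice" // constructed sample account
	srv.Register(user, auth.PublicKey()) // registration: public key bound to the account

	c1 := NewChallenge() // authentication: challenge out, assertion back, verify
	a1 := auth.Sign(c1, "")
	r := FlowResult{AuthOK: srv.Verify(user, c1, "", a1) == nil}

	c2 := NewChallenge() // transaction signature: displayed text is part of the signed data
	tx := "Pay 10 EUR to account NL00TEST0123456789" // constructed sample
	a2 := auth.Sign(c2, tx)
	r.TxOK = srv.Verify(user, c2, tx, a2) == nil
	r.TamperedTxOK = srv.Verify(user, c2, "Pay 1000 EUR to account NL00TEST0123456789", a2) == nil

	r.ReplayOK = srv.Verify(user, NewChallenge(), "", a1) == nil // replay against a new challenge

	srv.Deregister(user) // deregistration: even a freshly signed assertion is now rejected
	c3 := NewChallenge()
	r.AfterDeregOK = srv.Verify(user, c3, "", auth.Sign(c3, "")) == nil
	return r
}

func main() { fmt.Printf("%+v\n", RunFlows()) }
```

Running it prints the five outcomes; only the two genuine assertions are accepted. The tampered-transaction and replay cases show why the server must verify against the exact challenge and transaction content it issued rather than trusting fields echoed back by the client.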