- 03 Dec 2024
- 3 Minutes to read
- DarkLight
- PDF
FIDO environment
- Updated on 03 Dec 2024
- 3 Minutes to read
- DarkLight
- PDF
This section provides provide general information about the FIDO environment and architecture, and illustrations about the relevant flows.
Supported authenticators
OneSpan offers the following authenticator types:
Biometric authenticator
Application PIN authenticator
For more information on each type of authenticator, see About the FIDO authenticators.
Architecture of the FIDO environment
The FIDO environment consists of three main components: FIDO authenticators, client user applications, and back-end servers.
General FIDO architecture illustrates the general architecture of a FIDO implementation.
General FIDO architecture
User agent: the user's device (computer, smartphone etc.).
Browser/application: web-browser, desktop application, or Android/iOS application running on the user's device.
FIDO Client: implements the client-side of the FIDO UAF protocol and handles communication with UAF authenticators through the UAF Authenticator API.
Authenticator: can be embedded in the user's device or connected via some channel; is able to generate keys that are compatible with the FIDO UAF protocol.
Relying party infrastructure: hosting the relying party applications.
Relying party server: hosting relying party applications which provide different online services; these applications are typically hosted on a web server.
FIDO Server: application that implements FIDO protocols. It can be a separate application which communicates with the relying party application over HTTP or other transport protocols.
FIDO Universal Server SDK: contains the implementation of the UAF protocol. It can be included directly in the relying party application or used to implement a stand-alone application which communicates with the relying party application over HTTP or other transport protocols.
FIDO metadata service: contains data about authenticators. Data from this service may be used by the FIDO protocols to access authenticator data and use it when performing UAF processes. This service is exposed by the FIDO Alliance.
FIDO UAF workflows
The FIDO UAF protocol defines several key workflows for different aspects of authentication and security. The typical workflows in a FIDO implementation are:
Authenticator registration (Authenticator registration flow in a FIDO implementation)
Authentication (Authentication flow in a FIDO implementation)
Signature (Signature flow in a FIDO implementation)
Authenticator deregistration (Deregistration flow in a FIDO implementation)
User registration workflow
The registration process begins when a user initiates the registration of a new FIDO authenticator with an online service.
The registration is for a specific user, not for an authenticator!
The FIDO user application communicates with FIDO Client to securely process the FIDO registration message and generate a FIDO registration response, including the user's public key and attestation The FIDO user application sends a registration response to the back-end server of the online service.
The back end server processes the registration response, associates the public key with the user's account, and stores relevant registration data securely. The back-end server responds to the FIDO user application to confirm the successful registration.
Authenticator registration flow in a FIDO implementation
Authentication workflow
The authentication process begins when a user initiates the authentication of a FIDO registered user. The back-end server returns a FIDO authentication request.
The FIDO user application communicates with FIDO Client to securely process the FIDO authentication request. The FIDO Client returns the authentication response. The FIDO user application sends the authentication response to the back-end server.
The back-end server processes the authentication response result to confirm the successful or unsuccessful authentication.
Authentication flow in a FIDO implementation
Signature workflow
The transaction signature workflow is very similar to the authentication workflow. The transaction signature process begins when a user initiates a transaction. The back-end server returns a FIDO transaction authentication request.
The FIDO user application communicates with FIDO Client to securely process the FIDO transaction authentication request. The FIDO Client returns the transaction authentication response. The FIDO user application sends the transaction authentication response to the back-end server.
The back-end server processes the transaction authentication response result to confirm the successful or unsuccessful transaction authentication.
Signature flow in a FIDO implementation
Deregistration workflow
When a user wants to deregister an authenticator from a FIDO user application, they initiate a deregistration request. The back-end server creates and sends a deregistration request to the FIDO user application. The FIDO user application sends the deregistration request to the FIDO Client to process.
Deregistration flow in a FIDO implementation