The FIDO UAF protocol lets users authenticate to online services without a password. The initial use case for the UAF protocol is for the user to register an authenticator on their device with the FIDO Server for a given application. During registration, the user is prompted to enter the password for their account with the relying party. After this registration, the user authenticates with the previously registered authenticator instead of the account password. The UAF protocol also provides a transaction confirmation mechanism: if the authenticator is capable of displaying transaction text, the user can be prompted to confirm a specific transaction.
If required, it is also possible to deregister previously registered authenticators. This applies, for example, when the user wants to delete their account with the relying party, which in turn can trigger the key deletion on the FIDO Server.
The FIDO UAF SDK contains a set of modules to perform UAF processes like registration, authentication, deregistration of keys, and transaction confirmation. It is designed to expose an easy-to-use API that can be used to generate and process UAF requests and responses.
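The lifecycle described above (register once with the account password, then authenticate by answering server challenges with the registered key, confirm transactions, and finally deregister) is shown below as an added, simplified Go model. This is example code written for this page, not the SDK's own code and not the UAF wire format: real UAF messages carry their own structured request/response encoding, authenticator attestation and facet checks, none of which is modelled here. The `Authenticator`, `Server` and `RunLifecycle` names, the P-256/ECDSA key type, the `https://bank.example` app ID, the user `alice` and her legacy password are all constructed for the example. It goes slightly beyond the text by also showing what the challenge/response design buys: a replayed response and a transaction text altered between device and server are both rejected.

```go
package main

import (
	"bytes"
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"errors"
	"fmt"
)

// signedDigest binds a response to the app ID, the server challenge and, for transaction
// confirmation, the text shown to the user (a simplified stand-in, not the UAF wire format).
func signedDigest(appID string, challenge []byte, txText string) []byte {
	sum := sha256.Sum256([]byte(appID + "\x00" + string(challenge) + "\x00" + txText))
	return sum[:]
}

// Authenticator is a constructed stand-in for a UAF authenticator: one key pair per app ID.
type Authenticator struct{ keys map[string]*ecdsa.PrivateKey }

// Register generates a fresh key pair; only the public half ever leaves the device.
func (a *Authenticator) Register(appID string) (*ecdsa.PublicKey, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	if err != nil {
		return nil, err
	}
	a.keys[appID] = priv
	return &priv.PublicKey, nil
}

// Sign answers a challenge; txText is empty for plain authentication.
func (a *Authenticator) Sign(appID string, challenge []byte, txText string) ([]byte, error) {
	priv, ok := a.keys[appID]
	if !ok {
		return nil, errors.New("no key registered for this app")
	}
	return ecdsa.SignASN1(rand.Reader, priv, signedDigest(appID, challenge, txText))
}

// Server models the FIDO Server side: registered public keys and single-use challenges.
type Server struct {
	appID      string
	passwords  map[string]string           // legacy credential, needed only at registration
	keys       map[string]*ecdsa.PublicKey // user -> registered authenticator public key
	challenges map[string][]byte           // user -> outstanding challenge
}

// Register binds pub to user; this is the one step that still asks for the account password.
func (s *Server) Register(user, password string, pub *ecdsa.PublicKey) error {
	if pw, ok := s.passwords[user]; !ok || pw != password {
		return errors.New("registration refused: bad password")
	}
	s.keys[user] = pub
	return nil
}

// NewChallenge issues a random challenge that is valid for exactly one response.
func (s *Server) NewChallenge(user string) ([]byte, error) {
	if _, ok := s.keys[user]; !ok {
		return nil, errors.New("no authenticator registered for user")
	}
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[user] = c
	return c, nil
}

// Verify consumes the outstanding challenge first (so a replayed response fails even with a
// valid signature), then checks the signature against the registered key and expected text.
func (s *Server) Verify(user string, challenge []byte, txText string, sig []byte) error {
	pub, ok := s.keys[user]
	issued, had := s.challenges[user]
	delete(s.challenges, user)
	if !ok || !had || !bytes.Equal(issued, challenge) {
		return errors.New("no registered key, or unknown / already used challenge")
	}
	if !ecdsa.VerifyASN1(pub, signedDigest(s.appID, challenge, txText), sig) {
		return errors.New("signature invalid")
	}
	return nil
}

// Deregistration on both sides: the server forgets the public key, the device destroys the private key.
func (s *Server) Deregister(user string)        { delete(s.keys, user); delete(s.challenges, user) }
func (a *Authenticator) Deregister(appID string) { delete(a.keys, appID) }

// RunLifecycle walks register -> authenticate -> replay -> transaction confirmation -> deregister
// and reports, per step, whether the server accepted it.
func RunLifecycle() (map[string]bool, error) {
	const appID, user = "https://bank.example", "alice" // constructed sample values
	auth := &Authenticator{keys: map[string]*ecdsa.PrivateKey{}}
	srv := &Server{appID: appID, passwords: map[string]string{user: "correct horse"},
		keys: map[string]*ecdsa.PublicKey{}, challenges: map[string][]byte{}}
	res := map[string]bool{}
	pub, err := auth.Register(appID)
	if err != nil {
		return nil, err
	}
	res["register_wrong_password"] = srv.Register(user, "guess", pub) == nil
	res["register"] = srv.Register(user, "correct horse", pub) == nil
	// Password-less authentication, then an attempt to replay the identical response.
	ch, _ := srv.NewChallenge(user)
	sig, _ := auth.Sign(appID, ch, "")
	res["authenticate"] = srv.Verify(user, ch, "", sig) == nil
	res["replay"] = srv.Verify(user, ch, "", sig) == nil
	// Transaction confirmation: the signature covers the text the user saw, so a transaction
	// altered between device and server does not verify.
	ch, _ = srv.NewChallenge(user)
	sig, _ = auth.Sign(appID, ch, "Pay 100 EUR to Bob")
	res["tx_tampered"] = srv.Verify(user, ch, "Pay 900 EUR to Bob", sig) == nil
	ch, _ = srv.NewChallenge(user)
	sig, _ = auth.Sign(appID, ch, "Pay 100 EUR to Bob")
	res["tx_confirmed"] = srv.Verify(user, ch, "Pay 100 EUR to Bob", sig) == nil
	auth.Deregister(appID)
	srv.Deregister(user)
	_, err = srv.NewChallenge(user)
	res["authenticate_after_deregister"] = err == nil
	return res, nil
}

func main() { fmt.Println(RunLifecycle()) }
```

The password is checked exactly once, in `Server.Register`; every later step relies only on the registered public key. Note that `Verify` deletes the outstanding challenge before checking the signature, so a response is never accepted twice, and that deregistration has to happen on both sides: the server stops issuing challenges for the user, and the device discards the private key.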
FIDO UAF architecture overview
- User agent. The user's device (computer, smartphone, etc.).
- Browser/application. Web browser, desktop application, or Android/iOS application running on the user's device.
- FIDO Client. Implements the client side of the FIDO UAF protocol and handles communication with UAF authenticators through the UAF Authenticator API.
- ASM (UAF Authenticator Specific Module). Interface used by the FIDO Client to discover the authenticators available on the user's device. It also hides the complexity of internal communication with UAF authenticators.
- Authenticator. Can be embedded in the user's device or connected via various channels. Generates keys that are compatible with the FIDO UAF protocol.
- Relying party infrastructure. Hosts the relying party applications.
- Relying party server. Hosts relying-party applications that provide different online services. These applications are typically hosted on a web server.
- FIDO Server. Application that implements FIDO protocols. It can be a separate application which communicates with the relying party application over HTTP or other transport protocols.
- FIDO UAF SDK. Contains the implementation of the UAF protocol. It can be included directly in the relying party application or used to implement a standalone application which communicates with the relying party application via HTTP or other transport protocols.
- FIDO metadata service. Contains data about authenticators. The FIDO protocols may use this data about an authenticator when performing UAF processes. This service is exposed by the FIDO Alliance.
