FIDO authenticator FAQs

About FIDO

What is FIDO & what are FIDO U2F & FIDO2 authenticators?

FIDO (Fast Identity Online) open standards for secure authentication are set by the FIDO Alliance, whose members include Google, Microsoft, Mozilla, MasterCard, Visa and PayPal.

The FIDO specification was designed to allow a single authenticator (key, token or device) to be used to secure access to many services, with each service using separate, unique and anonymous authentication credentials. This is an extremely scalable model for making use of a high-security public/private key-pair architecture, in which the private keys are never shared and can be thoroughly protected within dedicated security hardware in an authenticator.

FIDO’s authentication protocol also enforces the verification of message origin, which makes it thoroughly resistant to phishing and man-in-the-middle attacks.

U2F (Universal 2nd Factor) was the original FIDO specification which, as the name suggests, was aimed at providing a commonly used means of strong authentication in addition to username and password. By making direct use of widely used standard interfaces (USB, NFC, Bluetooth), FIDO authenticators do not require additional reader hardware.

FIDO2 is the more recent standard; in addition to supporting multi-factor authentication, it also provides for secure passwordless multi-factor authentication. The U2F specifications are now part of FIDO2, so the standard remains backward compatible.

Microsoft supports FIDO2 passwordless login, in addition to Windows Hello, for Windows 10 with Azure AD. FIDO2 allows roaming passwordless login without the user having to set up Windows Hello on the chosen Windows 10 machine beforehand.

FIDO2 has been adopted by the World Wide Web Consortium (W3C) within the WebAuthn specification, and has already been implemented by many leading cloud service providers. The corresponding FIDO2 Client-to-Authenticator Protocol (CTAP2), together with WebAuthn, is also supported by the most popular browsers.

General FIDO compatibility

Can FIDO keys be used for Windows passwordless login as well as securing cloud services?

FIDO U2F-only keys are not supported by Windows for login.

FIDO2 keys that implement certain features and extensions of the Client-to-Authenticator Protocol (the CTAP2 specification), including a means of user verification such as fingerprint recognition, are supported for login to Windows 10 machines joined to Azure AD within the enterprise.

Microsoft compatible FIDO2 keys store the user's credentials on the security key, allowing roaming users to log in on any shared Windows 10 machine belonging to the enterprise, without needing to enter a username and password or set up Windows Hello beforehand.

Some Microsoft compatible FIDO2 authentication keys are also Windows Hello compatible devices, allowing users to set up Windows Hello passwordless login on their own Windows 10 machine. In that case the user credentials stored on the Windows 10 machine authenticate with Azure AD for the enterprise.

The KEY-ID FIDO2 key with Windows Hello is both a Microsoft compatible FIDO2 key and also a Windows Hello compatible device, supporting Windows passwordless login as well as secure authentication to multiple FIDO2 compliant cloud services.

Which browsers support FIDO keys?

Browser    Platform                 Supported keys
Edge       Windows                  FIDO2
Chrome     Windows / Mac / Linux    FIDO2 & U2F
Firefox    Windows / Mac / Linux    FIDO2 & U2F
Opera      Windows / Mac / Linux    FIDO2 & U2F
Safari     MacOS                    FIDO2 & U2F
Which cloud services support FIDO keys?

The table below shows a popular selection of the many enterprise and personal cloud services that support FIDO authentication keys.

Service (☑ FIDO2 keys / ☑ U2F keys)
1Password ☑ ☑
AWS Identity and Access Management ☑
Dashlane Premium ☑
Dropbox / Dropbox Business ☑ ☑
Duo Security ☑ ☑
Facebook ☑
GitHub ☑ ☑
Google Cloud (Gmail, YouTube, etc.) ☑
Google G Suite (Gmail, Drive, Docs, etc.) ☑
Gov.uk – Digidentity ☑
IBM Cloud Identity ☑
IBM Security Access Manager ☑ ☑
Microsoft Azure AD ☑
Microsoft Office 365 (Outlook.com, Skype, OneDrive, etc.) ☑
Okta ☑ ☑
Ping Identity ☑ ☑
RSA SecurID Access ☑ ☑
Salesforce.com ☑
Twitter ☑ ☑

Are the KEY-ID FIDO security keys certified by the FIDO Alliance?

Yes.

The KEY-ID FIDO U2F key has been fully tested and certified to comply with the U2F specifications, version 1.0, under the name ePass FIDO.

The KEY-ID FIDO2 key with U2F has been fully tested and certified to comply with the FIDO2 specifications version 2.0, Authenticator L1, under the name ePass FIDO2.

The KEY-ID FIDO2 key with Windows Hello has been fully tested and certified to comply with the FIDO2 specifications version 2.0, Authenticator L1, under the name EzFinger SDK.

FIDO Alliance Metadata for server developers

The FIDO Alliance Metadata Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a trusted source of information about FIDO authenticators.

If you are developing your own server application that includes FIDO2 authentication, and you require metadata for KEY-ID security keys during development, please contact us to request JSON formatted files for the appropriate products.

Wider OS compatibility

How do I use a FIDO key on Linux?

For security, many versions of Linux prevent web browsers such as Chrome from talking directly to USB devices such as your KEY-ID FIDO U2F security key. For details of how to enable U2F on Linux, please follow these instructions.

Do Chromebooks support FIDO keys?

Yes, provided they are running an up-to-date version of the Chrome operating system and have a USB slot.

Managing FIDO keys

Are admin rights or software or drivers required?

FIDO keys are designed to work ‘straight out of the box’ as a standard HID (Human Interface Device) requiring no special driver software installation.

Software is required to set up fingerprints on the KEY-ID FIDO2 key with Windows Hello for use with biometric-enabled FIDO2 authentication services. (Note: fingerprint enrolment for Windows Hello uses native Windows 10 functionality without additional software.)

How do I set up fingerprint recognition for FIDO2?

The KEY-ID FIDO2 key with Windows Hello supports biometric fingerprint verification for FIDO2 authenticated sign in.

To register one (or more) fingerprints for FIDO2 authentication see fingerprint enrolment.

(Note: fingerprint enrolment for Windows Hello uses native Windows 10 functionality without additional software.)

Why do unregistered fingers work on some FIDO2 services when using my fingerprint key?

The KEY-ID FIDO2 key with Windows Hello supports biometric fingerprint verification for FIDO2 authenticated sign in.

Some cloud services that support FIDO2 may allow you to sign in using only the presence of your security key as an additional authentication factor (similar to the secure authentication used by the previous FIDO U2F standard). In that case, when the key's LED indicates that a touch on the sensor is required, the touch of any finger is sufficient.

If you have registered one (or more) of your fingerprints on your security key (see fingerprint enrolment) and the FIDO2 service supports biometrically verified, or passwordless, FIDO2 sign-in, only registered fingerprints will work.

Do FIDO keys need to be configured or pre-registered before issuing to users?

No. Users self-register FIDO keys with each service and can use the same key with many services.

Configuring Azure AD to use specific security keys

Having enabled FIDO2 security keys as an authentication method in Azure AD, the settings for FIDO2 security keys may need to be configured: selecting the ‘Enforce attestation’ option allows specific security key products to be either allowed or disallowed, and AAGUIDs can be entered to identify those products.
(An AAGUID, or Authenticator Attestation GUID, is an identifier indicating the type of the authenticator, as defined in the FIDO2 specification.)

The AAGUID for each KEY-ID security key product can be found in the tech-spec table on the relevant product page.
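How a relying party can act on the AAGUID, as an added example in Python (not code from KEY-ID, Microsoft or the FIDO Alliance): it parses the AAGUID out of WebAuthn authenticator data, checks it against a product allow-list of the kind the ‘Enforce attestation’ setting above maintains, and consults status reports in the shape published by the FIDO Alliance Metadata Service described earlier on this page. The RP ID, the AAGUIDs, the credential id and the metadata entries are constructed placeholders, not real product values, and only the Python standard library is used.

```python
"""Extract the AAGUID from WebAuthn authenticator data, then check it against
a product allow-list and FIDO Metadata Service (MDS) style status reports.

Added example (not KEY-ID, Microsoft or FIDO Alliance code). The RP ID, the
AAGUIDs and the metadata entries are constructed placeholders.
"""
import hashlib
import struct
import uuid

# Bits of the flags byte in authenticator data (WebAuthn spec, section 6.1).
FLAG_UP = 0x01  # user present (touch)
FLAG_UV = 0x04  # user verified (fingerprint, PIN)
FLAG_AT = 0x40  # attested credential data (AAGUID, credential id, key) follows

# MDS status values after which a key model must not be trusted at all.
COMPROMISED_STATUSES = {
    "USER_VERIFICATION_BYPASS", "ATTESTATION_KEY_COMPROMISE",
    "USER_KEY_REMOTE_COMPROMISE", "USER_KEY_PHYSICAL_COMPROMISE", "REVOKED",
}


def parse_authenticator_data(auth_data):
    """Split authenticator data into rpIdHash, flags, signCount and, when the
    AT flag is set, the attested credential data."""
    if len(auth_data) < 37:
        raise ValueError("authenticator data too short")
    parsed = {
        "rp_id_hash": auth_data[:32],
        "flags": auth_data[32],
        "sign_count": struct.unpack(">I", auth_data[33:37])[0],
    }
    if parsed["flags"] & FLAG_AT:
        if len(auth_data) < 55:
            raise ValueError("attested credential data truncated")
        parsed["aaguid"] = str(uuid.UUID(bytes=auth_data[37:53]))
        cred_len = struct.unpack(">H", auth_data[53:55])[0]
        parsed["credential_id"] = auth_data[55:55 + cred_len]
        parsed["cose_key"] = auth_data[55 + cred_len:]  # CBOR public key, unused here
    return parsed


def latest_mds_status(aaguid, mds_entries):
    """Most recent status the metadata service reports for this AAGUID, or None."""
    for entry in mds_entries:
        if entry["aaguid"].lower() == aaguid.lower():
            reports = sorted(entry["statusReports"], key=lambda r: r["effectiveDate"])
            return reports[-1]["status"] if reports else None
    return None


def evaluate_registration(auth_data, rp_id, allowed_aaguids, mds_entries):
    """Decide whether a new credential may be registered. Returns (ok, reason).

    The AAGUID is only as trustworthy as the attestation statement that signs
    the authenticator data; verify that signature against the vendor's
    attestation root (published in the metadata) before relying on this."""
    parsed = parse_authenticator_data(auth_data)
    if parsed["rp_id_hash"] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match this relying party"
    if "aaguid" not in parsed:
        return False, "no attested credential data present"
    aaguid = parsed["aaguid"]
    status = latest_mds_status(aaguid, mds_entries)
    if status in COMPROMISED_STATUSES:
        return False, "metadata status %s for %s" % (status, aaguid)
    if aaguid not in allowed_aaguids:
        return False, "%s is not on the allow-list" % aaguid
    if not parsed["flags"] & FLAG_UV:
        return False, "user verification was not performed"
    return True, "%s allowed, metadata status %s" % (aaguid, status)


# --- constructed sample data; none of these are real product identifiers ---
RP_ID = "login.example.com"
AAGUID_OK = "11111111-2222-3333-4444-555555555555"
AAGUID_BAD = "aaaaaaaa-bbbb-cccc-dddd-eeeeeeeeeeee"
SAMPLE_MDS = [
    {"aaguid": AAGUID_OK, "statusReports": [
        {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2020-01-01"}]},
    {"aaguid": AAGUID_BAD, "statusReports": [
        {"status": "FIDO_CERTIFIED_L1", "effectiveDate": "2019-06-01"},
        {"status": "ATTESTATION_KEY_COMPROMISE", "effectiveDate": "2021-03-01"}]},
]


def build_auth_data(rp_id, aaguid, flags=FLAG_UP | FLAG_UV | FLAG_AT, sign_count=0):
    """Assemble authenticator data as an authenticator would (sample only; the
    trailing COSE public key is left empty because nothing here needs it)."""
    cred_id = bytes(16)
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count) + uuid.UUID(aaguid).bytes
            + struct.pack(">H", len(cred_id)) + cred_id)


if __name__ == "__main__":
    for aaguid in (AAGUID_OK, AAGUID_BAD):
        print(evaluate_registration(build_auth_data(RP_ID, aaguid), RP_ID,
                                    {AAGUID_OK, AAGUID_BAD}, SAMPLE_MDS))
```

The metadata check runs before the allow-list check on purpose: a product that an administrator allowed last year may since have had a status report added, and the service should pick that up from the metadata rather than from a manual edit of the allow-list.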

What happens if I lose my FIDO key?

It is important to have a back-up means of authentication in case a key is lost. A second FIDO key can usually be registered with services and kept as a back-up. When registering with services, alternative though less convenient authentication methods may also be enabled. Some services provide a set of back-up access codes when setting up 2-step authentication, which should be kept securely for use if needed.

A lost key does not pose a security risk. FIDO security keys are designed to be anonymous to public online services. Each time a FIDO key is registered with an online account, new cryptographic secrets are generated for use with that specific account, and no information about the person's real identity is linked to the key itself. This means that if someone finds a lost key they are not able to identify the previous owner; it also means the same key can be safely re-used by a new owner for their own accounts (even for the same online services used by the previous owner).

How do FIDO keys handle personal data with regard to data privacy & GDPR?

KEY-ID FIDO keys do not share any personally identifiable information (PII) with any of the FIDO services they are registered with. Devices that include biometric (fingerprint) readers store biometric recognition information securely on the device only.

Can FIDO security keys enable strong two-factor authentication for my enterprise?

In addition to the native support provided by Windows and the cloud services listed above, any online service or application can integrate with the FIDO protocols.

The W3C WebAuthn standard was developed to support FIDO2 authentication devices, and implementation guidance is widely available – for example:

https://fidoalliance.org/developer-tutorial-webauthn-web-fido2-android/

https://en.wikipedia.org/wiki/WebAuthn

https://developers.google.com/web/updates/2018/05/webauthn

https://webauthn.guide/
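The origin check that gives FIDO its phishing resistance, as an added example in Python (not code from the page, from KEY-ID or from any WebAuthn library): server-side verification of a WebAuthn sign-in assertion's clientDataJSON and authenticator data, covering the ceremony type, challenge freshness, the browser-supplied origin, the RP ID hash, user presence and the signature counter. The origins, RP ID, challenge and counter values are constructed; verifying the assertion signature with the credential's stored public key is left to a WebAuthn library and is not shown here.

```python
"""Server-side checks on a WebAuthn sign-in assertion: the origin binding
that makes FIDO phishing-resistant, challenge freshness, the RP ID hash and
the signature-counter clone check.

Added example; not code from the page, from KEY-ID or from any WebAuthn
library. Origins, RP ID, challenge and counters are constructed values.
"""
import base64
import hashlib
import hmac
import json
import secrets
import struct

FLAG_UP = 0x01  # user-present bit of the authenticator data flags byte


def b64url(raw):
    return base64.urlsafe_b64encode(raw).rstrip(b"=").decode()


def unb64url(text):
    return base64.urlsafe_b64decode(text + "=" * (-len(text) % 4))


def new_challenge():
    """Fresh random challenge, stored against the login session until used."""
    return secrets.token_bytes(32)


def verify_assertion(client_data_json, auth_data, expected_challenge,
                     allowed_origins, rp_id, stored_sign_count):
    """WebAuthn assertion checks that need no public key. Returns
    (ok, reason, sign_count_to_store). The signature over
    auth_data + sha256(client_data_json) must additionally be verified with
    the credential's stored public key before the login is accepted."""
    try:
        client = json.loads(client_data_json)
    except ValueError:
        return False, "clientDataJSON is not valid JSON", stored_sign_count
    if client.get("type") != "webauthn.get":
        return False, "not an authentication ceremony", stored_sign_count
    try:
        challenge = unb64url(client.get("challenge", ""))
    except ValueError:
        return False, "challenge is not base64url", stored_sign_count
    if not hmac.compare_digest(challenge, expected_challenge):
        return False, "challenge does not match the one issued", stored_sign_count
    # The browser fills in the origin itself, so an assertion produced on a
    # look-alike domain never carries the real site's origin.
    if client.get("origin") not in allowed_origins:
        return False, "origin %r is not this service" % client.get("origin"), stored_sign_count
    if len(auth_data) < 37:
        return False, "authenticator data too short", stored_sign_count
    if auth_data[:32] != hashlib.sha256(rp_id.encode()).digest():
        return False, "rpIdHash does not match the RP ID", stored_sign_count
    if not auth_data[32] & FLAG_UP:
        return False, "user presence not confirmed", stored_sign_count
    sign_count = struct.unpack(">I", auth_data[33:37])[0]
    # A counter that fails to advance suggests a cloned credential; a key
    # that implements no counter reports 0 every time, which is allowed.
    if (sign_count or stored_sign_count) and sign_count <= stored_sign_count:
        return False, "signature counter did not increase (possible clone)", stored_sign_count
    return True, "assertion checks passed", sign_count


# --- constructed sample exchange -------------------------------------------
RP_ID = "login.example.com"
ALLOWED_ORIGINS = {"https://login.example.com"}


def sample_client_data(origin, challenge):
    """What the browser builds as clientDataJSON for a sign-in (sample)."""
    return json.dumps({"type": "webauthn.get", "challenge": b64url(challenge),
                       "origin": origin, "crossOrigin": False}).encode()


def sample_auth_data(rp_id, sign_count, flags=FLAG_UP):
    """rpIdHash, flags and counter as an authenticator returns them (sample)."""
    return (hashlib.sha256(rp_id.encode()).digest() + bytes([flags])
            + struct.pack(">I", sign_count))


if __name__ == "__main__":
    challenge = new_challenge()
    # Genuine site, counter advancing from 41 to 42: passes.
    print(verify_assertion(sample_client_data("https://login.example.com", challenge),
                           sample_auth_data(RP_ID, 42), challenge, ALLOWED_ORIGINS, RP_ID, 41))
    # Same assertion data but a different origin: rejected before anything else.
    print(verify_assertion(sample_client_data("https://login-example.com", challenge),
                           sample_auth_data(RP_ID, 42), challenge, ALLOWED_ORIGINS, RP_ID, 41))
```

Store the returned counter only after the signature has also been verified, and keep the challenge single-use: delete it from the session as soon as one assertion for it has been processed, whether or not that assertion passed.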

Does FIDO authentication work with single sign on?

Many leading Identity Provider solutions support FIDO keys as a means of secure authentication to their services, and single sign on (SSO) operation.

Microsoft supports sign-in to Windows 10 devices using FIDO2 security keys, with single sign-on (SSO) to cloud resources – learn more.

Using FIDO keys

How do you use a FIDO key?

See some example videos and instructions on our ‘How to…’ pages (navigation links at the top of the page).

When does a USB FIDO key need to be plugged in & should it stay plugged in?

You only need to have your key plugged into a USB port when you are signing in. Some service providers, such as Google and Facebook, also allow you to choose to only require the key when you log in on a new device.

Can the same single key be used for multiple accounts on the same service?

Yes, one FIDO security key can be used to secure multiple accounts, including multiple Gmail accounts for example.

How many service accounts can a single FIDO key be used with?

One FIDO key can be used with a very large number of accounts; there should be no practical limit on the number of accounts a user might wish to register a key with.

Do KEY-ID FIDO security keys need batteries?

No batteries are required.