FIDO authenticator FAQs

FIDO (Fast Identity Online) open standards for secure authentication are set by the FIDO Alliance, who’s members include Google, Microsoft, Mozilla, MasterCard, Visa and PayPal.

The FIDO specification was designed to allow a single authenticator (key, token or device) to be used to secure access to many services, with each service using separate, unique and anonymous authentication codes. This is an extremely scalable model for making use of a high security public and private key-pair architecture, in which the private keys are never shared and can be thoroughly protected within dedicated security hardware in an authenticator.

FIDO’s authentication protocol also enforces the verification of message origin, which makes it thoroughly resistant to phishing and man-in-the-middle attacks.

U2F (Universal 2nd Factor) was the original FIDO specification which, as the name suggests, was aimed at providing a commonly used means of strong authentication in addition to username and password. By making direct use of widely used standard interfaces (USB, NFC, Bluetooth) FIDO authenticators do not require additional reader hardware.

FIDO2 is the more recent standard, in addition to supporting multi-factor authentication it also provides for secure passwordless multi-factor authentication. U2F specifications are now a part of FIDO2 for backward compatibility of the standard.

Microsoft supports FIDO2 passwordless login, in addition to Window Hello, for Windows 10 with Azure AD. FIDO2 allows roaming passwordless login without the need for a user to have set themselves up to use Windows Hello on the chosen Window 10 machine.

FIDO2 has been adopted by the World Wide Web Consortium (W3C) within the WebAuthn specification, and has already been implemented by many leading cloud service providers. The corresponding FIDO2 Client-to-Authenticator Protocol (CTAP2), together with WebAuthn, is also supported by the most popular browsers.

FIDO U2F-only keys are not supported by Windows for login.

FIDO2 keys that implement certain features and extensions of the Client-to-Authenticator Protocol (CTAP2 spec), including a means of user authentication such as fingerprint verification, are supported by Windows 10 joined to Azure AD within the enterprise.

Microsoft compatible FIDO2 keys store the users credentials on the security key, allowing roaming users to login on any shared Windows 10 machine belonging to the enterprise – without needing to enter a username and password or set up Windows Hello beforehand.

Some Microsoft compatible FIDO2 authentication keys are also Windows Hello compatible devices – allowing users to set-up Windows Hello passwordless login on their specific Windows 10 machine. The user credentials stored on the Windows 10 machine authenticate with Azure AD for the enterprise.

The KEY-ID FIDO2 key with Windows Hello is both a Microsoft compatible FIDO2 key and also a Windows Hello compatible device, supporting Windows passwordless login as well as secure authentication to multiple FIDO2 compliant cloud services.

The table below shows a popular selection of the many enterprise and personal cloud services that support FIDO authentication keys.

Yes.

The KEY-ID FIDO U2F key has been fully tested and certified to comply with the U2F specifications, version 1.0, under the name ePass FIDO.

The KEY-ID FIDO2 key with U2F has been fully tested and certified to comply with the FIDO2 specifications version 2.0, Authenticator L1, under the name ePass FIDO2.

The KEY-ID FIDO2 key with Windows Hello has been fully tested and certified to comply with the FIDO2 specifications version 2.0, Authenticator L1, under the name EzFinger SDK.

The FIDO Alliance Metadata Service (MDS) is a web-based tool where FIDO authenticator vendors can publish metadata statements for FIDO servers to download. This provides organizations deploying FIDO servers with a trusted source of information about FIDO authenticators.

If you are developing your own server application that includes FIDO2 authentication, and you require metadata for KEY-ID security keys during development, please contact us to request JSON formatted files for the appropriate products.

FIDO keys are designed to work ‘straight out of the box’ as a standard HID (Human Interface Device) requiring no special driver software installation.

Software is required to set-up fingerprints on the KEY-ID FIDO2 key with Windows Hello, for use with biometric enabled FIDO2 authentication services. (Note: fingerprint enrolment for Windows Hello uses native Windows 10 functionality without additional software).

The KEY-ID FIDO2 key with Windows Hello supports biometric fingerprint verification for FIDO2 authenticated sign in.

To register one (or more) fingerprints for FIDO2 authentication see fingerprint enrolment.

(Note: fingerprint enrolment for Windows Hello uses native Windows 10 functionality without additional software).

The KEY-ID FIDO2 key with Windows Hello supports biometric fingerprint verification for FIDO2 authenticated sign in.

Some cloud services that support FIDO2 may allow you to sign-in using only the presence of your security key as an addition authentication factor (similar to the secure authentication used by the previous FIDO U2F standard), so when the key’s LED indicates that a touch on the sensor is required, the touch of any finger is sufficient.

If you have registered one (or more) of your fingerprints on your security key (see fingerprint enrolment) and the FIDO2 service supports biometrically verified, or passwordless, FIDO2 sign in, only registered fingerprints will then work.

No. Users self register FIDO keys with each service and can use the same key with many services.

Having enabled FIDO2 security keys as an authentication method in Azure AD, the settings for FIDO2 security keys may need to be configured – selecting the ‘Enforce attestation’ option allows specific security key products to be either allowed or disallowed, and AAGUID’s can be entered to identify those products.
(An AAGUID is an identifier indicating the type of the authenticator in accordance with the FIDO2 specification for the Authenticator Attestation GUID).

AAGUID’s for each KEY-ID security key product can be found in the tech-spec table on the relevant product page.

It is important to have a back-up means of authentication in case a key is lost. A second FIDO key can usually be registered with services, and kept as a back-up. When registering with services, alternative though less convenient authentication methods may also be enabled. Some services provide a set of back-up access codes when setting-up 2-step authentication, which should be kept securely for use if needed.

A lost key does not pose a security risk. FIDO security keys are designed to be anonymous to public online services. Each time a FIDO key is registered with an online account new cryptographic secrets are generated for use with that specific account and no information about the person’s real identity is linked to the key itself. This means that if someone finds a lost key they are not able identify the previous owner, it also means the same key can be safely re-used by a new owner for their own accounts (even for the same online services used by the previous owner).

KEY-ID FIDO keys do not share any personally identifiable information (PII) with any of the FIDO services they are registered with. Devices that include biometric (fingerprint) readers store biometric recognition information securely on the device only.

In addition to the native support provided by Windows and the cloud services listed above, any online service or application can integrate with the FIDO protocols.

The W3C WebAuthn standard was developed to support FIDO2 authentication devices, and implementation guidance is widely available – for example:

https://fidoalliance.org/developer-tutorial-webauthn-web-fido2-android/

https://en.wikipedia.org/wiki/WebAuthn

https://developers.google.com/web/updates/2018/05/webauthn

https://webauthn.guide/

Many leading Identity Provider solutions support FIDO keys as a means of secure authentication to their services, and single sign on (SSO) operation.

Microsoft support sign-in to Windows 10 devices using FIDO2 security keys, with single sign-on (SSO) to cloud resources – learn more.

See some example videos and instructions on our ‘How to… ‘ pages (navigation links at the top of page)

You only need to have your key plugged into a USB port when you are signing in. Some service providers, such as Google and Facebook, also allow you to choose to only require the key when you log in on a new device.

Yes, one FIDO security key can be used to secure multiple accounts, including multiple Gmail accounts for example.

One FIDO key can be used with very large number of accounts, there should be no practical limit on the number of accounts a user might wish to register a key with.

No batteries are required.