
Glossary of Terms

FIDO

Fast Identity Online, a non-profit 501(c)6 organization founded to address both the lack of interoperability among strong authentication devices and the problems users face with creating and remembering multiple usernames and passwords.

FIDO Technical Glossary

AAGUID

Authenticator Attestation GUID. See Authenticator Attestation Global Unique Identifier.

AAID

Authenticator Attestation ID. See Authenticator Attestation ID (AAID).

Accessibility Conformance Report (ACR)

A document, based on the Voluntary Product Accessibility Template (ITI VPAT), that explains how information and communication technology (ICT) products such as software, hardware, electronic content, and support documentation conform to the Revised 508 Standards for IT accessibility.

Application

A set of functionality provided by a common entity (the application owner, also called the Relying Party), and perceived by the user as belonging together.

attestation

A key pair, specific to a device model, that is burned into the device at manufacturing time. In a FIDO context, attestation is how authenticators make an identity claim about themselves that can be cryptographically verified and looked up in the Metadata Service.

Attestation Certificate

A public key certificate related to an attestation key.

attestation public key / attestation private key

Public and private key pairs used for FIDO authenticator attestation. See also public key cryptography.

attestation root certificate

A root certificate that attestation certificates chain to and is explicitly trusted by the FIDO Alliance.

authentication

Authentication is the process by which a user employs their FIDO authenticator to prove to a relying party that they possess a registered key.

authentication algorithm

The combination of signature and hash algorithms used for authenticator-to-relying-party authentication.

authentication scheme

The combination of an authentication algorithm and a message syntax or framing that is used by an authenticator when constructing a response.

Authenticator, Authnr

See FIDO Authenticator.

Authenticator, 1stF / First Factor

A FIDO authenticator that transactionally provides a username and at least two authentication factors: cryptographic key material (something you have) plus user verification (something you know/something you are) and can therefore be used by itself to complete an authentication.

It is assumed that these authenticators have an internal matcher. The matcher is able to verify an already enrolled user. If there is more than one user enrolled, the matcher is also able to identify the right user.

Examples of such an authenticator are a biometric sensor or PIN-based verification. Authenticators that only verify presence, such as a physical button, or perform no verification at all, cannot act as a first-factor authenticator.

Authenticator, 2ndF / Second Factor

A FIDO Authenticator which acts only as a second factor. Second-factor authenticators always require a single key handle to be provided before responding to a sign command. They might or might not have a user verification method. It is assumed that these authenticators might or might not have an internal matcher.

authenticator attestation

The process of communicating a cryptographic assertion to a relying party that a key presented during authenticator registration was created and protected by a genuine authenticator with verified characteristics.

Authenticator Attestation Global Unique Identifier (AAGUID)

A unique 128-bit identifier signifying the model of a device that is sent during registration to the service along with a newly created public key. This unique identifier can be used to look up a metadata statement in a service such as the FIDO Metadata Service (MDS).

A unique identifier assigned to a model, class or batch of FIDO2 Authenticators that all share the same characteristics, and which a relying party can use to look up an attestation public key and authenticator metadata for the device.

Authenticator Attestation ID (AAID)

A unique identifier assigned to a model, class or batch of FIDO UAF Authenticators that all share the same characteristics, and which a relying party can use to look up an attestation public key and authenticator metadata for the device.

authenticator metadata

Verified information about the characteristics of a certified authenticator, associated with an Authenticator Attestation ID (AAID) and available from the FIDO Alliance. FIDO Servers are expected to have access to up-to-date metadata to be able to interact with a given authenticator.

authenticator model

A set of authenticators that have the same AAID, AAGUID, or at least one common attestationCertificateKeyIdentifier in the metadataStatement.

authenticator policy

A JSON data structure that allows a relying party to communicate the capabilities or specific authenticators that are allowed or disallowed for use in a given operation to a FIDO client.

biometrics

Body measurements and calculations related to unique human characteristics and features, such as fingerprints, used in computer science as a form of identification for access control.

Bluetooth Low Energy (BLE)

Bluetooth Low Energy provides considerably reduced power consumption and cost while maintaining a similar communication range, compared to Classic Bluetooth.

bound authenticator

A FIDO authenticator, or combination of authenticator and ASM, that uses an access control mechanism to restrict the use of registered keys to trusted FIDO clients and/or trusted FIDO user devices. Compare to a roaming authenticator.

certificate

A digital certificate is a file or electronic password that proves the authenticity of a device, server, or user through the use of cryptography and the public key infrastructure (PKI).

Also known as a public key certificate, it is used to cryptographically link ownership of a public key with the entity that owns it.

client

Any computer hardware or software device that requests access to a service provided by a server. This term is used in context, and might refer to a FIDO UAF Client or some other type of client, for example, a TLS client. See FIDO Client.

credential

A data object that is a portable representation of the association between an identifier and a unit of authentication information, and that can be presented for use in verifying an identity claimed by an entity that attempts to access a system [RFC4949].

In a FIDO context, the association is cryptographically verifiable.

deregistration

A phase of a FIDO protocol in which a relying party tells a FIDO authenticator to forget a specified piece of (or all) locally managed key material associated with a specific relying party account, in case such keys are no longer considered valid by the relying party.

device-bound passkey

Passkeys that are only stored and used on a single device.

discovery

A phase of a FIDO protocol during which a relying party is able to determine the availability of FIDO capabilities at the client’s device, including metadata about the available authenticators.

E(K,D)

Denotes the Encryption of data D with key K.

ECDAA

See Elliptic Curve based Direct Anonymous Attestation.

ECDSA

See Elliptic Curve Digital Signature Algorithm (ECDSA).

Elliptic Curve based Direct Anonymous Attestation (ECDAA)

Elliptic Curve based Direct Anonymous Attestation. ECDAA is an attestation scheme alternative to FIDO Basic Attestation. It is an improved Direct Anonymous Attestation scheme based on elliptic curves and bilinear pairings. Direct Anonymous Attestation schemes use individual private keys in the Authenticator while avoiding global correlation handles. ECDAA provides significantly improved performance compared with the original DAA scheme. FIDO ECDAA [FIDOEcdaaAlgorithm] defines object encodings, pairing friendly curves, etc. to lead to interoperable ECDAA implementations across different FIDO Servers and FIDO Authenticators.

Elliptic Curve Digital Signature Algorithm (ECDSA)

Elliptic Curve Digital Signature Algorithm, as defined by ANSI X9.62 [ECDSA-ANSI].

Enrollment

The process of making a user known to an authenticator. This might be a biometric enrollment as defined in [ISOBiometrics] or involve processes such as taking ownership of, and setting a PIN or password for, a non-biometric cryptographic storage device. Enrollment might happen as part of a FIDO protocol ceremony, or it might happen outside of the FIDO context for multi-purpose authenticators.

Enterprise Attestation

An enterprise attestation is a per-authenticator unique attestation, which might be configured to support either or both of:

  • vendor-facilitated enterprise attestation (also called EA mode 1): In this case, the Authenticator Vendor pre-configures into the Authenticator, upon request of the Enterprise, a (non-updatable) list of RP IDs, for those RPs allowed to request enterprise attestation.
  • platform-managed enterprise attestation (also called EA mode 2): In this case, the platform/browser, managed by the Enterprise, knows which RPs are allowed to request enterprise attestation, for example through a local policy lookup.

face or touch unlock

Authentication built into a device such as a phone or laptop that uses fingerprint or facial recognition to confirm the identity of a user.

FIDO authenticator

An authentication entity that meets the FIDO Alliance’s requirements and which has related metadata.

A FIDO authenticator is responsible for user verification, and maintaining the cryptographic material required for the relying party authentication.

It is important to note that a FIDO authenticator is only considered such for, and in relation to, its participation in FIDO Alliance protocols. Because the FIDO Alliance aims to use diverse existing and future hardware, many devices used for FIDO might have other primary or secondary uses. To the extent that a device is used for non-FIDO purposes such as local operating system sign-in or network sign-in with non-FIDO protocols, it is not considered a FIDO authenticator and its operation in such modes is not subject to FIDO Alliance guidelines or restrictions, including those related to security and privacy.

A FIDO authenticator might be referred to as simply an authenticator or abbreviated as authnr. Important distinctions in an authenticator’s capabilities and user experience might be experienced depending on whether it is a roaming or bound authenticator, and whether it is a first-factor, or second-factor authenticator.

It is assumed by registration assertion schemes that the authenticator has exclusive control over the data being signed by the attestation key.

Authenticators specify in the Metadata Statement whether they have exclusive control over the data being signed by the Uauth key.

FIDO client

This is the software entity processing protocol messages on the FIDO user device. FIDO clients might take one of two forms:

  • A software component implemented in a user agent (either web browser or native application).
  • A standalone piece of software shared by several user agents (web browsers or native applications).

FIDO data / FIDO information

Any information gathered or created as part of completing a FIDO transaction. This includes but is not limited to, biometric measurements of or reference data for the user and FIDO transaction history.

FIDO server

Server software typically deployed in the relying party’s infrastructure that implements WebAuthn.

FIDO user device

The computing device where the FIDO client operates, and from which the user initiates an action that uses FIDO.

key identifier (KeyID)

The KeyID is an opaque identifier for a key registered by an authenticator with a FIDO Server for first-factor authenticators. It is used in concert with an AAID to identify a particular authenticator that holds the necessary key. Thus key identifiers must be unique within the scope of an AAID.

One possible implementation is that the KeyID is the SHA256 hash of the keyHandle managed by the ASM.

key handle

A key container created by a FIDO Authenticator, containing a private key and (optionally) other data (such as username). A key handle might be wrapped (encrypted with a key known only to the authenticator) or unwrapped. In the unwrapped form it is referred to as a raw key handle. Second-factor authenticators must retrieve their key handles from the relying party to function. First-factor authenticators manage the storage of their own key handles, either internally (for roaming authenticators) or via the associated ASM (for bound authenticators).

key registration

The process of securely establishing a key between FIDO server and FIDO authenticator.

metadata service

A service that provides metadata statements of FIDO authenticators.

The FIDO Alliance publishes metadata statements on the FIDO Metadata Service.

Near Field Communication (NFC)

A short-range wireless connectivity technology that when enabled on a device, allows communication between devices when they are touching or within a few centimeters of each other.

one-time password (OTP)

Used to verify a user’s identity when logging in online or confirming an action as an added layer of security. OTPs are a secure authorization method where a numeric or alphanumeric code is sent to a mobile number. Once received, the user must then enter the code as a response.

Open Authorization (OAuth)

An open standard designed to allow a website or application to access resources hosted by other web apps on behalf of a user. It provides applications the ability for secure designated access. Users can use OAuth to grant websites or applications access to their information without sharing passwords.

operating environment

A set of hardware and software components (for example, hardware processing unit, and physical memory) that provide facilities (for example, computing, memory management, and input/output) necessary to support running of applications.

passkey

A passkey is a FIDO authentication credential based on FIDO standards, that allows a user to sign in to apps and websites with the same steps that they use to unlock their device (biometrics, PIN, or pattern). With passkeys, users no longer need to enter usernames and passwords or additional factors.

The word passkey is a common noun; think of it the way you would refer to password. It should be written in lowercase except when beginning a sentence or used in a title. The term passkey (and plural form passkeys) is a cross-platform general-use term, not a feature tied to any specific platform.

password

Used during the authentication process, a password is a secret word, phrase, or string of characters used to verify an authorized user or process before allowing access to a computer system or service.

people with disabilities (PwD)

A term used to apply to all persons with disabilities. This includes those who have long-term physical, mental, intellectual or sensory impairments which, in interaction with various attitudinal and environmental barriers, hinder their full and effective participation in society on an equal basis with others.

public key cryptography

A method of encrypting or signing data with two different keys that are paired together. The public key is available for public use and the other key is private. Data encrypted with the public key can only be decrypted with the private key.

public key infrastructure (PKI)

Everything (software, hardware, policies, and procedures) required to create, distribute, manage, store, and revoke digital certificates and manage public-key encryption.

PwD

See People with disabilities (PwD).

QR code

See quick response (QR) code.

quick response (QR) code

A two-dimensional matrix barcode that stores information and can be read by a digital device such as a cellphone.

registration

A FIDO protocol operation in which a user generates and associates new key material with an account at the relying party, subject to policy set by the server, and acceptable attestation that the authenticator and registration matches that policy.

registration scheme

The registration scheme defines how the authentication key is being exchanged between the FIDO server and the FIDO authenticator.

relying party (RP)

A web site or other entity that uses a FIDO protocol to directly authenticate users (that is, performs peer-entity authentication). Note that if FIDO is composed with federated identity management protocols (for example, SAML), the identity provider will also be playing the role of a FIDO relying party.

For example, a web application that requires users to log in using their credentials is a relying party because it depends on the authentication process to verify the user's identity.

roaming authenticator

Authenticators that are not tied to a single platform and can therefore be used to authenticate across multiple devices.

A FIDO roaming authenticator is configured to move between different FIDO clients and FIDO user devices lacking an established trust relationship by:

  • Using only its own internal storage for registrations.
  • Allowing registered keys to be employed without access control mechanisms at the API layer. (Roaming authenticators still can perform user verification.)

Compare to bound authenticator.

security key

A hardware device that connects through Universal Serial Bus (USB) or Near Field Communication (NFC) to provide authentication across platforms, browsers, and applications.

server challenge

A random value provided by the FIDO server in the UAF protocol requests. A question presented by one party sent to the other party to respond to with an answer during challenge-response authentication.

Short Message Service (SMS)

A service that allows mobile phones to exchange short text messages using standardized communication protocols.

side-channel attack

Attack based on information gained from the physical implementation of a cryptosystem, rather than on brute force or theoretical weaknesses in the underlying algorithms. For example, timing information, power consumption, or electromagnetic emissions can provide extra sources of information and can be exploited to attack the system.

signed data

A signedData object is created and returned by an authenticator as the result of the authenticator's sign command. The to-be-signed data input to the signature operation is represented in the returned signedData object as intact values or as hashed values. The signedData object also contains general information about the authenticator and its mode, a nonce, information about authenticator-specific cryptographic algorithms, and a use counter. The signedData object is signed using a relying party-specific UAuth.priv key.
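The use counter carried in signedData is what lets a relying party notice that a private key has been duplicated: every successful sign command should report a counter strictly greater than the last value the server stored for that key, and WebAuthn applies the same rule to its signature counter. The Python below, added here as an illustration and not code from the FIDO specifications or any FIDO server, models that server-side check; the in-memory store, the opaque key identifiers and the three outcomes are assumptions made for the example.

```python
from dataclasses import dataclass, field
from enum import Enum


class CounterResult(Enum):
    OK = "ok"                            # counter advanced; stored value updated
    NO_COUNTER = "no-counter"            # authenticator never reported a nonzero counter
    CLONE_SUSPECTED = "clone-suspected"  # counter did not advance: cloned key or replay


@dataclass
class UseCounterStore:
    """Per-registered-key record of the last use counter the relying party accepted.

    Keys are identified by an opaque KeyID string; the dict-backed store is an
    assumption for this example (a deployment persists it alongside the public key).
    """
    last_seen: dict = field(default_factory=dict)

    def check(self, key_id: str, reported: int) -> CounterResult:
        stored = self.last_seen.get(key_id, 0)
        if reported == 0 and stored == 0:
            # Neither side has ever seen a nonzero value: this authenticator does
            # not implement a use counter, so there is nothing to compare.
            return CounterResult.NO_COUNTER
        if reported > stored:
            self.last_seen[key_id] = reported
            return CounterResult.OK
        # The counter did not move forward. Another copy of the private key has
        # signed since this one was last seen, or the response is a replay;
        # the relying party should fail the authentication and flag the key.
        return CounterResult.CLONE_SUSPECTED


def replay_log(store: UseCounterStore, events: list[tuple[str, int]]) -> list[CounterResult]:
    """Run a sequence of (key_id, reported_counter) pairs through the store."""
    return [store.check(key_id, counter) for key_id, counter in events]


if __name__ == "__main__":
    # Constructed sample sequence: key-B is used twice with the same counter,
    # which is the signal a relying party is looking for.
    sample = [("key-A", 0), ("key-B", 5), ("key-B", 6), ("key-B", 6), ("key-B", 3)]
    for event, result in zip(sample, replay_log(UseCounterStore(), sample)):
        print(event, "->", result.value)
```

The check only works if the server actually persists the counter per key and treats a non-advancing value as a hard failure rather than a warning; a relying party that stores nothing learns nothing from the field.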

silent authenticator

FIDO Authenticator that does not prompt the user or perform any user verification.

step-up authentication

An authentication which is performed on top of an already authenticated session.

Example: The user authenticates the session initially using a username and password, and the web site later requests a FIDO authentication on top of this authenticated session.

One reason for requesting step-up authentication could be a request for a high value resource.

FIDO U2F is always used as a step-up authentication. FIDO UAF could be used as step-up authentication, but it could also be used as an initial authentication mechanism.

note

In general, there is no implication that the step-up authentication method itself is stronger than the initial authentication. Since the step-up authentication is performed on top of an existing authentication, the resulting combined authentication strength will most likely increase, but it will never decrease.

synced passkey

Passkeys that sync between multiple devices owned by a single user via a cloud service.

test of user presence

See user presence check.

time-based one-time password (TOTP)

A computer algorithm that uses the current time, as a source of uniqueness, to generate a one-time password (OTP).

touch unlock

See face or touch unlock.

transaction confirmation

An operation in the FIDO protocol that allows a relying party to request that a FIDO client and authenticator with the appropriate capabilities display information to the user, request that the user authenticate locally to their FIDO authenticator to confirm the information, and provide proof-of-possession of previously registered key material and an attestation of the confirmation back to the relying party.

Transport Layer Security (TLS)

A cryptographic protocol that encrypts data sent over the internet to ensure communications are secure over a computer network.

UI

See user interface (UI).

Universal Authentication Framework (UAF)

A specification for enabling secure, biometric-based authentication on a wide range of devices and platforms that allows online service providers to offer their users passwordless sign-on experiences.

UAuth.pub / UAuth.priv / UAuth.key

User authentication keys generated by a FIDO Authenticator. UAuth.pub is the public part of the key pair. UAuth.priv is the private part of the key. UAuth.key is the more generic notation used to refer to UAuth.priv.

user

Relying party’s user and owner of the FIDO authenticator.

user agent

The user agent is a client application that is acting on behalf of a user in a client-server system. Examples of user agents include web browsers and mobile apps.

User Agent Accessibility Guidelines (UAAG)

Part of a series of accessibility guidelines published by the W3C Web Accessibility Initiative, the guidelines explain how to make user agents (browsers, browser extensions, media players, readers and other applications that render web content) accessible to people with disabilities.

user interface (UI)

The space on a device where interactions between humans and machines occur. Includes display screens, keyboards, a mouse and the appearance of a desktop.

User Presence check

User Presence check is defined as obtaining some explicit gesture from a user (a natural person) that they are present. Examples are pressing a button, touching a touch screen or pad, or any biometrics that require a conscious action from the user such as touching a fingerprint sensor (but not passive biometrics such as looking at a device or checking an EKG).

user verification

User verification is defined as verifying that a particular user, typically a person, has supplied some input so the authenticator can know it is that particular person. The input is typically something only the user knows or something the user is (biometric). This definition is primarily used to refer to a single method, not multifactor authentication based on the combination of methods. Examples are a PIN, password or fingerprint.

user verification token

The user verification token is generated by the authenticator and handed to the ASM after successful user verification. Without this token, the ASM cannot invoke special commands such as register or sign.

The lifecycle of the user verification token is managed by the authenticator. The concrete techniques for generating such a token and managing its lifecycle are vendor-specific and non-normative.

username

A human-readable string identifying a user’s account at a relying party.

verification factor

The specific means by which local user verification is accomplished, for example fingerprint, voiceprint, or PIN.

This is also known as modality.

Voice over Internet Protocol (VoIP)

The set of rules that makes it possible to use the internet for telephone or videophone communication.

Web Authentication (WebAuthn)

An API specification by W3C for accessing public key credentials. WebAuthn facilitates a way for users to securely log in to online services and websites with various authentication methods, such as biometrics (for example, fingerprint or facial recognition) and hardware-based authenticators (for example, USB or NFC tokens). It is a core component of the FIDO2 Project.

Web Content Accessibility Guidelines (WCAG)

Guidelines that cover a wide range of recommendations for making web content more accessible.