We have been trying for a long time to devise safer and more effective ways of identifying a user than a login and a password. With the development of technologies such as fingerprint readers and retinal scanners, identity can now be verified at least as well as with a login and password.

Additionally, with all of those devices built into a mobile phone, we are able to confirm our identity securely. To standardize the way identity is verified, the FIDO Alliance (fidoalliance.org) decided to create a single set of best practices for user authentication and for the authorization of users' operations. These protocols have been given the abbreviated name FIDO.

How does it work?

One of the FIDO protocols used for user authentication on internet platforms is UAF. In short, it works according to the following algorithm:

  • The client's device (further referred to as the UAF Client) creates a pair of cryptographic keys (a public and a private one) in its memory while registering a user on an authenticator. The authenticator is what makes it possible to confirm a user's identity; it can be, for example, a fingerprint reader.
  • The UAF server is queried for the list of supported authenticators. These groups can be defined by parameters such as the authenticator's manufacturer, the algorithms it supports, etc.
  • After successful verification that authentication with the UAF Client is possible, a private key is sent to the UAF server during registration and saved in its database, which stores it along with the username and the identifier of the application used to register the user.
  • Additionally, the identifier of the key in the authenticator's memory and some extra data are sent to the UAF server.


At an authentication attempt, the client application (the UAF Client) requests the list of authenticators (e.g. fingerprint readers) registered on the UAF server for the given user. After receiving this list, the UAF Client checks whether it holds a key pair matching one registered on the UAF server earlier. If so, it encodes the so-called "challenge" sent by the server (a partially randomly generated piece of text; it can be any text or string of bytes) using the private key. The encoded message is then sent to the server along with other information.

The server checks whether the message it received was encoded with the key saved during the registration process. If so, the user is verified and the authentication succeeds.
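As an added illustration (not code from the original post or from the FIDO Alliance), here is a minimal Go model of the registration and authentication flow described above, using Ed25519 signatures. It follows the UAF specification on one point the text above blurs: at registration the authenticator hands the server only its public key, and the private key never leaves the device. Type and function names are assumptions, and the single-use challenge book-keeping in the server is the defender's addition against replayed responses.

```go
package main

import "crypto/ed25519"
import "crypto/rand"

// Authenticator is the client-side device (e.g. a fingerprint reader); its private key never leaves it.
type Authenticator struct{ priv ed25519.PrivateKey }

// NewAuthenticator creates the key pair at registration; only the public key is handed to the server.
func NewAuthenticator() (*Authenticator, ed25519.PublicKey, error) {
	pub, priv, err := ed25519.GenerateKey(rand.Reader)
	return &Authenticator{priv: priv}, pub, err
}

// SignChallenge produces the "coded challenge" the UAF Client returns to the server.
func (a *Authenticator) SignChallenge(challenge []byte) []byte { return ed25519.Sign(a.priv, challenge) }

// Server keeps one public key per registered authenticator (by key ID) plus the challenges it has
// issued and not yet seen answered. It stores no private keys and no passwords.
type Server struct {
	keys    map[string]ed25519.PublicKey
	pending map[string]bool
}

func NewServer() *Server { return &Server{keys: map[string]ed25519.PublicKey{}, pending: map[string]bool{}} }
func (s *Server) Register(keyID string, pub ed25519.PublicKey) { s.keys[keyID] = pub }

// Deactivate revokes a lost or stolen authenticator; the user's account itself is untouched.
func (s *Server) Deactivate(keyID string) { delete(s.keys, keyID) }

// NewChallenge issues 32 random bytes and records them so that a captured response cannot be replayed.
func (s *Server) NewChallenge() ([]byte, error) {
	c := make([]byte, 32)
	if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.pending[string(c)] = true
	return c, nil
}

// Verify reports whether sig is a valid signature, by the key registered under keyID, over a
// challenge this server issued and has not accepted before.
func (s *Server) Verify(keyID string, challenge, sig []byte) bool {
	if !s.pending[string(challenge)] {
		return false // unknown or already used challenge: a replayed or stale response
	}
	delete(s.pending, string(challenge)) // single use, even if the signature turns out bad
	pub, ok := s.keys[keyID]             // missing key: never registered or deactivated
	return ok && ed25519.Verify(pub, challenge, sig)
}
```

A second call to `Verify` with the same challenge fails even with a valid signature, which is what stops an intercepted response from being reused.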


What’s so cool about it?

Many people might wonder whether this way of authenticating is better than a standard login and password.

First of all, it avoids storing users' passwords or their data on authentication servers, which has a positive impact on the application's security. Additionally, the UAF protocol protects against theft of the authentication device: it can monitor the number of authentications performed with a given authenticator, and it can deactivate a stolen or lost authenticator. The user does not lose access to their account on the platform; they only lose the ability to verify their identity with the lost authenticator.


Summing up, as authentication devices that use biometric readers, mobile applications, retinal scanners, etc. become more widely available, we need memorized passwords less and less and can transfer that responsibility to our devices. The UAF protocol from the FIDO family of protocols is one way to do this. Such solutions fit banking applications perfectly, where particular attention is paid to providing the highest possible security standards.

Logging in to an account on a mobile device will be much safer using a fingerprint, or a retina-scanning camera built into a laptop or PC.
