Safer and more effective ways of identifying a user than a login and a password have been sought for a long time. With the development of technologies such as fingerprint readers and retinal scanners, identity can now be verified at least as well as with a login and a password.

Since such devices are now built into mobile phones, we can confirm our identity securely with the phone itself. To standardize the way identity is verified, the FIDO Alliance (fidoalliance.org) decided to create a single set of best practices for user authentication and for authorizing users’ operations. These protocols go by the abbreviated name FIDO.

How does it work?

One of the FIDO protocols used for user authentication on internet platforms is UAF. In short, it works as follows:

  • The client’s device (further referred to as the UAF Client) creates a pair of cryptographic keys (a public and a private one) in its memory while registering a user on an authenticator. The authenticator is what confirms the user’s identity; it can be, for example, a fingerprint reader.
  • The UAF server is queried for a list of supported authenticators. These groups can specify parameters such as the authenticator’s manufacturer, the algorithms it supports, etc.
  • After it has been verified that authentication with the UAF Client is possible, a private key is sent to the UAF server during registration and saved in its database, along with the username and the identifier of the application used to register the user.
  • Additionally, the identifier of the key in the authenticator’s memory and some extra data are sent to the UAF server.

Figure 1: FIDO – safer or more convenient

At an authentication attempt, the client application (the UAF Client) asks the UAF server for the list of authenticators (e.g. a fingerprint reader) registered for the given user. After receiving the list, the UAF Client checks whether it holds a key pair matching one registered on the UAF server earlier. If so, it signs the so-called „challenge” sent by the server (a partially random piece of text; it can be any text or string of bytes) with its private key. The signed message is then sent to the server along with other information.

The server checks whether the message it received was signed with the key saved during registration. If so, the user is verified and the authentication succeeds.

Figure 2: FIDO – safer or more convenient

What’s so cool about it?

Many people might wonder whether this way of authenticating is better than a standard login and password.

First of all, it avoids storing users’ passwords or their data on authentication servers, which has a positive impact on the application’s security. Additionally, the UAF protocol has protection against theft of the authentication device: it can track the number of authentications performed with it. It can also deactivate a stolen or lost authenticator, so the user does not lose access to their account on the platform; they only lose the ability to verify their identity with the lost authenticator.
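To make the registration and authentication steps described above, and the counter and deactivation protections mentioned in this paragraph, concrete, here is an added example that is not code from the original post or from the FIDO Alliance. It is a hypothetical in-memory model in Go: `Server` plays the UAF server, `Authenticator` plays the device-side authenticator, ECDSA on P-256 stands in for whatever algorithm a real authenticator advertises, the username, application id and key id are constructed sample values, and the local fingerprint match is assumed to have already succeeded on the device. It follows the UAF specification in one respect worth noting: the authenticator registers its public key with the server and keeps the private key on the device, which is what lets the server verify a signed challenge without holding any secret worth stealing.

```go
package main

import (
	"crypto/ecdsa"
	"crypto/elliptic"
	"crypto/rand"
	"crypto/sha256"
	"encoding/binary"
	"errors"
	"fmt"
)

// Registration replaces a stored password: the public key plus the metadata the post lists.
type Registration struct {
	Username, AppID string
	PublicKey       *ecdsa.PublicKey
	Counter         uint32 // highest signature counter accepted so far
}

// Server is a hypothetical stand-in for a UAF server, not FIDO reference code.
type Server struct {
	regs       map[string]*Registration // by key id in the authenticator
	challenges map[string][]byte        // one outstanding challenge per key id
}

func NewServer() *Server { return &Server{map[string]*Registration{}, map[string][]byte{}} }

// Authenticator models the device side (e.g. a phone's fingerprint reader); the private key never leaves it.
type Authenticator struct {
	KeyID   string
	priv    *ecdsa.PrivateKey
	counter uint32
}

func NewAuthenticator(keyID string) (*Authenticator, error) {
	priv, err := ecdsa.GenerateKey(elliptic.P256(), rand.Reader)
	return &Authenticator{KeyID: keyID, priv: priv}, err
}

// Register stores only the public key and the metadata on the server.
func (s *Server) Register(username, appID string, a *Authenticator) {
	s.regs[a.KeyID] = &Registration{Username: username, AppID: appID, PublicKey: &a.priv.PublicKey}
}

// NewChallenge issues 32 fresh random bytes for one registered key.
func (s *Server) NewChallenge(keyID string) ([]byte, error) {
	c := make([]byte, 32)
	if _, ok := s.regs[keyID]; !ok {
		return nil, errors.New("unknown or deactivated authenticator")
	} else if _, err := rand.Read(c); err != nil {
		return nil, err
	}
	s.challenges[keyID] = c
	return c, nil
}

// signedPayload binds the challenge to the application id and the counter, so one signature cannot serve another app or be replayed.
func signedPayload(appID string, challenge []byte, counter uint32) []byte {
	h := sha256.New()
	h.Write([]byte(appID))
	h.Write(challenge)
	binary.Write(h, binary.BigEndian, counter)
	return h.Sum(nil)
}

// Sign is the client step after local user verification (the fingerprint match is assumed to have succeeded).
func (a *Authenticator) Sign(appID string, challenge []byte) ([]byte, uint32, error) {
	a.counter++
	sig, err := ecdsa.SignASN1(rand.Reader, a.priv, signedPayload(appID, challenge, a.counter))
	return sig, a.counter, err
}

// Authenticate verifies with the stored public key and app id, consumes the challenge, and requires the counter to grow.
func (s *Server) Authenticate(keyID string, counter uint32, sig []byte) error {
	r, challenge := s.regs[keyID], s.challenges[keyID]
	if r == nil || challenge == nil {
		return errors.New("no registered key with an outstanding challenge")
	}
	delete(s.challenges, keyID) // a challenge is valid for exactly one attempt
	if counter <= r.Counter {
		return errors.New("signature counter did not increase")
	}
	if !ecdsa.VerifyASN1(r.PublicKey, signedPayload(r.AppID, challenge, counter), sig) {
		return errors.New("bad signature")
	}
	r.Counter = counter
	return nil
}

// Deactivate removes a lost or stolen authenticator's key; the account and other authenticators are unaffected.
func (s *Server) Deactivate(keyID string) { delete(s.regs, keyID); delete(s.challenges, keyID) }

func main() {
	srv := NewServer()
	phone, _ := NewAuthenticator("phone-fingerprint-1") // constructed sample key id
	srv.Register("alice", "com.example.bank", phone)      // constructed sample values
	c, _ := srv.NewChallenge(phone.KeyID)
	sig, ctr, _ := phone.Sign("com.example.bank", c)
	fmt.Println("login:", srv.Authenticate(phone.KeyID, ctr, sig), "| replay:", srv.Authenticate(phone.KeyID, ctr, sig))
}
```

Run it with `go run`: the login attempt prints `<nil>` and the replay prints the outstanding-challenge error, because each challenge is consumed by exactly one attempt. Two details carry most of the security value: the signed payload binds the challenge to the application id, so a signature obtained for one application cannot be presented to another, and the strictly increasing counter is the hook the post mentions for noticing an authenticator that has been copied or replayed.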

Figure: FIDO – safer or more convenient

Summing up, as user authentication devices with biometric readers, mobile applications, retinal scanners, etc. become more accessible, we need fewer and fewer passwords that have to be memorized and can transfer that responsibility to our devices. This is made possible by, for example, the UAF protocol from the FIDO family. Such solutions are a perfect fit for banking applications, where particular attention is paid to providing the highest possible security standards.

Logging in to an account on a mobile device, or with a fingerprint reader or retina-scanning camera built into a laptop or PC, will be much safer.
