FIDO UAF supports a passwordless authentication option. It was released as an open standard by the FIDO alliance. In this standard, a user who is authenticating to an application or service will leverage one or more security factors on their digital device (usually a mobile phone) to release a private key that is used to sign a challenge issued by the FIDO UAF Server. The user verification mechanism on the device itself can be biometric, knowledge, or possession based in order to unlock the private key for signing functions.
FIDO UAF also contains constructs and specifications for creating and configuring different policies for authentication as well as transaction verification where the private key on the client device is used to sign various transaction data. These could include financial transaction amounts so that the information cannot be tampered with in the event that it is intercepted. This standard is leveraged by global organizations to improve security and user experience for both consumers and their workforce.
Example:
"Google Chrome is dedicated to building a better web, and allowing developers to interact with secure keystores in a structured way helps us continue this mission. As a founding member of the U2F and FIDO2 working groups within FIDO, we’re excited for the launch of these standards and look forward to our continued collaboration.”
- Sam Srinivas, Product Management Director, Cloud Security, Google
FIDO UAF Certification Icon:
FIDO UAF Login Demo: